Root Cause of the Salesforce Breach
 
The root cause of the major Salesforce breaches that began around May 2025 was not a technical vulnerability in the Salesforce platform itself, but rather a combination of sophisticated social engineering attacks and the abuse of OAuth-connected app permissions. The attackers targeted employees at organizations using Salesforce, such as Google, Adidas, Chanel, and others, by impersonating IT or Salesforce support staff through voice phishing (vishing) calls. They convinced these employees, often with administrative privileges, to install a malicious version of the Salesforce Data Loader or to authorize a seemingly legitimate connected app.
Once the malicious app was installed or authorized, it initiated an OAuth flow requesting broad access permissions. Victims, believing the app to be legitimate, granted these permissions, which allowed the attackers to obtain OAuth access and refresh tokens. Because the victim had already completed an interactive login (including MFA) at the moment of authorization, subsequent API calls made with those tokens did not trigger MFA or other interactive login controls, giving the attackers persistent, privileged access to Salesforce data. They then used Salesforce’s APIs to exfiltrate large volumes of sensitive data, including customer contact details, sales notes, and, in some cases, HR or policyholder information.
Key points of the root cause:
- Social engineering (vishing): Attackers tricked employees into installing or authorizing malicious apps.
- OAuth token abuse: Malicious apps were granted broad permissions, allowing attackers to bypass MFA and gain persistent access.
- Human-centric breach: The attack exploited trust and familiarity, not a technical flaw in Salesforce.
- Misconfiguration and over-permissioned accounts: Many organizations lacked sufficient controls over app authorizations and user permissions, thereby increasing the risk and impact of such attacks.
How to Prevent Similar Breaches in the Future
To prevent similar breaches, organizations must adopt a multi-layered security approach that addresses both technical and human factors. Security experts, Salesforce, and industry best practices recommend the following measures:
1. Enforce Multi-Factor Authentication (MFA) Everywhere
- Require MFA for all users, including those accessing Salesforce and any connected third-party apps. This adds a critical layer of defense against credential theft.
2. Strengthen OAuth and Connected App Governance
- Implement strict controls and approval workflows for authorizing new connected apps.
- Regularly audit all connected apps and their permissions, removing unnecessary or unused integrations.
- Monitor for unusual or unauthorized app authorizations in real time.
3. Apply the Principle of Least Privilege
- Limit user and app permissions to only what is necessary for their roles and functions.
- Regularly review and update user roles, profiles, and access rights to prevent privilege creep and ensure ongoing security.
4. Conduct Regular Security Awareness Training
- Train employees to recognize and report social engineering attempts, such as phishing and vishing.
- Emphasize the importance of verifying requests for software installations or app authorizations, especially those received via phone or email.
5. Restrict Access with Trusted IP Ranges and Login Controls
- Configure Salesforce to allow logins only from trusted IP addresses and during approved hours.
- Block logins from suspicious or untrusted locations.
6. Enable Data Encryption
- Encrypt sensitive data at rest and in transit using Salesforce Shield Platform Encryption or similar tools.
7. Monitor and Audit Activity
- Use Salesforce Health Check, event monitoring, and audit logs to track user activity, configuration changes, and access patterns.
- Set up automated alerts for anomalous behavior, such as large data exports or new app authorizations.
8. Secure Third-Party Integrations
- Carefully vet all third-party apps and integrations to ensure their security posture and necessity.
- Use OAuth scopes to limit the data and actions accessible to each integration.
9. Regularly Back Up Data
- Implement automated, regular backups of Salesforce data and test restoration procedures to ensure business continuity in case of a breach.
10. Implement Zero-Trust Security Principles
- Continuously verify user identities and device health before granting access, rather than trusting a session once it has been established.
- Assume no user or device is inherently trusted and enforce least-privilege access at every step.
11. Stay Current with Security Updates and Best Practices
- Regularly review Salesforce’s security advisories and update configurations as needed.
- Align security practices with recognized frameworks such as NIST, CIS, and ISO to give security management a structured, repeatable approach.
12. Incident Response and Recovery Planning
- Develop and test incident response plans tailored to cloud and SaaS environments.
- Ensure regular backups and disaster recovery processes are in place.
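The root-cause narrative above (a connected app authorized with broad scopes, followed by token use from an unfamiliar network and a bulk export) and recommendations 2, 5, and 7 describe a pattern that can be checked mechanically against activity logs. The following Python script is an added example, not code from the original post or from Salesforce. It runs over a handful of constructed events in a simplified schema that is only loosely modeled on Salesforce event monitoring (the field names, the trusted IP range, the scope list, and the row threshold are all assumptions); a real deployment would map the fields from EventLogFile or a SIEM feed.

```python
"""Added example: flag the connected-app abuse pattern in simplified activity logs.

Three rules, matching recommendations 2, 5 and 7 in the post:
  - risky_app_grant:             a user authorized an app with scopes that confer standing access
  - untrusted_ip_login:          a login from outside the org's trusted egress ranges
  - bulk_export_after_new_grant: a large export via an app that was authorized very recently
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- Constructed org policy (assumptions for this example, not Salesforce defaults) ---
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]            # office/VPN egress range (documentation prefix)
STANDING_ACCESS_SCOPES = {"full", "refresh_token", "offline_access"}  # scopes that keep access alive after the session
BULK_EXPORT_ROW_THRESHOLD = 100_000                         # rows in one job that count as "large" for this org
GRANT_TO_EXPORT_WINDOW = timedelta(hours=24)                # export this soon after a new grant is suspicious


@dataclass
class Event:
    ts: datetime
    kind: str            # "Login", "AppAuthorization" or "BulkApiExport" (constructed event names)
    user: str
    ip: str
    app: str
    scopes: frozenset = frozenset()
    rows: int = 0


def parse_events(raw):
    """Turn raw dict records (simplified schema) into Event objects sorted by time."""
    events = [
        Event(
            ts=datetime.fromisoformat(r["ts"]),
            kind=r["type"], user=r["user"], ip=r["ip"], app=r["app"],
            scopes=frozenset(r.get("scopes", [])),
            rows=int(r.get("rows", 0)),
        )
        for r in raw
    ]
    return sorted(events, key=lambda e: e.ts)


def is_trusted_ip(ip):
    """True if the address falls inside one of the org's trusted ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def detect(raw):
    """Return a list of (rule, user, app) alert tuples for the given records."""
    alerts = []
    recent_grants = {}   # (user, app) -> time the app was authorized
    for e in parse_events(raw):
        if e.kind == "AppAuthorization":
            recent_grants[(e.user, e.app)] = e.ts
            if e.scopes & STANDING_ACCESS_SCOPES:
                alerts.append(("risky_app_grant", e.user, e.app))
        elif e.kind == "Login":
            if not is_trusted_ip(e.ip):
                alerts.append(("untrusted_ip_login", e.user, e.app))
        elif e.kind == "BulkApiExport" and e.rows >= BULK_EXPORT_ROW_THRESHOLD:
            granted = recent_grants.get((e.user, e.app))
            if granted is not None and e.ts - granted <= GRANT_TO_EXPORT_WINDOW:
                alerts.append(("bulk_export_after_new_grant", e.user, e.app))
            else:
                alerts.append(("large_bulk_export", e.user, e.app))
    return alerts


# Constructed sample records: a normal login, an over-scoped app grant, a token used from an
# unfamiliar network, a very large export, and a benign small export by another user.
SAMPLE_EVENTS = [
    {"ts": "2025-05-10T09:00:00", "type": "Login", "user": "alice", "ip": "203.0.113.10", "app": "Browser"},
    {"ts": "2025-05-10T09:05:00", "type": "AppAuthorization", "user": "alice", "ip": "203.0.113.10",
     "app": "My Ticket Portal", "scopes": ["api", "refresh_token", "full"]},
    {"ts": "2025-05-10T10:00:00", "type": "Login", "user": "alice", "ip": "198.51.100.7", "app": "My Ticket Portal"},
    {"ts": "2025-05-10T10:30:00", "type": "BulkApiExport", "user": "alice", "ip": "198.51.100.7",
     "app": "My Ticket Portal", "object": "Contact", "rows": 2_400_000},
    {"ts": "2025-05-10T11:00:00", "type": "BulkApiExport", "user": "bob", "ip": "203.0.113.22",
     "app": "Data Loader", "object": "Account", "rows": 1_200},
]

if __name__ == "__main__":
    for rule, user, app in detect(SAMPLE_EVENTS):
        print(f"{rule:30} user={user:8} app={app}")
```

Run on the sample, the script raises three alerts, all for the same user and app, which is exactly the chain the post describes: an over-scoped grant, a login with that app from outside the trusted range, and a multi-million-row export within the day. The small Data Loader job by the second user produces nothing. The correlation on (user, app) is what turns three individually noisy signals into one actionable case; in practice the thresholds and trusted ranges should be tuned per org, and the "risky_app_grant" rule is the one to wire into an approval workflow rather than only an alert.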
Conclusion
The Salesforce breaches were fundamentally enabled by human error, social engineering, and insufficient governance of connected apps and OAuth tokens, rather than a technical flaw in Salesforce itself. To prevent similar incidents, organizations must combine robust technical controls (such as MFA, least privilege, and monitoring) with strong user education and vigilant management of third-party integrations. By adopting these best practices, companies can significantly reduce their risk of falling victim to similar attacks in the future.