In 2025, one of the most coordinated SaaS-targeted cyber campaigns in recent history hit, and its bull's-eye was Salesforce customers.
From Google to Adidas, from LVMH to Coca-Cola, attackers pulled customer data out in bulk without exploiting a single Salesforce vulnerability. The weapon was a phone call and a fake app.
This is not just another data breach report. It is the blueprint of a supply-chain-style attack that is still in motion, and if your organization runs Salesforce, you are on the target list.
The Campaign: One Playbook, Many Victims
The ShinyHunters hacking group, notorious for breaches at AT&T, Snowflake, Ticketmaster, and Santander, launched a vishing-driven attack that combined low-tech social engineering with Salesforce’s OAuth connected app feature.
The method was nearly identical across victims:
- Vishing Call — Attackers phoned employees posing as internal IT or Salesforce support.
- Malicious Connected App — An attacker-controlled connected app, named to look like “Salesforce Data Loader” or another CRM utility.
- OAuth Access Granted — The employee was walked to Salesforce’s connected-app setup page and told to enter an 8-digit connection code. That step authorized the attacker’s app with the employee’s own permissions, giving the attacker API-level access.
- Data Exfiltration — Customer records, sales pipelines, HR data: anything the victim’s account could read, the attacker could pull through the API.
Why it worked: a connected app’s OAuth token carries every permission of the user who approved it, so the attacker never needed a password or an MFA code, and most companies had no live monitoring of new app authorizations.
High-Profile Breach Victims & What Was Stolen
| Company | Attack Vector | Data Exposed | Estimated Impact |
|---|---|---|---|
| Google | Vishing + fake Data Loader app | SMB contact info & sales notes | Undisclosed |
| Adidas | Fake CRM utility with OAuth access | Customer entries | Tens of thousands |
| LVMH (Louis Vuitton, Dior, Tiffany & Co.) | IT impersonation, OAuth hijack | Customer profiles | Hundreds of thousands |
| Allianz Life | Fake Salesforce integration tool | Contact info + policy data | 1.4 million |
| Coca-Cola Europacific Partners | Fake analytics app | CRM records | 23 million records |
| Pandora | Third-party CRM provider breach | Names & emails | Undisclosed |
Common thread: the OAuth grant sidesteps MFA (the token is issued after the victim has already logged in, so no second factor is ever challenged again), followed by rapid bulk API data pulls.
Why This Isn’t a Salesforce Bug — And Why That’s Scarier
Salesforce confirmed that no vulnerability in its platform was exploited. This was exploitation of people rather than code: employees were tricked into granting the access themselves.
Fact: if a user who is allowed to authorize connected apps approves one with full API access, the attacker does not need a password, an MFA code, or an exploit. The app’s token already carries that user’s data access.
The Supply Chain SaaS Risk
When you rely on a third-party SaaS platform like Salesforce:
- You inherit its attack surface, including every integration your users are allowed to connect to it.
- You lose direct visibility into some access logs.
- One playbook can cascade across hundreds of organizations, because every tenant exposes the same features in the same way.
In this case, ShinyHunters hit multiple global brands within weeks using identical tactics, a clear sign of platform monoculture risk.
How to Protect Your Salesforce Environment (Now, Not Later)
If your company runs Salesforce, assume you are a target. Here is a hardened checklist:
1. Lock Down Connected Apps
- Block unmanaged apps: set each connected app’s OAuth policy so that only admin-approved users can run it, and review the Connected Apps OAuth Usage page in Setup for apps nobody approved and block them there.
- Require admin review of every OAuth scope, with particular attention to the full and api scopes.
2. Tighten Role-Based Access Control (RBAC)
- Limit the “API Enabled” permission (which Data Loader and most API clients need) and the View All Data / Modify All Data permissions to the users who genuinely need them; without API access, an approved app cannot pull data in bulk.
3. Monitor in Real-Time
- Alert on every new app authorization and on API pulls that exceed a user’s normal volume. New authorizations show up in login history; with Event Monitoring, API and Bulk API activity is logged in detail.
4. Restrict API Access
- Enforce login IP ranges on profiles, and allow-list API clients by their consumer key rather than by display name, since the attacker chooses the display name.
5. Revoke Stale Tokens
- Clear unused OAuth authorizations regularly. Users can see and revoke their own connected apps from their personal settings; admins can block them from the OAuth usage page.
6. Train Against Vishing
- Run simulated vishing calls, and teach staff that no legitimate IT or Salesforce support call ends with them entering a connection code for an app they did not ask for.
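The two detections that items 3 and 4 call for, as an added example that is not code from the article, from Salesforce, or from any of the named companies. It allow-lists connected apps by OAuth client identifier (consumer key) rather than by display name, and flags bulk pulls over a sliding one-hour window so a burst minutes after a grant is not hidden inside a day’s normal traffic. The event records are constructed for the example and only loosely modelled on Salesforce login history and Event Monitoring fields; the consumer keys are hypothetical. Map a real export onto the same keys before running it.

```python
"""Detection logic for two signals from the checklist above:
(1) a connected app authorized outside the allow-list, and
(2) an abnormally large API pull by one user/app pair in a short window.

Added example. Events are constructed, not real Salesforce logs; the
consumer keys in APPROVED_CLIENT_IDS are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Allow-list keyed on the OAuth client identifier (connected app consumer
# key), never on the display name: the attacker picks the display name
# ("Salesforce Data Loader") but cannot pick an approved consumer key.
APPROVED_CLIENT_IDS = {
    "3MVG9_dataloader_official": "Salesforce Data Loader",  # hypothetical
    "3MVG9_bi_connector": "BI Connector",                    # hypothetical
}

# Constructed sample events. "oauth_grant" mimics a new connected-app
# authorization; "api_query" mimics an API/Bulk API call and its row count.
EVENTS = [
    {"ts": "2025-08-12T09:02:00", "type": "oauth_grant", "user": "j.doe",
     "app_name": "Salesforce Data Loader", "client_id": "3MVG9_dataloader_official"},
    {"ts": "2025-08-12T14:31:00", "type": "oauth_grant", "user": "a.smith",
     "app_name": "Salesforce Data Loader", "client_id": "3MVG9_x7Qz_unknown"},
    {"ts": "2025-08-12T14:33:00", "type": "api_query", "user": "a.smith",
     "client_id": "3MVG9_x7Qz_unknown", "object": "Contact", "rows": 150000},
    {"ts": "2025-08-12T14:40:00", "type": "api_query", "user": "a.smith",
     "client_id": "3MVG9_x7Qz_unknown", "object": "Account", "rows": 90000},
    # Legitimate connector: 120k rows over the day, but never 100k in one hour.
    {"ts": "2025-08-12T15:50:00", "type": "api_query", "user": "j.doe",
     "client_id": "3MVG9_bi_connector", "object": "Opportunity", "rows": 60000},
    {"ts": "2025-08-12T17:00:00", "type": "api_query", "user": "j.doe",
     "client_id": "3MVG9_bi_connector", "object": "Opportunity", "rows": 60000},
]


def unapproved_grants(events, approved=APPROVED_CLIENT_IDS):
    """Return every OAuth grant whose client_id is not on the allow-list.

    A grant whose display name matches an approved product but whose
    client_id does not is the exact shape of the lure described in the
    article, so it is marked as a lookalike.
    """
    approved_names = set(approved.values())
    hits = []
    for e in events:
        if e["type"] != "oauth_grant" or e["client_id"] in approved:
            continue
        hits.append({
            "user": e["user"],
            "app_name": e["app_name"],
            "client_id": e["client_id"],
            "lookalike": e["app_name"] in approved_names,
        })
    return hits


def bulk_pull_alerts(events, max_rows, window=timedelta(hours=1)):
    """Flag (user, client_id) pairs whose API rows exceed max_rows inside
    any sliding window of the given length.

    Returns {(user, client_id): peak_rows_in_window} for offending pairs.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "api_query":
            by_pair[(e["user"], e["client_id"])].append(
                (datetime.fromisoformat(e["ts"]), e["rows"]))
    alerts = {}
    for pair, samples in by_pair.items():
        samples.sort()
        start, running, peak = 0, 0, 0
        for ts, rows in samples:
            running += rows
            # Drop samples that fell out of the trailing window.
            while ts - samples[start][0] > window:
                running -= samples[start][1]
                start += 1
            peak = max(peak, running)
        if peak > max_rows:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for g in unapproved_grants(EVENTS):
        print("UNAPPROVED GRANT", g)
    for pair, rows in bulk_pull_alerts(EVENTS, max_rows=100_000).items():
        print("BULK PULL", pair, rows)
```

Run against the sample, the only flagged grant is a.smith’s lookalike “Salesforce Data Loader” with an unknown consumer key, and the only bulk alert is that same user/app pair pulling 240,000 rows inside seven minutes; the legitimate BI connector’s 120,000 rows spread over the day stay under the hourly threshold. The baseline (`max_rows`) should come from your own tenant’s history, not from this example.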
Strategic Takeaways
- Your vendor’s risks are your risks: treat SaaS as if it were running in your own data center.
- Social engineering will bypass technical controls, so train your people as aggressively as you patch your software.
- When one platform dominates an industry, attackers scale fast: a single campaign can compromise dozens of enterprises.
Final Word: This was not a breach of technology, it was a breach of trust. Until organizations treat SaaS-connected apps with the same rigor as on-prem systems, the next ShinyHunters campaign is already writing itself.
Pro Tip: If your “IT department” calls and asks you to install or connect a new Salesforce app, hang up and verify through a channel you already trust. That one decision could save millions.