The Truth Behind the September 2025 Salesforce Supply Chain Attacks
In September 2025, the global cybersecurity landscape was shaken by reports of a massive data compromise involving Salesforce, one of the world’s most trusted SaaS providers. Initial headlines suggested a catastrophic failure of Salesforce’s core infrastructure. However, as the digital dust settled and forensic reports from the FBI and Mandiant emerged, a more nuanced and complex reality was revealed.
The events of September 2025 did not involve a direct breach of the Salesforce core platform. Instead, they represented a sophisticated, multi-pronged campaign targeting the SaaS supply chain and exploiting the "weaponized trust" between Salesforce and its third-party integrations. Specifically, a massive compromise of the Salesloft-Drift integration and a parallel voice-phishing (vishing) campaign allowed threat actors to exfiltrate an estimated 1.5 billion records from over 760 organizations.
The Immediate Reality of the September 2025 Incident
To clarify the situation for IT leaders and security professionals: Salesforce’s internal servers, databases, and core software remained uncompromised. The breach occurred at the intersection of third-party applications and customer-managed OAuth permissions.
Attackers utilized stolen OAuth tokens and social engineering tactics to gain "authorized" access to customer environments. This distinction is critical for understanding why traditional perimeter defenses failed and why organizations like Cloudflare, Palo Alto Networks, and Zscaler found their Salesforce instances accessed despite having world-class security protocols.
The Anatomy of the Salesloft and Drift Integration Attack
The primary engine of the September 2025 crisis was a supply chain attack centered on Salesloft and its AI chatbot subsidiary, Drift. This incident serves as a textbook example of how a vulnerability in a secondary service provider can cascade into a primary platform disaster.
The GitHub Entry Point
The campaign began months prior, in early 2025, when threat actors—identified as UNC6395 and linked to the ShinyHunters collective—gained unauthorized access to Salesloft’s internal GitHub repositories. Using automated secret-scanning tools like Trufflehog, the attackers identified hardcoded credentials and administrative OAuth tokens embedded within the source code of the Drift and Drift Email platforms.
By March and June 2025, the actors had established persistence within the Salesloft development environment. They did not immediately exfiltrate data; instead, they moved laterally into the company’s Amazon Web Services (AWS) infrastructure. From this vantage point, they were able to harvest a massive cache of active OAuth tokens belonging to Drift’s enterprise customers.
The Power of OAuth Token Abuse
In a standard Salesforce environment, the Drift chatbot requires "Connected App" permissions to sync contact data, chat logs, and lead information. When the attackers stole these tokens, they essentially acquired a "master key."
Because OAuth tokens represent a pre-authorized session, the attackers could bypass:
- Multi-Factor Authentication (MFA): The "handshake" had already occurred and was trusted.
- Standard Login Monitoring: The access appeared as legitimate API traffic from a trusted integration.
- Geographic Restrictions: By routing traffic through infrastructure that mimicked Drift’s typical IP ranges, the actors remained undetected for weeks.
Throughout August and early September, the attackers used these tokens to programmatically scrape Salesforce tables, including Account, Contact, Opportunity, and Case records.
The Parallel Threat: UNC6040 and the Vishing Campaign
While the Salesloft attack was a technical supply chain exploit, a second threat group, UNC6040, was conducting a simultaneous campaign based on human manipulation. This group focused on "vishing" (voice phishing), targeting the administrative staff of Salesforce customers.
In these attacks, threat actors impersonated IT support personnel or Salesforce consultants. Using deepfake audio technology or highly practiced scripts, they convinced employees to authorize "temporary diagnostic applications" within their Salesforce environments. These applications were, in fact, malicious "Connected Apps" designed to establish a persistent backchannel for data exfiltration.
Our analysis of the vishing scripts used in September 2025 shows a high degree of sophistication. The attackers often referenced internal project names or recent support tickets (likely obtained from earlier data leaks), making their calls nearly indistinguishable from legitimate corporate communications.
Quantifying the Damage: 1.5 Billion Records and "Secrets Within Secrets"
The scale of the September 2025 incident is staggering. The ShinyHunters group claimed credit for the theft of 1.5 billion records across 760 organizations. However, the raw volume of data is only half of the story; the nature of the data represents a long-term strategic threat.
Targeted Salesforce Objects
The data exfiltrated was not limited to basic contact info. The attackers specifically targeted:
- Case Objects: These contain customer support histories, which often include sensitive troubleshooting data, internal system architectures, and—most dangerously—administrative credentials or API keys shared by employees during support sessions.
- Opportunity Objects: Detailed sales pipelines, pricing structures, and contract terms, providing competitors with an unprecedented look into corporate strategy.
- User Objects: Metadata about every employee in a Salesforce instance, which is now being used to fuel secondary, highly targeted phishing campaigns.
The "Downstream" Risk
Google Mandiant’s threat intelligence highlighted a critical secondary risk: "secrets within secrets." Attackers used automated scripts to search the stolen Case and Description fields for AWS access keys, Snowflake tokens, and GitHub personal access tokens (PATs). This allowed the actors to pivot from Salesforce into the broader cloud infrastructure of their victims.
Why Leading Tech Companies Were Vulnerable
One of the most concerning aspects of the September 2025 event was the list of confirmed victims. Companies such as Cloudflare, Zscaler, and Palo Alto Networks are the gatekeepers of modern cybersecurity. Their involvement underscores a fundamental shift in risk: you are only as secure as your most permissive integration.
In many of these cases, the companies had implemented rigorous MFA and Zero Trust architectures for their internal systems. However, the Drift integration existed in a "security blind spot." Because the chatbot was viewed as a productivity tool rather than a core infrastructure component, its OAuth permissions were often overly broad (e.g., Full Access or api_refresh_token).
Furthermore, the "Connected App" model in Salesforce relies on a shared trust. Once a customer authorizes a third-party app, they are essentially trusting that third party’s internal security. When Salesloft’s GitHub was compromised, that trust was weaponized against every one of their customers.
How to Audit Your Salesforce Instance for Unauthorized Access
Following the FBI’s FLASH alert on September 12, 2025, organizations were urged to perform immediate audits. If you are managing a Salesforce environment, the following steps are non-negotiable for ensuring your data has not been quietly exfiltrated.
1. Review Connected App Usage
Navigate to Setup > App Manager. Look for any applications that you do not recognize or that have not been updated in several months. Specifically, audit the "Drift" and "Salesloft" integrations. Salesforce took the unprecedented step of disabling these integrations globally in early September, but administrative "leftovers" may still exist.
2. Analyze OAuth Usage Logs
Salesforce provides an "OAuth Usage" page. Review the "User Count" and "Revoke" columns. If you see high volumes of API calls coming from an integration during non-business hours, or from IP addresses inconsistent with the vendor’s known range, this is a major indicator of compromise (IoC).
3. Inspect the 'Case' Object for PII and Secrets
Run a query on your Case and Attachment objects. Search for strings like "password," "key," "access_token," or "secret." If your employees have been posting sensitive credentials into support tickets, those credentials must be rotated immediately, as they were the primary targets for UNC6395.
4. Monitor for "Shadow" Connected Apps
Attackers often create their own apps with names like "System Audit Tool" or "Salesforce Optimizer." Check the OAuth Connected Apps list for any app created by a user who does not typically manage integrations.
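The "secrets within secrets" hunt described under The "Downstream" Risk and in step 3 above, as an added example that is not code from the article or from Salesforce. It runs offline over constructed sample Case rows (hypothetical Ids and values) standing in for the result of the SOQL query in CASE_QUERY, and it goes beyond the page's plain substring search for "password" or "key": it matches the AWS access key and GitHub PAT formats the article names and only flags keywords in an assignment-like context, so a ticket that merely mentions a password reset is not a finding. Matches are redacted in the report so the audit output does not itself leak the credential.

```python
import re
from typing import Dict, List

# SOQL you would run (or export) to obtain the rows; the scanner below works on the rows only.
CASE_QUERY = "SELECT Id, Subject, Description FROM Case WHERE LastModifiedDate = LAST_N_DAYS:365"

# Constructed sample rows (hypothetical, not from any real org).
SAMPLE_CASES: List[Dict[str, str]] = [
    {"Id": "500CASE0001", "Subject": "Sync job failing",
     "Description": "Repro with access key AKIAEXAMPLE123456789 and secret key = wJalrXUtnFEMI/EXAMPLE"},
    {"Id": "500CASE0002", "Subject": "Repo webhook",
     "Description": "token: ghp_0123456789abcdefghijklmnopqrstuvwxyz"},
    {"Id": "500CASE0003", "Subject": "Password reset",
     "Description": "Customer asked how to reset their password; no credential shared."},
]

# Formats the article says attackers harvested, plus keyword=value style leaks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Keyword must be followed by ':' or '=' so prose mentions of "password" are not flagged.
    "keyword": re.compile(
        r"\b(?:password|passwd|secret(?:[ _]key)?|access_token|token|api[_ ]?key)\s*[:=]", re.I),
}

def redact(value: str) -> str:
    """Keep only a short prefix so the report does not re-expose the secret."""
    return value[:4] + "***"

def scan_cases(cases: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per secret-looking match in Subject or Description."""
    findings: List[Dict[str, str]] = []
    for case in cases:
        for field in ("Subject", "Description"):
            text = case.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({"case_id": case["Id"], "field": field,
                                     "kind": kind, "sample": redact(match.group(0))})
    return findings

def cases_needing_rotation(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct Case Ids whose embedded credentials must be rotated."""
    return sorted({f["case_id"] for f in findings})

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
    print("rotate secrets referenced in:", cases_needing_rotation(scan_cases(SAMPLE_CASES)))
```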
Salesforce’s Response and the Shared Responsibility Model
In the wake of the September 2025 incidents, Salesforce’s leadership, including CEO Marc Benioff, maintained a firm stance. The company refused to pay ransom demands from the "Scattered Lapsus$ Hunters" (a conglomerate of ShinyHunters and other groups) and emphasized that the core Salesforce infrastructure remained intact.
This incident has reignited the debate over the SaaS Shared Responsibility Model. While Salesforce provides the secure "fortress," the customer is responsible for:
- Who they let through the gate (OAuth permissions).
- Which third-party vendors they trust (Supply chain vetting).
- How their employees behave (Vishing awareness).
By disabling the Salesloft-Drift integrations, Salesforce demonstrated its "kill switch" capability, but the 1.5 billion records were already gone. This highlights the delay between an initial supply chain breach (at Salesloft in early 2025) and the eventual data exfiltration (in August/September 2025).
Strategic Lessons for the Post-2025 Cybersecurity Era
The September 2025 Salesforce data incident is a watershed moment for SaaS security. It marks the end of the era where "integrations" were treated as secondary security concerns. Moving forward, the industry is likely to adopt several key changes:
The Rise of SaaS Security Posture Management (SSPM)
Organizations can no longer manually audit their SaaS footprints. Tools that provide continuous monitoring of OAuth permissions, configuration drifts, and third-party risk scores are becoming mandatory.
Strict OAuth Scoping
The practice of granting "Full Access" to a chatbot or email tool must end. Security teams will move toward a "Principle of Least Privilege" for APIs, where an integration only has access to the specific fields and objects required for its function.
Vishing-Resistant MFA
As UNC6040 proved, traditional SMS or push-based MFA can be bypassed through social engineering. There will be an accelerated push toward FIDO2/WebAuthn hardware keys, which are significantly harder to compromise via vishing.
Summary of the Salesforce September 2025 Events
The events of September 2025 were not a failure of Salesforce’s code, but a failure of the interconnected ecosystem. By exploiting a third-party vendor (Salesloft/Drift) and the human element (vishing), attackers were able to achieve one of the largest data thefts in history.
For businesses, the takeaway is clear: your data is only as safe as the weakest link in your integration chain. Continuous auditing, restricted API permissions, and a "Zero Trust" approach to third-party apps are the only ways to prevent the next great SaaS breach.
Frequently Asked Questions
Was Salesforce itself hacked in September 2025? No. Salesforce’s core platform and infrastructure were not breached. The unauthorized access occurred through compromised third-party integrations (specifically Salesloft’s Drift) and social engineering attacks against individual customer employees.
What data was stolen during the Salesforce incident? Attackers exfiltrated approximately 1.5 billion records. The data included business contact information, sales opportunities, support case histories, and in some instances, embedded secrets like AWS keys and authentication tokens found within support tickets.
Who were the attackers behind the September 2025 breach? The attacks have been attributed to two main groups: UNC6395 (associated with the ShinyHunters collective), which handled the technical supply chain exploit, and UNC6040, which specialized in vishing (voice phishing) and social engineering.
How did the attackers bypass Multi-Factor Authentication (MFA)? The attackers bypassed MFA using two methods. First, by stealing OAuth tokens from a third-party provider, they utilized already-authorized sessions that did not require a new MFA prompt. Second, through vishing, they tricked employees into manually approving malicious access requests.
Which companies were affected by the Salesforce supply chain attack? Hundreds of organizations were impacted, including major tech and automotive brands. Notable confirmed victims mentioned in reports include Cloudflare, Palo Alto Networks, Zscaler, Cisco, Stellantis, and Jaguar Land Rover (JLR).
What should Salesforce administrators do now? Administrators should immediately audit all "Connected Apps," revoke unused or suspicious OAuth tokens, rotate any secrets found in Case objects, and implement stricter API access controls. Following the FBI's FLASH alert recommendations is highly advised.
Is it still safe to use third-party integrations with Salesforce? Yes, but they must be managed with a "Zero Trust" mindset. This involves regular security audits of vendors, enforcing the principle of least privilege for API permissions, and using SSPM tools to monitor for unauthorized access in real-time.
What was the role of the FBI in the September 2025 incident? On September 12, 2025, the FBI issued a FLASH alert providing Indicators of Compromise (IoCs) and technical details regarding the dual campaigns. They urged organizations to review their Salesforce connected apps and provided guidance on identifying unauthorized vishing-based integrations.
Did Salesforce pay the ransom demanded by the hackers? No. Salesforce publicly stated that they would not engage with or pay any extortion demands. The company focused on securing the ecosystem by disabling the compromised integrations and assisting customers with remediation.
How does this breach affect GDPR and CCPA compliance? Affected organizations may face significant regulatory scrutiny. Since personally identifiable information (PII) like names, emails, and passport numbers was involved, companies are required to follow mandatory breach notification protocols and may be subject to fines depending on their level of "reasonable security" measures.