Several data breaches affecting a wide range of companies that use Salesforce have been reported in recent weeks. These incidents have impacted organizations across various sectors, including technology, retail, and insurance. The exposed data has varied by victim but has commonly included customer contact information, internal business records, and even sensitive data like API tokens and credentials.
Sercante clients can be assured that our systems have not been impacted by these recent attacks. However, we want to make sure that Salesforce customers are aware of these incidents and are equipped to safeguard their instances.
How the Breaches Occurred
The recent breaches are not due to a vulnerability within the Salesforce Core platform itself. Instead, threat actors have used sophisticated social engineering and supply chain attacks to gain unauthorized access.
One common method has been targeted voice phishing (vishing) campaigns. In these attacks, bad actors impersonated legitimate employees or IT support staff to trick victims into downloading a malicious replica of Data Loader and granting access to their Salesforce environments.
In a recent and widespread campaign, attackers leveraged compromised OAuth tokens for a third-party application, Salesloft Drift. By exploiting the integration between the app and Salesforce, the threat actors were able to export large volumes of data and credentials from numerous corporate Salesforce instances in what is called a “supply-chain attack.” The attackers were able to steal “digital keys,” or authentication tokens, from the Drift app. They then used these stolen keys to access and steal data and credentials, such as passwords, API keys, and access tokens for other services, that could be used to compromise other systems integrated with Salesforce.
This highlights a critical risk: while the core platform may be secure, its connections to third-party apps can introduce vulnerabilities.
Risk to Salesforce Customers
The primary risk to Salesforce customers lies in the potential for stolen data to be used for further attacks. Customer contact information and other details can be weaponized in targeted and highly convincing phishing and social engineering campaigns to gain access to other corporate systems. The exposure of sensitive information like API tokens and credentials poses a significant threat, as it can be used to compromise connected systems, such as other cloud platforms or internal networks.
UPDATE: If you are a Drift customer – Salesloft has announced plans to shut down its Drift chatbot following their recent security breaches. This no doubt presents a challenge to your website engagement strategy. The Sercante team is well-versed in the various conversational platforms that integrate seamlessly with Salesforce and can help you navigate this transition.
Recommended Actions for Protection
While Salesforce has taken steps to restrict the use of “uninstalled connected apps”, customers should take steps to protect themselves from similar threats:
- Reauthenticate Drift Connections: Salesloft Drift customers will need to reauthenticate their Salesforce integration with Drift. It’s also advised that any and all authentication tokens stored in or connected to the Drift platform be considered potentially compromised and updated immediately.
- Rotate all credentials and keys: Immediately change any passwords, API keys, and other access tokens that were stored in your Salesforce instance.
- Investigate your Salesforce account: Look for any unusual activity in your Salesforce login history, audit trails, and API access logs from early to mid-August 2025. Look for suspicious logins or data access patterns, particularly from the user account associated with the Drift integration.
- Audit Third-Party Apps: Audit your connected apps to make sure they are secure. Confirm that every third-party app connected to your Salesforce account has only the minimum permissions it needs to do its job, and revoke access for any app that is no longer in use.
- Secure APIs and Integrations: When configuring new integrations, restrict API access by defining trusted IP ranges and ensuring that connected apps have the most restrictive scope possible.
- Apply the Principle of Least Privilege: Limit user permissions to only what is necessary for their job role. Restrict administrative access and minimize the use of permissions like “Modify All Data.”
- Be on high alert for phishing: Warn your employees to be extra cautious about any unexpected or unusual emails, phone calls, or messages. The attackers may use the stolen contact information to try and trick people into giving up more sensitive data.
- Rinse & Repeat: Security isn’t a set-it-and-forget-it function. It takes constant and consistent vigilance to protect your systems and data.
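As an added example (not part of the original article, and not Sercante or Salesforce tooling), the login-history review from the “Investigate your Salesforce account” step can be scripted over an exported CSV: it flags logins by the integration user inside the review window that did not come from a trusted IP range. The column names, username, IP ranges, exact window dates, and sample rows are assumptions constructed for illustration; adjust them to your own export.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Assumptions (hypothetical values, adjust to your org): the review window
# approximates "early to mid-August 2025"; the username and trusted ranges
# are placeholders; column names must match your login-history export.
WINDOW_START = datetime(2025, 8, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 21, tzinfo=timezone.utc)
INTEGRATION_USER = "drift.integration@example.com"
TRUSTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample export (documentation IP ranges), not real log data.
SAMPLE_CSV = """Username,Login Time,Source IP,Application,Status
drift.integration@example.com,2025-08-05T09:12:00Z,198.51.100.14,Drift,Success
drift.integration@example.com,2025-08-12T02:41:00Z,203.0.113.77,Drift,Success
drift.integration@example.com,2025-08-13T02:44:00Z,203.0.113.77,Drift,Failed
jane.doe@example.com,2025-08-12T14:03:00Z,203.0.113.9,Browser,Success
drift.integration@example.com,2025-09-02T10:00:00Z,203.0.113.77,Drift,Success
drift.integration@example.com,2025-08-14T11:00:00Z,not-an-ip,Drift,Success
"""

def is_trusted(ip_text):
    """Return True only if the address parses and sits in a trusted range."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # unparseable source address: treat as untrusted
    return any(ip in net for net in TRUSTED_RANGES)

def suspicious_logins(csv_text):
    """List (time, source IP, status) for integration-user logins to review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Username"].lower() != INTEGRATION_USER:
            continue
        when = datetime.fromisoformat(row["Login Time"].replace("Z", "+00:00"))
        if not (WINDOW_START <= when < WINDOW_END):
            continue
        if is_trusted(row["Source IP"]):
            continue
        # Failed attempts are kept too: they show probing with a stolen token.
        findings.append((when.isoformat(), row["Source IP"], row["Status"]))
    return findings

if __name__ == "__main__":
    for finding in suspicious_logins(SAMPLE_CSV):
        print(*finding)
```

Any row this returns is a lead for the audit trail and API access log review, not proof of compromise on its own.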
While the core Salesforce platform is secure, recent data breaches are a reminder that a company’s security is only as strong as its weakest link, which is often a third-party app or a human being. To stay safe, you have to be proactive. By using strong security practices, enforcing strict access rules, and training your team, you can drastically improve your defenses. Ultimately, keeping your data safe is a team effort—you, Salesforce, and all of your employees have a role to play.
If you’d like a guide to help you navigate how to optimize data protection in your organization with Salesforce, reach out to the Sercante team. Our experts can be your guide for impactful next steps.
