Salesforce CRM Breaches: Social Engineering Strikes at the Heart of Corporate Data

In 2025, a coordinated wave of attacks on Salesforce CRM environments shook some of the world’s largest brands. Unlike the typical breach narrative involving software flaws or zero-day exploits, this campaign underscores something far more human—and far more dangerous: social engineering.

Known Affected Companies

Multiple global organizations have confirmed or are strongly linked to this campaign, including:

• Google – Breach of a Salesforce instance used for SMB Ads prospects; ~2.55 million records reportedly exposed.
• Pandora – Customer names and emails compromised.
• Allianz Life – Investigation citing ~1.4 million impacted customers.
• Cisco – CRM data such as names, user IDs, emails, and phone numbers affected.
• Adidas
• Louis Vuitton, Dior, Tiffany & Co. (LVMH brands)
• Qantas
• Chanel
• Air France–KLM
• Coca‑Cola

The activity has been widely attributed to the ShinyHunters cybercriminal group, also tracked as UNC6040 for intrusions and UNC6240 for extortion.

How the Breach Happened

The core technique was voice phishing (vishing). Attackers posed as internal IT staff, calling employees and persuading them to authorize a seemingly legitimate Connected App in Salesforce—often a modified version of a data export tool. Once authorized, this app could query CRM records via API and exfiltrate large datasets.

It is important to note there is no indication of a platform-level compromise of Salesforce itself. The weakness exploited was human trust and process gaps around app authorization.

If you want a quick primer, we explain vishing clearly here: What Is Vishing and How Does It Work?

Risks to Organizations

Even where passwords or payment details were not included, the business impact can be significant. Exposed CRM data often contains the crown jewels of go‑to‑market operations: contact identities, decision paths, deal notes, and relationship histories. The risks include targeted follow‑on phishing, competitive intelligence leakage, reputational damage, and potential regulatory scrutiny under frameworks like GDPR or CCPA.

The Social Engineering Factor (and Why Training Matters)

These incidents are a reminder that persuasive social engineering can punch straight through sophisticated technical controls. The most effective countermeasure is a workforce that recognizes and resists manipulation tactics—especially when requests involve urgency, authority, or exceptions to normal process.

Recommendations for Salesforce CRM Security

Defense here is about tightening controls around app authorization, improving identity assurance, and monitoring data egress patterns. Focus on the following:

• Enforce MFA everywhere (users and API flows where applicable) and block legacy authentication.
• Restrict Connected App approvals to a small, trained admin group; apply least‑privilege scopes and short‑lived tokens.
• Continuously audit Connected Apps; remove unused or unknown integrations, and verify publishers.
• Validate IT requests via a trusted backchannel (ticket number + callback policy) before any app authorization.
• Monitor API usage and exports; alert on anomalous query volumes, hours, or objects (e.g., mass contact exports).
• Run regular vishing/phishing simulations and refresh training quarterly to keep staff vigilant.

Conclusions

The 2025 Salesforce CRM breaches show that robust platforms can still be undermined by social engineering. Technology alone is not enough. Organizations that pair strong access controls and monitoring with disciplined process and user education are far better positioned to withstand these campaigns.

The bottom line is straightforward: your CRM’s security posture is only as strong as your least prepared employee. Invest in your people with realistic training, and tighten the pathways that allow unvetted apps to touch your data.