
ZDNET’s key takeaways
- The FBI warned about the alarming trend of compromised accounts.
- The success rate of threat actors could tarnish Salesforce’s reputation.
- The most recent wave of attacks was likely preventable.
Since Salesforce’s founding in 1999, the company’s executive team has made trust the top priority for the organization and its employees. In a post titled “Trust is our #1 value,” the company states that “our trust-first culture is based on ensuring that our customers know their data is safe, and theirs — to be accessed when, where, and how they intend.”
However, recent data thefts involving Salesforce’s infrastructure suggest that the cloud company is encountering avoidable difficulties in delivering on that promise.
ZDNET’s research reveals that Salesforce could be doing more to secure the parts of its platform that were exploited in recent attacks. In preparing this report, I interviewed Salesforce chief trust officer Brad Arkin as well as cybersecurity experts from AppOmni, Google Cloud Mandiant, and Okta. (Okta’s brand was hijacked in some versions of the attacks in question, but Okta’s platform itself was not a part of those attacks.)
A giant platform with a target on its back
For Salesforce customers, 2025 has been a particularly brutal year. A long (and growing) list of organizations — many of which are household names — have reported massive and malicious exfiltrations of sensitive customer data followed by demands for cryptocurrency ransoms.
While several companies have openly cited their instances of Salesforce as the targets of these attacks, others have coyly and generically referred to a third-party application in their disclosures. Various media reports have insinuated that Salesforce was the affected system in many of those cases. The FBI has issued a flash warning regarding the attacks on Salesforce accounts. And now, 14 of the company’s customers have filed lawsuits in connection with the attacks.
Salesforce has acknowledged that customers’ instances of its platform have been targeted during the recent wave of attacks. On Aug. 7, 2025, the company published an Informational Message stating that “Salesforce platform has not been compromised and this issue is not due to any known vulnerability in our technology.” A March 2025 company blog post notes that threat actors “have been reported luring our customers’ employees and third-party support workers to phishing pages designed to steal credentials and [multi-factor authentication] tokens or prompting users to navigate to the login.salesforce[.]com/setup/connect page in order to add a malicious connected app.”
The list of victim organizations reads like a who’s who of well-known brands — Allianz Life, LVMH (parent to Louis Vuitton, Dior, and Tiffany & Co.), Qantas, Cisco, Chanel, Google, and Workday, just to name a few. And the list is growing. In recent weeks, Proofpoint, SpyCloud, Tanium, and Tenable added their names to the victim list, potentially bringing the total to over 700 companies.
In late August, TransUnion notified the Maine and Texas attorneys general of a July 28, 2025, breach that was sourced to a third-party application. What’s so special about Maine and Texas? According to Joseph Rosenbaum, a New York-based attorney specializing in cybersecurity, privacy, and data protection at Rimon Law, “both states have specific (and time-sensitive) disclosure requirements when data breaches affect more than a certain number of their residents and require reporting to their Attorneys General.”
Although the credit reporting bureau did not name Salesforce, Fox News was among several news outlets to make the connection. Fox News stated that the breach “appears to be part of a broader wave of Salesforce-related attacks that is hitting organizations across sectors, from tech and finance to retail and aviation.”
Cory Michal, chief security officer at SaaS security solution provider AppOmni, told me that “based on the tactics, techniques, and procedures (TTPs) observed, along with the timing of the attack and available threat intelligence, the TransUnion incident aligns closely with the ongoing [attacks] targeting Salesforce environments.” The Fox News report mentioned Air France-KLM as yet another target.
In an interview for this story, Okta vice president of threat intelligence Brett Winterford told me that “the list is longer than the people who have disclosed so far. It is a very long list.” As this article was being written, new reports were emerging about ransomware attacks involving similar TTPs on Gucci, Balenciaga, and Alexander McQueen. Okta is…