What Happened in the Salesforce Data Breach?
Microsoft has published research detailing a year-long campaign of intrusions into corporate Salesforce environments. The activity, which researchers tie to the data-extortion group known as ShinyHunters, ran from mid-2025 into mid-2026. Notably, the attackers never exploited a software flaw in Salesforce itself. Instead, they abused the trust built into OAuth connections that link Salesforce to outside apps and vendors.
Microsoft’s research, published in mid-July 2026, mapped the wider Salesforce data breach campaign to three separate techniques. The first involved vishing calls where attackers posed as IT support and talked employees into approving a fake connected app. The second relied on stolen OAuth tokens taken from compromised software vendors, including incidents involving Salesloft Drift, Gainsight, and Klue. The third exploited misconfigured guest access on Salesforce Experience Cloud sites, letting attackers pull data without ever logging in.
Because the traffic in each case came from a trusted user or an approved integration, standard sign-in and authentication monitoring largely missed it. As a result, the intrusions went unnoticed for extended periods. Microsoft worked with Salesforce afterward to build new detection and governance tools aimed at catching this kind of abuse going forward. The company’s investigation drew on incident data shared across multiple vendors and affected organizations throughout the campaign.
Who was affected?
The Salesforce data breach campaign touched organizations across many industries, including retail, education, and manufacturing. Because the attack paths targeted CRM platforms and connected business tools, the exposed data mostly belongs to corporate customers, business contacts, and support-case records rather than direct consumers in every instance.
Specific incidents named in the research include Google, Chanel, Pandora, Adidas, Qantas, Allianz Life, and several LVMH brands, tied to the vishing-based intrusions. The Salesloft Drift token theft alone potentially exposed more than 700 organizations, among them Cloudflare, Zscaler, Palo Alto Networks, Proofpoint, PagerDuty, and Tanium. The Gainsight incident affected more than 200 Salesforce instances, and the Klue compromise hit customers including Huntress and Recorded Future. A precise total victim count across the full campaign has not been publicly disclosed, though a group claiming the ShinyHunters name has claimed the Salesloft and Gainsight waves alone reached close to 1,000 organizations, a figure that has not been independently confirmed.
What Information Was Potentially Exposed?
The information exposed varies by incident and attack path, but generally centers on data stored inside Salesforce CRM instances and connected support platforms. In several cases, attackers specifically searched for credentials and secrets that could open access to additional systems.
- Business contact information, including names, emails, and phone numbers
- CRM records tied to customer accounts and sales pipelines
- Support case data and customer service records
- Credentials such as AWS keys, Snowflake tokens, and passwords found within stored data
- OAuth and refresh tokens tied to connected app integrations
- Records exposed through misconfigured guest access on Experience Cloud sites
Because much of the exposed data includes credentials and access tokens, the risk extends beyond the initial victim organizations. For example, attackers who harvested AWS keys or Snowflake tokens could potentially pivot into other cloud systems. This kind of secondary exposure makes it harder to fully scope the damage from any single incident.
For individuals whose contact information appeared in exposed business records, the main risk involves targeted phishing and social engineering. Attackers with access to real names, emails, and business relationships can craft convincing follow-up scams. In addition, when support-case data is exposed, it can reveal sensitive details about a customer’s account history or internal business issues, which scammers can use to impersonate legitimate vendors.
What is the company doing?
In response to the campaign, Microsoft worked directly with Salesforce to build new detection and governance tooling. This includes an upgraded Salesforce connector for Defender for Cloud Apps that ties suspicious activity to a specific connected app and its granted OAuth scopes. The tool also adds session and API context that was previously missing from standard authentication logs.
Beyond detection, Microsoft and Salesforce added posture management features. These include a view of highly privileged apps holding elevated permissions, a way to flag apps that have sat unused for 90 days or more while retaining live access, and a risk score for each connected app. Salesforce also disabled or pulled several compromised third-party apps, including those tied to Gainsight and Klue, once unusual API activity was detected. Individual vendors involved, such as Salesloft, conducted their own root-cause investigations and traced some incidents back to earlier compromises of internal systems.
What Should Affected Individuals Do?
Watch for Phishing and Vishing Attempts
Because this campaign began with a phone call impersonating IT support, affected individuals and employees should treat unexpected calls asking for login approval with suspicion. If someone calls claiming to be IT support and asks you to approve an app or share a code, hang up and call back using a known, verified number.
This same caution applies to follow-up emails or texts referencing your business relationship with a breached vendor. Scammers often use stolen contact data to make phishing attempts look more convincing. Therefore, always verify a sender’s identity through a separate channel before clicking links or sharing information.
Monitor Accounts and Credit Reports
Anyone notified that their data may have been involved in this campaign should regularly check their financial accounts and credit reports for unfamiliar activity. Free credit reports are available annually from each of the three major bureaus, and reviewing them can help catch fraud early.
In addition, consider setting up account alerts for unusual login attempts or transactions. Because some of the exposed data included credentials and tokens, it is worth changing passwords on any accounts that may have shared login information with an affected vendor.
Consider a Fraud Alert or Credit Freeze
If your personal information, including business contact details tied to financial accounts, was part of any of these incidents, placing a fraud alert with the credit bureaus adds an extra layer of protection. A fraud alert requires lenders to take extra steps to verify your identity before extending credit in your name.
For stronger protection, a credit freeze restricts access to your credit report entirely, making it harder for identity thieves to open new accounts. Because these breaches involved credential harvesting in some cases, individuals whose financial information may have been indirectly exposed should weigh this option carefully.
Know Your Rights and Consider Legal Options
Given the scale of this campaign and the number of organizations involved, affected individuals may have grounds to pursue compensation, particularly if a specific company failed to secure its systems adequately. Consulting a data breach attorney for a free case evaluation can help clarify whether you qualify for any claim.
Because multiple companies and vendors were involved across this year-long campaign, the specific notification and legal timelines may vary by incident. As a result, affected individuals should keep any breach notification letters they receive and act promptly once informed.
More Information
Official data breach notification from Oregon Department of Justice
