In today’s connected business environment, companies depend on Salesforce for storing their most valuable client and company information. Businesses in a variety of industries were hit by a wave of cyberattacks that targeted Salesforce environments in 2025. Even though the Salesforce platform is extremely secure, hackers have discovered a new and innovative method of breaking in: the supply chain attack.
The numerous reliable apps and services you link to Salesforce, such as chat widgets and marketing tools, that have been given unique access to your data are the targets of this attack rather than your front door. A hacker can steal confidential data and bypass your primary defenses by breaching one of these external partners and obtaining their digital access key, making your trusted partner your weakest point.
Understanding the Threat: Supply Chain Attack
When hackers target a business indirectly by taking advantage of flaws in its suppliers, vendors, or third-party software, this is known as a supply chain attack. To obtain sensitive information, apps, or systems, attackers hack into a reliable partner rather than going after the business directly. Because one weak link can expose numerous organizations at once, these attacks are especially deadly. Phishing tactics, fraudulent software updates, and unsafe third-party integrations are all examples of supply chain attacks. To stop hackers from breaking into their networks via these reliable external channels, businesses need to closely monitor linked systems, manage their suppliers, and put strong security measures in place.
Recent Trends in Salesforce Supply Chain Attacks

For example, in the Salesloft Drift–Salesforce Breach (UNC6395), hackers gained access to hundreds of Salesforce systems by taking advantage of OAuth tokens in the Drift interface.
Salesforce, the leading CRM platform, is widely used by businesses to handle corporate interactions, marketing campaigns, sales pipelines, and sensitive client data. Because of its large ecosystem, many third-party services and apps, including Drift, Salesloft, and other linked apps, may easily communicate with Salesforce accounts. Although operational efficiency is increased by this integration, possible security flaws are also introduced. By introducing malicious software or compromising the security of a third-party vendor, attackers might use this access to simultaneously breach several client accounts, effectively converting trusted tools into attack vectors.
How the Salesforce Supply Chain Attack Unfolded

The incident started in mid-2025 when a third-party vendor environment became compromised through reconnaissance. Between March and June 2025, threat actors were able to access Salesloft’s development assets and get the OAuth access/refresh tokens that the Salesloft–Drift integration uses. Instead of attempting to breach Salesforce’s core infrastructure, the attackers used these stolen tokens as their main credential to mimic the trusted integration.
Between August 8 and August 18, 2025, the attackers gained access to hundreds of Salesforce customer environments using the compromised tokens. They exported records using Salesforce’s Bulk API and ran structured SOQL queries, frequently erasing tasks afterwards to avoid detection. CRM records such as contact information, case text, and account metadata were among the data that was exfiltrated; in certain cases, confidential passwords and cloud tokens that had an impact outside of Salesforce were also included.
Affected Companies & Data Compromised
| Affected Company / Victim | Primary Point of Attack (Supply Chain Link) | Compromised Data Type |
| --- | --- | --- |
| Google | Malicious connected app / social engineering (Data Loader replica) | Sales notes, client account information, and business contact details. |
| Zscaler | Vulnerable third-party app (Salesloft Drift) | Product licensing information, some support case content, and business contact details (names, emails, phone numbers, and job titles). |
| TransUnion | Vulnerable third-party app (Salesloft Drift) (name of specific vendor not made public) | Millions of people’s names, addresses, and other non-credit-related personal information. |
| Allianz Life | Malicious connected apps or social engineering | About 1.4 million clients’ contact details, policyholder information, and other private insurance information. |
| Qantas Airways | Malicious connected apps or social engineering | Records related to customers, such as names, emails, details about loyalty programs, and, for some, phone numbers and addresses. |
| Coca-Cola Europacific Partners (CCEP) | Malicious connected apps or social engineering | 23 million records, including customer service cases, account information, and contact entries. |
| LVMH Brands (Louis Vuitton, Dior, Tiffany & Co.) | Malicious connected apps or social engineering | Regional client databases that contain DOB (no financial information), purchase history, contact details, and customer name. |
| Workday | Malicious connected apps or social engineering | Contact details for businesses, including names, phone numbers, and emails. |
| Cloudflare | Vulnerable third-party app (Salesloft Drift) | Contact details for the customer and basic information about the support case (possibly including credentials or access tokens from help tickets). |
| Farmers Insurance | Third-party vendor (name of specific vendor not made public) | Names and possibly other personal identifiers belonging to more than a million customers. |
| Air France-KLM | Vulnerable third-party app (Salesloft Drift) | Names, emails, transaction details, and loyalty status are examples of customer service data. |
What did the GTIG report say?

The Google Threat Intelligence Group’s (GTIG) research states that the Drift–Salesloft integration’s compromised OAuth tokens were the main means of carrying out the Salesforce supply chain breach. GTIG pointed out that without compromising Salesforce’s core infrastructure, the attackers, known as UNC6395, used these tokens to obtain unauthorized access to hundreds of Salesforce customer environments.
The research stressed that the attack was an obvious example of the increasing danger associated with third-party SaaS interfaces, where a single weak vendor can expose numerous enterprises to high levels of risk. In order to avoid such breaches, GTIG also advised that companies treat linked apps as primary attack points, use least-privilege access, impose multi-factor authentication, and watch for odd API behavior.
The Digital Alarm: Implications for Business
The latest hack on Salesforce’s supply chain shows how connected software can pose significant security threats. Hackers utilized stolen OAuth tokens from a reliable third-party app in the Salesloft–Drift breach (UNC6395) to gain access to private information belonging to hundreds of businesses, including tech firms, luxury brands, airlines, and insurance agencies. Without gaining access to Salesforce itself, they were able to obtain internal tokens, support case data, and customer contact information.
This incident demonstrates that safeguarding the primary system alone is insufficient. Businesses must restrict access to third-party programs, keep an eye out for odd activity, react fast to problems, and verify the security of their vendors. Employee education is also crucial since hackers frequently exploit errors or inadequate authorization. All things considered, this hack serves as an important reminder that supply chain security is now crucial to protecting client and business data.
Preventive Measures: Strengthening the Supply Chain
Attacks on supply chains, such as the Salesloft–Drift–Salesforce breach, demonstrate that businesses must safeguard not only their internal systems but also the external apps and services they depend on. Businesses can decrease these risks by implementing a number of important steps:
Perform Comprehensive Vendor Assessments: Continually examine the security of apps, integrations, and third-party vendors. Verify that these partners don’t add vulnerabilities to your systems and follow strict security procedures.
Implement Strong Authentication Procedures: Apply least privilege access, which limits users’ and apps’ access to only the permissions they actually require, and use multi-factor authentication (MFA) for all users and associated apps. This minimizes the harm in the event that credentials are taken.
Monitor Third-Party Integrations: Keep an eye on how third-party apps communicate with your systems at all times. Investigate right away if you see any odd behavior, such as unexpected data exports, persistently unsuccessful login attempts, or strange API activity.
Train Staff on Social Engineering Techniques: Employees are frequently tricked by attackers into granting access or accepting dangerous programs. Staff members can identify and stop these attacks with regular training on social engineering, phishing, and dubious links.
Create Incident Response Plans: Prepare a well-thought-out, tried-and-true strategy for handling security breaches. This entails locating compromised systems, removing compromised login credentials, alerting impacted parties, and promptly returning to regular operations.
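The behaviour described earlier (SOQL queries, Bulk API exports, jobs erased afterwards) and the advice to monitor third-party integrations can be expressed as a small detection pass over API activity. This is an added example, not code from the original article or from Salesforce; the event schema, app names, baseline values and the 30-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not Salesforce's
# own log format): time, connected app, source IP, action, job id, rows returned.
EVENTS = [
    ("2025-01-10T09:00:00", "chat-integration", "198.51.100.10", "soql_query", None, 40),
    ("2025-01-10T09:05:00", "chat-integration", "198.51.100.10", "soql_query", None, 25),
    ("2025-01-11T02:14:00", "chat-integration", "203.0.113.77", "soql_query", None, 1),
    ("2025-01-11T02:15:00", "chat-integration", "203.0.113.77", "bulk_query_create", "job-1", 0),
    ("2025-01-11T02:21:00", "chat-integration", "203.0.113.77", "bulk_query_result", "job-1", 250000),
    ("2025-01-11T02:22:00", "chat-integration", "203.0.113.77", "bulk_job_delete", "job-1", 0),
    ("2025-01-11T03:00:00", "etl-sync", "198.51.100.20", "bulk_query_create", "job-2", 0),
    ("2025-01-11T03:10:00", "etl-sync", "198.51.100.20", "bulk_query_result", "job-2", 90000),
]
# Assumed per-app baseline: the source IPs the vendor publishes and a daily row ceiling.
BASELINE = {
    "chat-integration": {"ips": {"198.51.100.10"}, "max_rows": 5000},
    "etl-sync": {"ips": {"198.51.100.20"}, "max_rows": 200000},
}
DELETE_WINDOW = timedelta(minutes=30)  # assumed: delete this soon after download is suspicious

def detect(events, baseline):
    """Return sorted (app, finding) pairs for integrations acting outside their profile."""
    findings, rows, job_done = set(), defaultdict(int), {}
    for ts, app, ip, action, job, n in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        profile = baseline.get(app)
        if profile is None:  # an app nobody inventoried is a finding in itself
            findings.add((app, "unknown_app"))
            continue
        if ip not in profile["ips"]:
            findings.add((app, "unexpected_source_ip"))
        rows[(app, when.date())] += n  # running total of rows returned per app per day
        if rows[(app, when.date())] > profile["max_rows"]:
            findings.add((app, "export_volume_over_baseline"))
        if action == "bulk_query_result":
            job_done[(app, job)] = when
        elif action == "bulk_job_delete":
            done = job_done.get((app, job))
            if done and when - done <= DELETE_WINDOW:
                findings.add((app, "export_job_deleted_after_download"))
    return sorted(findings)

if __name__ == "__main__":
    for app, finding in detect(EVENTS, BASELINE):
        print(f"{app}: {finding}")
```

Each finding on its own can be benign; the combination of a new source IP, an export far above the integration's norm, and a job deleted right after download is what warrants revoking the app's tokens and investigating.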
By taking these steps, businesses can successfully enhance their defenses throughout the supply chain, decreasing the possibility of a breach and reducing its consequences in the event that one does happen. In today’s cloud-driven systems, protecting your own system is important but so is making sure that linked third-party technologies are secure.
FAQs
What part do rules play in stopping attacks on the supply chain?
Companies can lower supply chain risks by following data privacy laws like the CCPA and GDPR. According to these regulations, companies must carefully oversee and manage their contractors, make sure third-party apps adhere to security guidelines, conduct frequent audits, and safeguard client information. Organizations that adhere to these rules not only maintain compliance but also strengthen their defenses against attacks that can take advantage of flaws in connected apps or suppliers.
Can this have an impact on small businesses?
Yes, companies of any size can be the target of supply chain attacks. Businesses that depend on third-party software or vendors, even small and medium-sized ones, are at risk. Attackers gain access to private information by taking advantage of flaws in these reliable connections. As a result, small firms also need to monitor third-party access, put strong safety precautions in place, and train staff on possible risks.
How frequently should businesses conduct third-party vendor audits?
To guarantee security, businesses should conduct frequent and ongoing audits of their third-party contractors. System logs, access rights, vendor security policies, and standard compliance should all be examined during these audits. Regular and comprehensive inspections lower the risk of supply chain attacks, stop illegal access, and assist in finding weaknesses early. By remaining cautious, businesses can avoid becoming vulnerable targets for hackers.