Large companies including Google and Dior hit by massive Salesforce data breach

You may have noticed that in recent months, many companies have revealed data breaches, including Google, Dior, and Allianz, and one name that came up in the most cases was Salesforce. The hackers did not breach company networks directly or exploit vulnerabilities in Salesforce’s core software. Instead, they targeted the tools and the people around them by tricking employees into granting access, compromising third-party apps, and abusing overly broad permissions.

Once inside, they siphoned sensitive data from Salesforce environments on an unprecedented scale. Nearly a billion records were stolen from dozens of organizations, and now cybercriminals are extorting victims by threatening to release the data unless hefty ransoms are paid. Let’s take a closer look at the recent Salesforce incidents and why they are so important.

Hackers are weaponizing stolen Salesforce credentials to access company secrets. (REUTERS/Brendan McDermid)

Why Salesforce is the perfect target

Salesforce is not just another cloud platform. It is the backbone of how thousands of companies manage relationships with their customers. The platform powers everything from sales pipelines and marketing campaigns to support tickets and partner communications. Banks use it to track customer accounts, airlines rely on it to manage frequent flyer programs, and retailers store customer purchase histories and loyalty data on it. In many organizations, Salesforce sits at the center of daily operations, acting as a single system that touches sensitive information across all departments.

That is why the magnitude of these breaches is so significant. A successful attack on a Salesforce instance becomes a window into a company’s customers, business strategy, and internal processes. For cybercriminals, the potential payoff is enormous, and recent incidents have shown just how much damage they can cause without even breaking into a company’s main network.

The breaches affected companies across all sectors, from Adidas and Allianz to Qantas, Google and Pandora Jewelry. Attackers often used voice phishing calls or realistic fake applications to manipulate Salesforce administrators into installing malware. This allowed them to steal OAuth tokens and query data directly from CRM systems, a technique linked to groups like ShinyHunters.

Other attacks originated from compromised third-party integrations. One of the most damaging involved a chatbot tool called Drift, where stolen tokens gave attackers access to Salesforce instances at hundreds of companies.

The consequences were enormous. Coca-Cola’s European division lost more than 23 million CRM records, while Farmers Insurance and Allianz Life reported breaches affecting more than one million customers each. Even Google admitted that attackers accessed a Salesforce database used to generate advertising.

Big brands like Google, Dior and Allianz are among those affected by the data deluge. (Kurt “CyberGuy” Knutsson)

Exploit weak links in the ecosystem

It’s hard to get through firewalls or exploit technical vulnerabilities, but it’s much easier to manipulate people. Attackers have realized this and are now focusing their efforts on human behavior and the less protected edges of cloud ecosystems. Employees with administrative privileges were often tricked into authorizing malicious apps, while default permission settings allowed those apps to operate undetected.

Once they obtained the data, the hackers didn’t simply try to sell it. They used it as leverage. Earlier this month, a loosely organized cybercrime group known by names like Lapsus$, Scattered Spider and ShinyHunters launched a dedicated data leak site on the dark web, threatening to publish sensitive information unless victims paid a ransom.

As reported, the site is designed to pressure companies to pay to prevent stolen data from becoming public. “Contact us to regain control of your data management and prevent public disclosure,” reads a message on the site. “Don’t be the next headline. All communications require strict verification and will be handled with discretion.”

The leak site lists several alleged victims, including FedEx, Hulu (owned by Disney), and Toyota Motors. It is also unclear whether some of the organizations known to have been breached but not listed on the site have paid ransoms to prevent their data from being disclosed.

Cybercriminals now extort money from their victims online, threatening to leak billions of stolen records. (Kurt “CyberGuy” Knutsson)

Salesforce’s response

Salesforce told CyberGuy that it is “aware of recent extortion attempts by threat actors” and will not participate in, negotiate with, or pay any extortion demands. A company spokesperson provided the following statement:

“We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with third-party authorities and experts. Our findings indicate that these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any vulnerabilities known in our technology.”

6 steps you can take to protect your data

You might think that a breach like this is a business problem, something that needs to be addressed by IT teams and cybersecurity experts. However, when attackers gain access to platforms like Salesforce, the data they seek is typically not the company’s own. It’s yours. Your contact details, purchase history, support tickets, and even private conversations can end up in the wrong hands. And once that happens, the risks are not limited to a single company. That’s why it’s worth taking some proactive steps now, even if the company hasn’t contacted you yet about an incident.

1) Lock your accounts now

If you have interacted with any of the companies mentioned in the breach, or suspect your data might be part of it, change your passwords for those services immediately. Better yet, use a password manager to generate strong, unique passwords for each site. A good tool will also alert you if any of your credentials appear in future data breaches.

Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

2) Activate two-factor authentication

Even if your password is stolen, two-factor authentication (2FA) adds a crucial additional layer of security. Enable it for your email, banking apps, cloud storage, and any service that offers it. It’s one of the easiest ways to prevent attackers from taking over your accounts with stolen credentials.

3) Use a personal data deletion service

Even if your data was part of a breach, you can still limit the amount that circulates online. Personal data removal services scan and remove your personal information from data broker websites that sell or share your data without consent. These brokers often exchange names, addresses, phone numbers, and even purchase histories—the same type of data leaked in Salesforce-related breaches.

By removing your records from these public databases, you make it much more difficult for scammers, identity thieves, and marketers to find or misuse your information. Many services, like Incogni, handle the entire opt-out process automatically and continue monitoring to ensure your data remains deleted.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.

4) Detect and stop targeted phishing attacks

Attackers who have CRM data typically know more about you than a typical scammer. They may reference previous purchases, support cases, or other personal information to make their messages appear legitimate. Treat unexpected emails, text messages or phone calls with suspicion, especially if they involve links or requests for payment.

The best way to protect yourself from malicious links is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

5) Use identity tracking tools

Data breaches do not always result in immediate damage. Sometimes criminals store stolen data for months before using it. Identity monitoring tools can continually monitor the dark web for your personal information and notify you if your data appears in new leaks. That gives you time to act before problems worsen.

Identity theft protection companies can monitor personal information such as your Social Security number (SSN), phone number, and email address, and alert you if it is sold on the dark web or used to open an account. They can also help you freeze your bank and credit card accounts to prevent further unauthorized use by criminals.

See my tips and best options on how to protect yourself from identity theft at Cyberguy.com.

6) Know your rights

If you believe your data was exposed, companies are legally required in most regions to inform you. Don’t hesitate to contact them directly and ask them for details about what was stolen and what steps they are taking to protect affected customers. The more pressure users apply, the more likely companies will be to tighten security practices.

Kurt’s Key Takeaway

Attackers can expose your personal data even if you are careful. They gain access to corporate cloud environments and can view customer names, emails, purchase histories, and other sensitive details. For users, this means that it is essential to stay alert. Criminal groups use this stolen information to launch targeted phishing attacks, open fake accounts, or impersonate you elsewhere. Some even cross-reference leaked Salesforce data with information from previous breaches to create disturbingly complete profiles of their victims.

Should companies face stricter penalties when sensitive customer data is stolen? Let us know by writing to us at Cyberguy.com.

Copyright 2025 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.