Attackers abused a trusted connected app to siphon CRM data at scale. Here’s the plain‑English version—and what you can do today.
TL;DR (At‑a‑Glance)
- Attackers leveraged a connected app and stolen OAuth tokens to mass‑export CRM records (contacts, case notes).
  OAuth token abuse • Connected apps in Salesforce
- The platform itself was not directly hacked; access flowed through a third‑party integration (the classic SaaS supply‑chain pattern).
  SaaS supply‑chain risk
- Credential‑hunting: attackers scanned stolen case text for API keys and secrets to pivot further.
  Secret discovery in tickets
- Wealthsimple: a breach in the same timeframe, but unrelated to the Salesforce campaign.
  Wealthsimple breach unrelated
- DO THIS NOW: enable 2FA, rotate reused passwords, beware targeted phishing, review/revoke stale app permissions.
📰 A trusted CRM add‑on became a super‑highway for data theft, proving that in the cloud era your biggest risk may be someone else’s software.
In late summer 2025, attackers abused a Salesforce‑connected app to export support and sales data from many organizations. This guide explains the timeline, who’s affected, how it worked, what investigators have done, how Wealthsimple’s incident differs, and what readers can do right now to reduce harm.
🗂️ What Happened (in Plain English)
- “Salesforce” is a CRM where companies store customer and support data.
  📘 What is a CRM? CRM stands for Customer Relationship Management: the strategies, practices, and technologies businesses use to manage and analyze customer interactions and data across the whole customer lifecycle.
- Many companies plug in third‑party tools (chatbots, email add‑ons) using OAuth to grant access without sharing passwords.
  🔑 How OAuth works: OAuth is an authorization framework that lets a user grant a third‑party application limited access to their data on another service without sharing their credentials. After the user approves the request, an authorization server issues an access token, a temporary credential the client application presents to reach specific resources on the user’s behalf. Whoever holds a valid token gets that access, which is why stolen tokens matter.
- Attackers obtained valid OAuth tokens from a popular app (Drift) and used them to bulk‑download Salesforce data from many customers.
  🚰 Bulk export via APIs: programmatically extracting large volumes of data from a system through its Application Programming Interface (API). It is built for efficiency with substantial datasets, often thousands or millions of records, which is exactly what makes it attractive for mass data theft.
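To make the token mechanics concrete, here is an added illustration (not Salesforce's, Drift's or any vendor's code) of the relationship described above: a toy authorization server that issues scoped, expiring bearer tokens to a connected app, a CRM API that trusts nothing but the token, and the vendor-wide revocation step from the timeline. The class names, the `read:cases` / `read:contacts` scopes and the sample case records are assumptions made for the example. It shows why a copied token works without any password, and how narrow scopes, short lifetimes and revocation each cut the damage.

```python
"""Toy model of the OAuth bearer tokens a CRM issues to a connected app.

Added illustration, not Salesforce's, Drift's or any vendor's code. Assumes a
minimal authorization server, a CRM API guarded only by the token, and a
vendor-wide revocation step.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Token:
    app_id: str          # connected app the token was issued to
    scopes: frozenset    # what the user consented to
    expires_at: float    # unix time; a short lifetime limits a stolen token's value
    revoked: bool = False


class AuthorizationServer:
    """Issues and revokes tokens; stores only a hash of each bearer string."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._tokens: Dict[str, Token] = {}

    @staticmethod
    def _key(bearer: str) -> str:
        return hashlib.sha256(bearer.encode()).hexdigest()

    def issue(self, app_id: str, scopes: Iterable[str], ttl_seconds: int) -> str:
        bearer = secrets.token_urlsafe(32)
        self._tokens[self._key(bearer)] = Token(app_id, frozenset(scopes),
                                                self._now() + ttl_seconds)
        return bearer

    def introspect(self, bearer: str) -> Optional[Token]:
        return self._tokens.get(self._key(bearer))

    def revoke_app(self, app_id: str) -> int:
        """Platform-wide revocation of every live token for one connected app."""
        live = [t for t in self._tokens.values() if t.app_id == app_id and not t.revoked]
        for tok in live:
            tok.revoked = True
        return len(live)


class CrmApi:
    """Resource server: the bearer token is the only thing guarding the data."""

    SAMPLE_CASES = [  # constructed records standing in for support cases
        {"id": "CASE-1", "text": "Sync job failing since Monday"},
        {"id": "CASE-2", "text": "Please update billing contact"},
    ]

    def __init__(self, auth: AuthorizationServer, now: Callable[[], float] = time.time):
        self._auth, self._now = auth, now

    def export_cases(self, bearer: str) -> List[dict]:
        tok = self._auth.introspect(bearer)
        if tok is None or tok.revoked:
            raise PermissionError("unknown or revoked token")
        if self._now() > tok.expires_at:
            raise PermissionError("token expired")
        if "read:cases" not in tok.scopes:
            raise PermissionError("scope read:cases was never granted")
        return list(self.SAMPLE_CASES)


def denied(crm: CrmApi, bearer: str) -> bool:
    try:
        crm.export_cases(bearer)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Legitimate use, then token theft, then the three mitigations."""
    clock = [1_700_000_000.0]               # controllable clock instead of real time
    auth = AuthorizationServer(lambda: clock[0])
    crm = CrmApi(auth, lambda: clock[0])
    out = {}
    # User consents to a chatbot app with broad read scope and a 1-hour token.
    bearer = auth.issue("chatbot-app", {"read:cases", "read:contacts"}, 3600)
    out["legit_rows"] = len(crm.export_cases(bearer))
    # Whoever copies that string out of the vendor's storage gets identical
    # access: no password, no MFA prompt, nothing to tell them apart.
    out["stolen_rows"] = len(crm.export_cases(bearer))
    # Mitigation 1: a least-privilege scope would have blocked the case export.
    out["narrow_scope_denied"] = denied(crm, auth.issue("chatbot-app", {"read:contacts"}, 3600))
    # Mitigation 2: short lifetime; two hours later the stolen token is dead.
    clock[0] += 7200
    out["expired_denied"] = denied(crm, bearer)
    # Mitigation 3: vendor-wide revocation kills every token of the app at once.
    fresh = auth.issue("chatbot-app", {"read:cases"}, 3600)
    out["revoked_count"] = auth.revoke_app("chatbot-app")
    out["revoked_denied"] = denied(crm, fresh)
    return out


if __name__ == "__main__":
    print(demo())
```

Run it directly and `demo()` prints one dictionary: the stolen copy exports exactly as many rows as the legitimate one, and each of the three mitigations turns a later export into a denial. Note that the server stores only a hash of each token, so a dump of its own database does not hand out usable bearer strings; the vendor-side store of issued tokens is where the real campaign's exposure sat.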
🗓️ Timeline (last ~60 days)
- Week 1–2: Suspicious bulk exports begin from the connected app.
- Week 2–3: Vendor disables the integration; tokens revoked platform‑wide.
- Week 3–4: Coordinated advisories from cloud/security vendors; customer notifications start.
- Week 4–8: Organizations publish incident notes; forensics indicate credential‑hunting in stolen case text.
🗞️ Salesforce Security Advisories
👥 Who’s Affected?
- Organizations using the specific connected app integration with broad read scopes to CRM data. At the time of writing, the estimate is 700 companies globally.
- Individuals whose contact details and support case text reside in those CRMs (customers, partners, employees). At the time of writing, an estimated 2.55 million clients’ information has been compromised.
- Elevated risk for anyone who shared passwords/API keys in support tickets (never do this!).
🧯 What Data Was at Risk?
- Likely: names, emails, job titles, company names, case IDs, case text, internal comments.
- Sometimes (problematic): embedded API keys, credentials, logs pasted into tickets.
What You Should Do (Individuals)
- Turn on 2FA for email, banking, investing apps; prefer authenticator apps over SMS.
  Enable 2FA guides for Android/Google, for iPhone/iPad, Microsoft
- Change passwords (unique per site); update any reused ones; adopt a password manager.
  Password manager comparisons
- Be alert for targeted phishing referencing past support issues; verify via official channels.
  Spear‑phishing red flags often include urgent or threatening language, requests for private data, unusual links or attachments, poor grammar/spelling, suspicious sender details, and an unprofessional design or tone inconsistent with the supposed sender.
- Review and revoke unused connected apps in your Google/Microsoft/other accounts.
  Review connected apps—how‑to
- If you shared sensitive info in tickets, rotate API keys, reset passwords, and consider credit monitoring if PII exposure is suspected.
  Credit monitoring options
🧱 What Small/Medium Orgs Should Do (Quick Wins)
- Containment
  - Revoke OAuth tokens for the affected integration; disable the app; rotate secrets.
    🧰 Salesforce token revocation
- Hardening
  - Enforce least‑privilege scopes; require short‑lived tokens; restrict by IP allowlists.
    🔒 Least privilege for OAuth
  - Turn on alerts for anomalous Bulk API downloads and Data Loss Prevention checks for secrets.
    📈 Detect bulk exports: what counts as a bulk export, and where it is logged, varies by platform. Consult the platform’s documentation for how to monitor ongoing or past bulk export operations; this usually means checking job status pages, event logs, or polling an API for updates, and then alerting when the volume, source address, or objects exported depart from the integration’s normal pattern.
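As an added example of the detection logic that bullet calls for (not Salesforce's product code or any vendor's), the script below runs three checks over constructed API access records: a per-app volume spike against the recent daily median, an object type the app has never exported before, and a request from outside the app's IP allowlist. The record fields (`app`, `user`, `ts`, `op`, `object`, `rows`, `ip`), the sample events, the thresholds and the allowlist are all assumptions; map them onto your platform's real export or API event log before using it.

```python
"""Flag anomalous bulk exports by a connected app from CRM API access records.

Added example, not Salesforce's product code. Record fields (app, user, ts,
op, object, rows, ip) and the sample events are constructed for illustration;
map them to your platform's real export/API event log before use.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Optional, Set


def _baseline_events(app: str, user: str, ip: str, obj: str, rows: int) -> List[dict]:
    """Seven quiet days of the same nightly sync (constructed)."""
    return [{"ts": f"2025-08-0{d}T02:00:00Z", "app": app, "user": user,
             "op": "bulk_query", "object": obj, "rows": rows, "ip": ip}
            for d in range(1, 8)]


EVENTS = (
    _baseline_events("chatbot-app", "svc-chatbot@example.com", "203.0.113.10", "Contact", 1_000)
    + _baseline_events("email-addon", "svc-mail@example.com", "203.0.113.20", "Contact", 500)
    + [  # day 8: the chatbot app's token is used from a new address to pull every Case
        {"ts": "2025-08-08T03:15:00Z", "app": "chatbot-app", "user": "svc-chatbot@example.com",
         "op": "bulk_query", "object": "Case", "rows": 400_000, "ip": "198.51.100.7"},
    ]
)

# Per-app source allowlist (constructed); the Hardening bullet above calls for one.
ALLOWLIST: Dict[str, Set[str]] = {
    "chatbot-app": {"203.0.113.10"},
    "email-addon": {"203.0.113.20"},
}


def detect(events: List[dict], allowlist: Optional[Dict[str, Set[str]]] = None,
           baseline_days: int = 7, factor: float = 5.0, floor_rows: int = 50_000) -> List[dict]:
    """Return alerts for volume spikes, never-before-exported objects and
    requests from outside the app's IP allowlist."""
    allowlist = allowlist or {}
    alerts: List[dict] = []
    rows_by_day: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    objs_by_day: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for e in events:
        day = e["ts"][:10]                        # ISO timestamps sort as strings
        rows_by_day[e["app"]][day] += e["rows"]
        objs_by_day[e["app"]][day].add(e["object"])
        allowed = allowlist.get(e["app"])
        if allowed is not None and e["ip"] not in allowed:
            alerts.append({"type": "ip_not_allowlisted", "app": e["app"],
                           "ts": e["ts"], "ip": e["ip"]})
    for app, per_day in rows_by_day.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = days[max(0, i - baseline_days):i]
            if not prior:
                continue                          # nothing to compare against yet
            base = median(per_day[d] for d in prior)
            # Spike: above an absolute floor AND well above the recent median,
            # so a tiny baseline does not make every small change an alert.
            if per_day[day] > max(floor_rows, factor * base):
                alerts.append({"type": "volume_spike", "app": app, "day": day,
                               "rows": per_day[day], "baseline_median": base})
            seen = set().union(*(objs_by_day[app][d] for d in prior))
            for obj in objs_by_day[app][day] - seen:
                alerts.append({"type": "new_object_exported", "app": app,
                               "day": day, "object": obj})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, ALLOWLIST):
        print(a)
```

On the constructed data the seven baseline days produce nothing, and day eight raises all three alert types for `chatbot-app` only. The absolute floor matters: an integration that normally pulls a few hundred rows would otherwise alert on every ordinary fluctuation, so tune `floor_rows` and `factor` to each integration's real volume rather than one global value.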
- Process
  - Ban secrets in tickets; provide a secure drop for sensitive shares.
    📜 Secure secret exchange patterns
  - Add vendor risk checks for connected apps; require incident‑response SLAs.
    🧾 SaaS vendor risk checklist
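An added example (not any vendor's DLP product) of the secret check the Hardening and Process bullets call for: a scanner that flags pasted credentials in ticket text and redacts them before the ticket is stored, which is the technical backstop to a "no secrets in tickets" rule. The detector patterns, the entropy threshold and the sample ticket are assumptions; the AWS key pair in the sample is the placeholder pair from AWS's own documentation, not a live credential.

```python
"""Scan support-ticket text for pasted secrets and redact them before storage.

Added example, not a vendor's DLP product. The ticket text is constructed; the
AWS key pair in it is the documented placeholder pair from AWS's own examples,
not a live credential.
"""
import math
import re
from collections import Counter
from typing import List, Tuple

# Pattern-based detectors: (kind, regex, index of the group holding the secret)
PATTERNS: List[Tuple[str, re.Pattern, int]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
    ("bearer_token", re.compile(r"\bbearer\s+([A-Za-z0-9._~+/-]{20,}=*)", re.IGNORECASE), 1),
    # key=value / key: value where the key name suggests a credential
    ("credential_assignment",
     re.compile(r"\b[a-z0-9_-]*(?:password|passwd|pwd|api[_-]?key|secret|token)[a-z0-9_-]*"
                r"\s*[:=]\s*['\"]?([^\s'\"]{6,})", re.IGNORECASE), 1),
]
# Fallback: long opaque strings with high entropy (API keys without a telltale prefix)
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; tune against your own false-positive rate


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text: str) -> List[dict]:
    """Return findings as {kind, start, end, value}, sorted by position."""
    findings: List[dict] = []
    for kind, rx, group in PATTERNS:
        for m in rx.finditer(text):
            findings.append({"kind": kind, "start": m.start(group),
                             "end": m.end(group), "value": m.group(group)})

    def overlaps(start: int, end: int) -> bool:
        return any(f["start"] < end and start < f["end"] for f in findings)

    # Entropy fallback only where a pattern detector has not already fired.
    for m in CANDIDATE.finditer(text):
        if not overlaps(m.start(), m.end()) and shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
            findings.append({"kind": "high_entropy_string", "start": m.start(),
                             "end": m.end(), "value": m.group()})
    return sorted(findings, key=lambda f: f["start"])


def redact(text: str) -> str:
    """Replace each detected secret with a marker; work right-to-left so the
    earlier offsets stay valid while the string is being edited."""
    out = text
    for f in reversed(scan(text)):
        out = out[:f["start"]] + f"[REDACTED:{f['kind']}]" + out[f["end"]:]
    return out


SAMPLE_TICKET = """\
Hi support, our nightly sync fails with 403. Config pasted below:
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
db password: Winter2024!
Job id: 0000000000000000000000000000000000
Thanks, Pat
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TICKET):
        print(f["kind"], "at offset", f["start"])
    print(redact(SAMPLE_TICKET))
```

Wire `scan` into ticket creation to reject or quarantine the submission, and `redact` into anything that copies ticket text elsewhere (CRM sync, search index, exports). The entropy fallback is what the fixed patterns miss, but it is also the main source of false positives, which is why the low-entropy job id in the sample passes while the opaque secret key would be caught even without its telltale field name.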
Appendix: Editor Checklists
Individuals
- Turn on 2FA for email, finance, work apps.
- Change any reused passwords; adopt a password manager.
- Delete or revoke unused connected apps.
- Watch for phishing that references real support cases.
- If you shared secrets in tickets, rotate keys and update passwords.
Organizations
- Revoke affected OAuth tokens; disable the app; rotate secrets/keys.
- Enforce least‑privilege scopes; shorten token lifetimes; set IP allowlists.
- Alert on Bulk API anomalies; enable DLP for secrets in case fields.
- Ban secrets in tickets; provide a secure drop channel.
- Add vendor risk gating for new connected apps; require security SLAs.
- Communicate clearly to customers; publish an incident FAQ and timeline.