Over the past weeks, we’ve seen a frightening surge in social engineering attacks targeting Salesforce ecosystems, and the urgency couldn’t be higher.
Workday publicly confirmed it was breached in a vishing campaign, with attackers extracting business-only contact details via a third-party CRM platform, amid a broader wave of data theft affecting Salesforce-connected environments. The company promptly shut down access, but the signal is clear: no one is safe.
Even Google has now confirmed it fell victim in June to a breach of its Salesforce CRM instance. Basic SMB contact information was stolen during a narrow window before mitigation kicked in.
Salesforce itself broke its silence and issued a statement urging admins to audit connected apps, enforce least privilege, enable MFA, restrict login IP ranges, and use Salesforce Shield’s event monitoring and threat-detection tools.
Allianz Life filed a data breach notification after attackers gained access via a third-party CRM tied to Salesforce, affecting the majority of its U.S. customers. Exposed data includes personal and financial details; the company notified the FBI and is offering identity protection.
LVMH brands (Louis Vuitton, Dior, Tiffany & Co.) and Adidas disclosed incidents in late July linked to the same Salesforce-focused vishing campaign. Attackers tricked staff into approving malicious connected apps, enabling OAuth access and CRM data theft.
Coca-Cola (Middle East) revealed in May that ~1,000 employees had sensitive records stolen, including IDs and banking details. The breach involved Salesforce-integrated HR systems exploited through a spoofed connected app.
What’s Going Wrong? Why Now?
- Malicious connected apps masquerading as Data Loader or ticket portals are being added during vishing calls, enabling stealthy data exfiltration.
- Threat actors like ShinyHunters are evolving, combining credential harvesting, domain impersonation, and vishing. Security firms are warning that financial services and tech firms could be next.
This is where the Salesforce Shared Responsibility Model becomes crucial: Salesforce secures the platform, but protecting what you build and connect on top of it — apps, users, data flows — is your responsibility. Attackers are exploiting exactly this gap, and organizations that don’t close it are leaving themselves exposed.
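Two of the controls named above, auditing connected apps and restricting login IP ranges, can be checked together from setup audit output. The following is an added example (not DigitSec’s or Salesforce’s code): it runs over constructed audit records and flags authorizations of unapproved apps, look-alike names such as a misspelt “Data Loader”, and authorizations from outside the allowed IP ranges. The field names, action string, app names and IP ranges are assumptions for the example, not the real Salesforce schema.

```python
import difflib
import ipaddress

# Constructed sample records, loosely modelled on Salesforce setup audit
# output for connected-app authorizations. Field names and the action string
# are assumptions for this example, not the real Salesforce schema.
AUDIT_ROWS = [
    {"user": "admin@example.com",  "action": "connectedAppAuthorized", "app": "Data Loader",           "ip": "203.0.113.10"},
    {"user": "sales1@example.com", "action": "connectedAppAuthorized", "app": "Data Loder",            "ip": "198.51.100.7"},
    {"user": "sales2@example.com", "action": "connectedAppAuthorized", "app": "Support Ticket Portal", "ip": "198.51.100.9"},
    {"user": "sales3@example.com", "action": "connectedAppAuthorized", "app": "Data Loader",           "ip": "198.51.100.12"},
    {"user": "admin@example.com",  "action": "profileChanged",         "app": None,                    "ip": "203.0.113.10"},
]

# Constructed policy: the connected apps the org has approved, and the login IP
# ranges from which connected-app authorizations are expected.
APPROVED_APPS = {"Data Loader", "Salesforce CLI"}
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def classify_app(app, approved=APPROVED_APPS, cutoff=0.8):
    """Return None if the app is approved, otherwise a reason string.
    Names that closely resemble an approved app are called out separately,
    since the campaign described above used apps posing as Data Loader."""
    if app in approved:
        return None
    lookalike = difflib.get_close_matches(app, approved, n=1, cutoff=cutoff)
    if lookalike:
        return f"look-alike of approved app {lookalike[0]!r}"
    return "unapproved connected app"

def ip_allowed(ip, ranges=ALLOWED_RANGES):
    return any(ipaddress.ip_address(ip) in net for net in ranges)

def find_suspicious_authorizations(rows, approved=APPROVED_APPS, ranges=ALLOWED_RANGES):
    """Return (row, reasons) pairs for connected-app authorizations that fail
    the approved-app check, the login IP range check, or both."""
    findings = []
    for row in rows:
        if row["action"] != "connectedAppAuthorized":
            continue
        reasons = []
        app_reason = classify_app(row["app"], approved)
        if app_reason:
            reasons.append(app_reason)
        if not ip_allowed(row["ip"], ranges):
            reasons.append(f"authorized from {row['ip']}, outside the allowed login IP ranges")
        if reasons:
            findings.append((row, reasons))
    return findings
```

On the sample data the admin’s Data Loader authorization from an allowed range passes, while the misspelt app, the unknown ticket portal, and the legitimate app authorized from an unexpected address are all reported with their reasons.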
Why This Must Be a Top Priority
- These attacks don’t just create downtime or IT headaches. They can trigger serious legal consequences, damage brand reputation, and erode customer trust in ways that are far harder to recover from than the initial breach itself.
- Security for your Salesforce org can no longer sit low on the priority list — it belongs at the top. Keeping your org safe isn’t just about compliance or passing audits, it’s about safeguarding your business’s future and the relationships you’ve worked hard to build.
DigitSec Is the Security Partner Organizations Need, NOW
At DigitSec, we help organizations see the hidden risk in their Salesforce environments before attackers do.
Here’s how DigitSec makes a difference:
- Proactive detection that closes the window between attack and mitigation.
- Rigorous scanning for vulnerabilities introduced by connected and third-party apps.
- Assistance implementing the recommendations outlined by Salesforce to tackle this risk and secure your environments.
Vishing attacks via malicious connected apps are rapidly escalating, impacting leading global companies. DigitSec offers the pre-emptive layer of defense you can’t afford to skip. Let’s connect to secure your Salesforce and stay ahead of the next wave.