Another Salesforce Data Breach? Farmers Insurance Hack Affects 1.1M Customers 

By Henry Martin

Farmers Insurance has disclosed a data breach that has impacted 1.1M customers – with the attack reportedly linked to the ongoing Salesforce customer social engineering campaign. 

The company said that its investigation found that the names, addresses, dates of birth, driver’s license numbers, and/or last four digits of Social Security numbers of customers were stolen in the incident, according to BleepingComputer.

At the time of writing, 4.37AM EST (9.37AM UK time), the US-based insurance giant’s website, farmers.com, was unavailable, but reports say the company had disclosed the incident in an advisory saying that its database at a third-party vendor had been breached on May 29, 2025. 

The name of the third-party vendor was not disclosed, but BleepingComputer is linking the incident to the widespread Salesforce data theft attacks, which have affected a number of big-name businesses.

The well-known hacking group ShinyHunters, aka UNC6240, has been said to be behind the wave of social engineering attacks. Many businesses affected by incidents that bear the hallmarks of the campaign do not name Salesforce directly, instead opting for phrasing like “third-party CRM”. Subsequent reporting often reveals the incidents to be Salesforce-related, though the cloud giant has said that its own platform has not been compromised. 

SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.
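As an added illustration of the audit described above (not code from Salesforce Ben or Salesforce), the following script flags OAuth grants for connected apps that are either not on an approved list or have gone unused for 90 days. It assumes the field names of the Salesforce `OauthToken` object (`AppName`, `UserId`, `LastUsedDate`, `UseCount`) and uses constructed sample rows in place of a real SOQL export.

```python
from datetime import datetime, timedelta, timezone

# SOQL that would pull the grants to review; field names are assumed to match
# Salesforce's OauthToken object (verify against your org's object reference).
AUDIT_QUERY = "SELECT AppName, UserId, LastUsedDate, UseCount FROM OauthToken"

# Constructed sample rows standing in for the query result above.
SAMPLE_TOKENS = [
    {"AppName": "Salesforce Data Loader", "UserId": "005AAA000000001",
     "LastUsedDate": "2025-08-20T10:00:00Z", "UseCount": 120},
    # Look-alike name that is not on the allowlist: origin must be identified.
    {"AppName": "Data Loader", "UserId": "005AAA000000002",
     "LastUsedDate": "2025-08-19T08:15:00Z", "UseCount": 2},
    # Approved app, but the grant has not been used for months.
    {"AppName": "Marketing Sync", "UserId": "005AAA000000003",
     "LastUsedDate": "2024-11-01T09:00:00Z", "UseCount": 30},
]

# Allowlist an admin maintains after identifying the origin of each app.
APPROVED_APPS = {"Salesforce Data Loader", "Marketing Sync"}

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) live.
NOW = datetime(2025, 8, 25, tzinfo=timezone.utc)


def parse_sf_datetime(value):
    """Parse the ISO-8601 UTC timestamps Salesforce returns (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_tokens(tokens, approved, now=NOW, stale_days=90):
    """Return one finding per grant that is unknown and/or stale."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for token in tokens:
        reasons = []
        if token["AppName"] not in approved:
            reasons.append("app not on allowlist: identify origin or revoke")
        if parse_sf_datetime(token["LastUsedDate"]) < cutoff:
            reasons.append(f"unused for more than {stale_days} days: revoke")
        if reasons:
            findings.append({"AppName": token["AppName"],
                             "UserId": token["UserId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_TOKENS, APPROVED_APPS):
        print(finding["AppName"], finding["UserId"], "; ".join(finding["reasons"]))
```

Revoking a flagged grant and restricting who may authorize new connected apps is still done in Setup; this script only produces the review list.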

Farmers Insurance Hacked

Data Breach Notifications, shared with the Maine Attorney General’s Office, reveal that more than 1.1M customers have been impacted by the Farmers Insurance incident. 

Farmers Insurance, which provides home, life, and car insurance, reportedly said in its data breach notification: “On May 30, 2025, one of Farmers’ third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor’s databases containing Farmers’ customer information (the “Incident”).

“The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities.”

The company, which operates through a network of subsidiaries, serves more than 10M households across the United States. 

Salesforce Data Theft Campaign

While details of the precise nature of the Farmers Insurance incident are currently scarce, as it has only just been revealed, an “unauthorized actor” accessing a database containing customer information appears to point towards the ongoing Salesforce social engineering attacks. 

Adidas, Chanel, Google, and Workday are reported to be among those targeted in the campaign. 

In an advisory statement published on August 7, Salesforce stressed that its own platform had not been compromised, and the issue was “not due to any known vulnerability” in its technology.

Nearly two weeks later, Salesforce Ben reported how the cloud giant was strengthening security measures around the use of connected apps. These appeared to be direct countermeasures against the social engineering attacks, which involve victims downloading a malicious replica of Data Loader.

In a blog post titled ‘Prepare for Connected App Usage Restrictions Change’, published on August 18, Salesforce said it would be restricting the use of “uninstalled connected apps”, blocking end users from using them. 

The update will prevent non-admin users from authorizing newly uninstalled connected apps.

As we wrote when the new countermeasures were revealed: “Salesforce has made clear that their own platform is not the issue, but nonetheless it is their customers who are being targeted in these attacks, so it makes sense they are taking measures to protect them. 

“These mitigations are welcome. But this doesn’t change any of the exposure to phishing or social engineering. Should an admin – or any user with necessary permissions – be convinced by an external actor to enter their credentials and authorize a connected application, the fundamental risk is no different, so admins and org owners should be trained to look for these attacks going forward.”

A spokesperson told Salesforce Ben: “At Farmers®, protecting our customers’ information is our top priority. We recently discovered that an unauthorized third party briefly accessed a vendor’s system that contained some Farmers’ customer information. The incident involved only limited information from certain customers. An investigation conducted with both internal and external security experts found no evidence that the exposed data has been misused, nor any indication that Farmers’ own systems were compromised. We are contacting affected individuals directly and are providing support resources, including complimentary credit monitoring.”

Final Thoughts 

The ongoing campaign of data theft incidents is hardly encouraging news for those of us in the Salesforce ecosystem. 

The cloud giant appears to be doing all it can to strengthen security amid the breaches, but, from what we know so far, the social engineering incidents are succeeding primarily because of human error, not any particular vulnerability in the Salesforce platform, so there’s only so much the mothership can do to help.

Stay tuned to Salesforce Ben for more news about the social engineering campaign. 

The Author

Henry Martin

Henry is a Tech Reporter at Salesforce Ben.