There have been a significant number of breaches involving Salesforce customer data within the past twelve months, with millions of records and a long list of customers affected.
With customers like Grubhub, Loblaw, and Hallmark having been under attack earlier this year, the threat actors behind these breaches have made it clear that more is to come. It is evident that Salesforce customers have a security problem or two on their hands, but what do they need to do about it, and how can Salesforce help?
The Attacks That Keep Coming
In 2025, there were more than a dozen high-impact data breaches, with millions of customer records at risk or exposed. These records contained varying amounts of valuable data, including names, addresses, credit card numbers, and phone numbers.
Some of the most notable companies affected include Qantas, Chanel, Pandora, and even Google.
In the first few months of 2026, the breaches did not stall: the earliest reported breach took place in the second week of January, with US-based food delivery platform Grubhub as the victim.
Since then, Odido, Loblaw, Axios, Hallmark, and more have been affected by Salesforce-related data breaches, and the group behind most of them, ShinyHunters, has warned that the worst may be yet to come.
With the clear message of “pay up or become the next headline”, ShinyHunters has been sending ransom demands to companies whose data it holds, and a report from Google Threat Intelligence in February outlined how the threat actors are now expanding to more cloud platforms and more sensitive data types.
Human Error Strikes Again
During this particular string of attacks, Salesforce has consistently claimed no fault. These breaches, according to the company, are not down to any “known vulnerability in [its] technology.”
Instead, these attacks have seemingly largely been due to overly permissive user and org settings, and, unfortunately, old-fashioned human error.
Voice phishing (vishing) has been used in a large number of attacks, with callers encouraging staff at Salesforce customers to install malicious apps or hand over credentials and other sensitive information over the phone. Believing that the callers were who they said they were, combined with a lack of appropriate internal security measures, created the perfect storm. Without knowing it, Salesforce customers were handing access to hacker groups – almost letting them in right through an open door.
Is Salesforce at Fault at All?
Although Salesforce does not directly comment on individual customer issues like these breaches, it has consistently insisted that they have not been a result of security vulnerabilities within the platform itself.
Ensuring appropriate security measures are followed is a mutual responsibility between Salesforce and its customers; this is something that is outlined in the Shared Responsibility Model. Essentially, Salesforce secures the infrastructure, while customers are responsible for protecting their own data, configurations, and access rights.
However, Salesforce has not been immune to criticism surrounding its security practices and decisions, with users and customers alike voicing concerns about measures brought in too late or a lack of emphasis on org security best practices.
“I’ve always felt like there has been a lack of emphasis and a lack of transparency with security and cybersecurity in Salesforce,” said Travis Dykstra, a Senior Salesforce Business Analyst. “Mandating MFA – that’s great. They were about five years late with that.
“There should be more of a security emphasis on identity access management, networking security, firewalling – I mean, that’s easily a third of the domain of knowledge in AWS, right? That’s what we need in Salesforce.”
When I asked Matt Meyers, a Salesforce security professional, whether or not he believed Salesforce offered enough support or guidance in this area, his answer was a resounding “no”.
“I don’t think there is enough,” he said. “Salesforce has been doing a lot to secure things now, but at the same time, they’re still pushing the messaging of ‘oh, we have the Trust Layer, it’s going to take care of everything for you.’ It doesn’t work like that.”
What Needs to Be Fixed?
So, with more hacks likely on the way, and threat actors growing more confident in their abilities, Salesforce customers – and Salesforce – find themselves at crunch time. Salesforce has already done part of the work; the rest has to be carried out by customers and partners, and in some cases should already have been.
Earlier this year, Salesforce sent emails to ISVs detailing a set of new requirements that had to be met by April 13, covering OAuth token handling and Connected App access.
This included:
- Requiring code changes to generate and validate PKCE (Proof Key for Code Exchange) parameters to eliminate authorization code interception attacks.
- Requiring code changes to store and use the new refresh token returned by each token exchange (refresh token rotation), rather than reusing the original one indefinitely.
- Requiring code changes to manage frequent rotation or implement Heartbeat services for infrequent integrations.
- Requiring ISVs to adopt static IP ranges and submit allowlist requests via Salesforce Support.
- Requiring monitoring for suspicious activity in ISV environments; no code changes required, but alerts should be reviewed regularly.
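The first two items above are the ones that actually change integration code, so here is what they look like in practice. This is an added example, not code from Salesforce or from any ISV: the PKCE functions follow RFC 7636 (S256 method) and can be used as-is on either side of the exchange, while `MockTokenEndpoint` and `IntegrationClient` are constructed stand-ins for Salesforce's token endpoint and an ISV's integration, written only to show why an integration that keeps using its original refresh token breaks once rotation is enforced.

```python
"""PKCE (RFC 7636) generation/verification and refresh-token rotation.
MockTokenEndpoint is a constructed authorization server, not Salesforce's."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: (code_verifier, code_challenge) for the S256 method.
    48 random bytes -> 64 unreserved characters, within the 43..128 range."""
    verifier = b64url(secrets.token_bytes(48))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Server side, at the token endpoint: does the verifier sent with the
    authorization code match the challenge registered at /authorize?
    Only S256 is accepted; 'plain' gives no protection against interception."""
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


class MockTokenEndpoint:
    """Constructed authorization server: every refresh returns a NEW refresh
    token and retires the old one. Replay of a retired token revokes the whole
    grant, which is what turns a stolen refresh token into a detectable event."""

    def __init__(self) -> None:
        self._active: dict[str, str] = {}   # refresh_token -> grant id
        self._retired: dict[str, str] = {}  # rotated-out refresh_token -> grant id
        self._revoked: set[str] = set()

    def issue_grant(self) -> dict:
        return self._mint(secrets.token_hex(8))

    def _mint(self, grant: str) -> dict:
        rt = "rt_" + secrets.token_urlsafe(16)
        self._active[rt] = grant
        return {"access_token": "at_" + secrets.token_urlsafe(16),
                "refresh_token": rt, "grant": grant}

    def refresh(self, refresh_token: str) -> dict:
        if refresh_token in self._retired:
            # A token that was already exchanged is being replayed: treat as compromise.
            self._revoked.add(self._retired[refresh_token])
            raise PermissionError("refresh token reuse detected; grant revoked")
        grant = self._active.pop(refresh_token, None)
        if grant is None or grant in self._revoked:
            raise PermissionError("invalid_grant")
        self._retired[refresh_token] = grant
        return self._mint(grant)


class IntegrationClient:
    """ISV-side integration (hypothetical). store_new_token=False models the
    old habit of persisting the first refresh token forever."""

    def __init__(self, endpoint: MockTokenEndpoint, store_new_token: bool = True) -> None:
        self.endpoint = endpoint
        self.store_new_token = store_new_token
        tokens = endpoint.issue_grant()
        self.refresh_token = tokens["refresh_token"]  # the persisted credential

    def get_access_token(self) -> str:
        tokens = self.endpoint.refresh(self.refresh_token)
        if self.store_new_token:
            self.refresh_token = tokens["refresh_token"]  # required after each exchange
        return tokens["access_token"]


def demo() -> dict:
    """Exercise both pieces and return the outcomes for inspection."""
    verifier, challenge = make_pkce_pair()
    other_verifier, _ = make_pkce_pair()
    pkce_ok = verify_pkce(verifier, challenge)        # genuine client
    pkce_wrong = verify_pkce(other_verifier, challenge)  # intercepted code, wrong verifier

    good = IntegrationClient(MockTokenEndpoint(), store_new_token=True)
    good_calls = len([good.get_access_token() for _ in range(3)])

    bad = IntegrationClient(MockTokenEndpoint(), store_new_token=False)
    bad.get_access_token()              # first refresh works and rotates the token
    try:
        bad.get_access_token()          # replays the retired token
        bad_second = "unexpected success"
    except PermissionError as exc:
        bad_second = str(exc)
    return {"pkce_ok": pkce_ok, "pkce_wrong": pkce_wrong,
            "good_calls": good_calls, "bad_second": bad_second}


if __name__ == "__main__":
    print(demo())
```

The point Stefaniak makes below holds here: none of this is hard to write, but it has to be wired into the persistence layer. An integration that refreshes from a config file it never rewrites will work exactly once after rotation is enforced and then lock itself out, or, worse, trip the reuse detection and revoke the grant.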
Jakub Stefaniak, the Field CTO at Aquiva Labs, told me that he was unsure whether ISVs would actually be able to implement these changes in time.
“If you have your own development team, you can do it because the technique isn’t very complex,” he said. “But if you don’t have the developers, it’s going to be a huge problem.”
If not every ISV has been able to implement these changes in time, we will likely see the aftermath in the coming months.
Aside from that, these breaches also throw into question the kind of org structure that Salesforce delivers to its customers. At present, in most cases, customers add necessary restrictions, permissions, and guardrails to their orgs as they go along, depending on their security and access needs.
However, in light of these ongoing issues, could it be worth turning that practice on its head and instead giving customers tightly restricted orgs to open up as necessary? It is definitely something to consider.
Preparing for the Agentic Enterprise
If the risk of becoming the next breach victim wasn’t enough of a push to get on top of security measures, then securing your org ahead of implementing artificial intelligence should be.
AI – and Agentforce – is now officially being adopted. It is not just a pipe dream anymore, and business leaders are actively working through or considering AI strategies to scale.
However, something as powerful as AI in your org brings its own unique set of challenges and responsibilities. Last year, an IBM report revealed that 13% of organizations reported breaches of AI models or applications, and 97% of those reported lacking proper AI access controls. Not only that, but only 49% of breached organizations said they planned to invest in security.
At the True to the Core Agentforce Deep Dive session at TrailblazerDX last week, I asked John Kucera, Salesforce’s SVP of Product Management, and his team whether they believed current and prospective Agentforce customers were really ready to implement the technology with the right level of security knowledge. The indication appeared to be that more learning could be done and more guidance could be given.
“There’s only one possible answer,” John said. “There’s never a finish line in security and trust, and there’s always more that Salesforce and its customers can do in order to have trusted, secure experiences.
“I think that there’s more that we need to do. There’s more education I’m sure we need to provide. Risks show up with every incremental enhancement, every new model, new framework, and new attack model.”
Final Thoughts
The most important thing to remember when it comes to any form of tech security is that it is a long game. There is always more to action, more to monitor, and more to tweak. Orgs are not secured overnight, and it is a business’s responsibility to make sure they are on top of the work.
Some Salesforce customers do indeed have a security problem, and it could be argued that Salesforce needs to do more on its end to educate its customers and its users. Either way, keeping in mind that org protection is a constant practice is key and will continue to be going forward.