
In 2025, the Salesforce hack affected many organizations that use Salesforce (a popular customer relationship management platform). Even though the platform itself was not compromised through a direct software flaw, attackers abused the “plumbing” of how these systems connect to each other. The result: large amounts of data stolen, vendor chains exposed, and ripple effects that can affect businesses and individuals, even those who never log in to Salesforce.
What is Salesforce anyway?
Salesforce is a cloud-based software system used by both businesses and government agencies to manage things like:
- Customer contact information
- Sales leads and deals
- Support tickets and service cases
- Marketing and outreach lists
Because it stores lots of personal, business, and workflow data, it is a high-value target.
Private-sector companies (retailers, service firms, software companies) use Salesforce to track customers and sales. Public-sector organisations may use it to track citizens, manage permits, case work, and constituent services. Because of this wide use, a breach in one organisation can affect many people.
What happened in the Salesforce Hack?
Here is a simplified breakdown of the Salesforce hack:
- The attackers did not exploit a bug in Salesforce’s core system. Instead, they used compromised integrations (third-party apps connected to Salesforce) and stolen tokens (see below) to gain access.
- Specifically, a popular integration between Salesforce and another vendor (via the Drift/Salesloft app) had its connection tokens stolen. That allowed the attackers to log into many Salesforce customer accounts as if they were legitimate users.
- Once inside, the attackers exported significant volumes of data (accounts, contacts, cases, users) and searched through them for secrets (cloud credentials, API keys, passwords) that could be used for further attacks.
- Because these tokens worked like “already-logged-in” credentials, the attackers could bypass many regular security prompts (such as passwords and multi-factor authentication).
What is an “OAuth token” and why does it matter?
Since that term comes up in the Salesforce hack, here’s a plain-language explanation:
- OAuth (Open Authorization) is a standard that allows one application to be granted permission to act on behalf of a user in another system, without requiring the user’s password.
- For example, you use a photo app and click “Sign in with Google” or “Connect to Facebook”—that is often powered by OAuth. The app gets a special “token” that says, “Yes, this app has your permission to access certain data.”
- An OAuth token is like a gate pass. It tells the system, “this app is allowed to do X on behalf of a user.” Once issued, the token can be used repeatedly until it expires or is revoked.
- If an attacker steals a valid OAuth token, they essentially have the same rights as the app that was granted permission — they don’t need the user’s password. Typical security checks (like asking for a second factor) may not trigger. In the Salesforce hack, that is precisely how access was gained at scale.
- Because many integrations are long-lived (they’re set up once and run for months or years), the stolen token often gave “persistent access” until it was noticed and revoked.
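The “gate pass” behaviour described above is easiest to see in code. The following is an added example, not code from the original article or from Salesforce or Salesloft: a toy resource server whose `authorize()` check is deliberately typical of bearer-token systems. It never asks who is presenting the token, only whether the token is known, unexpired, unrevoked and carries the requested scope. The client name, user, scope names and lifetimes are all constructed for illustration.

```python
"""Toy resource server showing why a stolen OAuth bearer token is dangerous.

Added example; not from the original article, Salesforce or Salesloft.
Token format, scope names, client/user names and the in-memory store are all assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class IssuedToken:
    client_id: str        # the connected app the token was issued to
    user_id: str          # the user who approved the grant
    scopes: frozenset     # what the app may do on that user's behalf
    expires_at: datetime
    revoked: bool = False


@dataclass
class ResourceServer:
    tokens: dict = field(default_factory=dict)

    def issue(self, client_id, user_id, scopes, lifetime):
        # The user authenticates (password, MFA) ONCE, here, at grant time.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = IssuedToken(
            client_id, user_id, frozenset(scopes),
            datetime.now(timezone.utc) + lifetime,
        )
        return token

    def authorize(self, bearer, scope, now=None):
        """Return (allowed, reason). Nothing here checks WHO presents the token."""
        now = now or datetime.now(timezone.utc)
        meta = self.tokens.get(bearer)
        if meta is None:
            return False, "unknown token"
        if meta.revoked:
            return False, "revoked"
        if now >= meta.expires_at:
            return False, "expired"
        if scope not in meta.scopes:
            return False, f"scope {scope!r} not granted"
        return True, f"acting as {meta.user_id} via {meta.client_id}"

    def revoke_client(self, client_id):
        """Revoke every token issued to one connected app; returns how many were revoked."""
        n = 0
        for meta in self.tokens.values():
            if meta.client_id == client_id and not meta.revoked:
                meta.revoked = True
                n += 1
        return n


def demo():
    """Grant, misuse of a copied token, expiry and revocation; returns each outcome."""
    srv = ResourceServer()
    # alice approves the app once; this is the only point where her password/MFA matter.
    tok = srv.issue("chat-integration", "alice@example.com",
                    {"api", "read:contacts"}, timedelta(days=365))
    legit = srv.authorize(tok, "read:contacts")
    # Whoever copied the token string presents the same bytes: no password, no MFA prompt.
    stolen = srv.authorize(tok, "read:contacts")
    # Least privilege still holds: a scope that was never granted is refused.
    too_broad = srv.authorize(tok, "export:all")
    # A long lifetime means the token stays valid for a long time unless revoked.
    later = datetime.now(timezone.utc) + timedelta(days=400)
    expired = srv.authorize(tok, "read:contacts", now=later)
    # Revoking the connected app's tokens is what closes the door immediately.
    n = srv.revoke_client("chat-integration")
    after_revoke = srv.authorize(tok, "read:contacts")
    return {"legit": legit, "stolen": stolen, "too_broad": too_broad,
            "expired": expired, "revoked_count": n, "after_revoke": after_revoke}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>14}: {outcome}")
```

The `legit` and `stolen` results are identical because the server cannot tell them apart; that is the whole problem. What does limit the damage is visible in the last three results: scopes that were never granted are refused, expiry eventually ends access, and revocation ends it at once. Short lifetimes and narrow scopes shrink the window and the reach of any token that leaks.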
How you could be impacted by the Salesforce hack even if your organization doesn’t use it
You might think, “But we don’t use Salesforce, so we’re safe.” That’s not necessarily the case. Here’s why you may still be affected:
- Your vendor or partner uses Salesforce. If a company you do business with stores your data (contact details, invoices, support records) in Salesforce, and they got breached, your data might be part of the exposed set.
- Third-party integrations ripple outward. The attack was enabled via a third-party app (Drift/Salesloft) used by Salesforce customers. If you work with a company that uses Salesforce alongside other systems (cloud services, marketing tools, support tools), a breach at one link could affect your downstream systems.
- Credentials or secrets you use may have been stored in a compromised environment. It’s common (though not ideal) for companies to store internal credentials, cloud keys, or API tokens in CRM systems for convenience. If those systems were accessed, the attacker could leverage those to reach more systems—including systems you interact with indirectly.
- Phishing & fraud risk increases. Even if your organisation’s direct systems were unaffected, stolen contact data (emails, phone numbers) can be used by criminals to launch convincingly targeted phishing, spoofed support calls, or voice-phishing (vishing) campaigns against your staff, customers, or vendors.
How can you check whether you might be affected?
Here are steps you or your organisation can take to find out whether this hack touches you:
- Ask your vendors/partners. Reach out to any organisation you deal with (suppliers, service providers, cloud-partners) and ask:
  - Do you use Salesforce (or integrate with it)?
  - Have you received any breach notification related to Salesforce or the Salesloft/Drift integration?
  - Have you reviewed your connected apps and tokens recently?
- Check for notifications. Organisations affected by the breach have been publicly disclosing or issuing alerts. Look for any vendor notices or public statements relevant to your supply chain.
- Monitor for unusual activity. Keep an eye out internally for unusual login attempts, mass data downloads (if you have access), new connected apps being added, or large transfers from systems you engage with.
- Check your own contact data. You can use free services (like “Have I Been Pwned?”) to see whether your email addresses or domain have appeared in known leaks. If they have, treat it as a red flag.
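The “monitor for unusual activity” step above maps onto three concrete signals: one integration pulling far more rows than usual, a connected app being newly authorised, and an integration logging in from a source it has never used before. The following is an added example, not code or log data from the original article or from Salesforce; the JSON event format, field names, client names, row counts and IP addresses are all constructed to show the detection logic, and a real deployment would feed it from whatever audit or event log the CRM actually produces.

```python
"""Flag bulk exports, new connected apps and unfamiliar login sources in audit events.

Added example; not from the original article or Salesforce. The event format,
field names, client names, counts and addresses below are constructed sample data.
"""
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line (not real Salesforce logs).
SAMPLE_EVENTS = [
    '{"ts":"2025-08-10T02:01:00Z","type":"API_QUERY","client":"chat-integration","user":"svc-chat","object":"Contact","rows":50}',
    '{"ts":"2025-08-10T02:02:00Z","type":"API_QUERY","client":"chat-integration","user":"svc-chat","object":"Account","rows":120000}',
    '{"ts":"2025-08-10T02:03:00Z","type":"API_QUERY","client":"chat-integration","user":"svc-chat","object":"Case","rows":85000}',
    '{"ts":"2025-08-10T02:04:00Z","type":"API_QUERY","client":"chat-integration","user":"svc-chat","object":"User","rows":4000}',
    '{"ts":"2025-08-10T09:15:00Z","type":"API_QUERY","client":"billing-sync","user":"svc-billing","object":"Account","rows":300}',
    '{"ts":"2025-08-10T09:20:00Z","type":"CONNECTED_APP_ADDED","client":"new-export-tool","user":"admin@example.com"}',
    '{"ts":"2025-08-10T09:21:00Z","type":"API_LOGIN","client":"chat-integration","user":"svc-chat","ip":"198.51.100.77"}',
    '{"ts":"2025-08-10T09:30:00Z","type":"API_LOGIN","client":"billing-sync","user":"svc-billing","ip":"192.0.2.10"}',
]

# Baseline (constructed): the source addresses each integration is normally seen from.
KNOWN_SOURCES = {
    "chat-integration": {"203.0.113.5"},
    "billing-sync": {"192.0.2.10"},
}
ROW_THRESHOLD = 100_000                      # rows per client per day before we call it a bulk export
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "User"}   # the object types named in the article


def detect(lines, known_sources=KNOWN_SOURCES, row_threshold=ROW_THRESHOLD):
    """Return a list of (finding_type, client, detail) tuples for the given event lines."""
    rows_by_client = defaultdict(int)
    objects_by_client = defaultdict(set)
    findings = []
    for line in lines:
        ev = json.loads(line)
        kind = ev["type"]
        if kind == "API_QUERY":
            # Accumulate per-client volume; single queries look harmless, the total does not.
            rows_by_client[ev["client"]] += ev["rows"]
            if ev["object"] in SENSITIVE_OBJECTS:
                objects_by_client[ev["client"]].add(ev["object"])
        elif kind == "CONNECTED_APP_ADDED":
            # Any new grant deserves a human look: who approved it and when.
            findings.append(("new_connected_app", ev["client"],
                             f"authorized by {ev['user']} at {ev['ts']}"))
        elif kind == "API_LOGIN":
            # A stolen token used from infrastructure the integration never used before.
            if ev["ip"] not in known_sources.get(ev["client"], set()):
                findings.append(("unfamiliar_source", ev["client"],
                                 f"login from {ev['ip']} at {ev['ts']}"))
    for client, total in rows_by_client.items():
        if total > row_threshold:
            objs = ", ".join(sorted(objects_by_client[client]))
            findings.append(("bulk_export", client, f"{total} rows across {objs}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running this over the sample produces three findings: the chat integration's overnight pulls add up to a bulk export of all four sensitive object types, a new connected app was authorised, and the same integration then logged in from an address outside its baseline. The billing integration, which stays within volume and comes from a known address, produces nothing. The thresholds and baselines are the tuning knobs; the point is to correlate by connected app rather than by individual request.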
What you should do (or ask your vendors to do)
- Review which third-party apps are connected to key business systems (especially CRM, marketing tools, cloud services).
- Revoke and rotate tokens, credentials, and API keys, especially if they may have been stored in or managed from compromised systems.
- Use multi-factor authentication (MFA) everywhere possible. Although this token attack bypassed traditional MFA, having MFA is still better than nothing.
- Limit the permissions of connected apps: only grant the minimum access each one needs to do its job.
- Educate staff and partners about phishing and social-engineering risks. Attackers often use stolen data to craft very convincing scams.
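The first four recommendations above (review connected apps, revoke and rotate, and limit permissions) can be turned into a repeatable review of a connected-app inventory. The following is an added example, not code from the original article or from Salesforce: given a list of connected apps with the scopes they were granted, the scopes they actually need, and their token issue and last-use dates, it produces a list of revoke, rotate and reduce-scope actions. The inventory, app names, dates and thresholds are constructed; the scope names are illustrative and a real review would use the exact scope names of the platform being audited.

```python
"""Turn a connected-app inventory into revoke / rotate / reduce-scope actions.

Added example; not from the original article or Salesforce. The inventory below,
including app names, scope names, dates and thresholds, is constructed for illustration.
"""
from datetime import date

# Constructed inventory: what each app was granted vs. what it needs, and token dates.
CONNECTED_APPS = [
    {"name": "chat-integration", "granted": {"full", "refresh_token"}, "needs": {"api", "chatter_api"},
     "token_issued": date(2024, 1, 15), "last_used": date(2025, 8, 9)},
    {"name": "billing-sync", "granted": {"api", "refresh_token"}, "needs": {"api", "refresh_token"},
     "token_issued": date(2025, 6, 1), "last_used": date(2025, 8, 10)},
    {"name": "old-survey-tool", "granted": {"api", "web"}, "needs": {"api"},
     "token_issued": date(2023, 3, 2), "last_used": date(2024, 11, 30)},
]

BROAD_SCOPES = {"full", "web"}   # illustrative: scopes that grant far more than an integration needs
MAX_TOKEN_AGE_DAYS = 180         # rotate anything older than this, compromised or not
STALE_AFTER_DAYS = 90            # an app nobody has used for this long should simply be revoked
REVIEW_DATE = date(2025, 9, 1)   # the day the review is run (constructed)


def review(apps, today=REVIEW_DATE):
    """Return a list of (app_name, action, reason) tuples for the given inventory."""
    actions = []
    for app in apps:
        name = app["name"]
        idle_days = (today - app["last_used"]).days
        token_age = (today - app["token_issued"]).days
        excess = app["granted"] - app["needs"]

        # Unused integrations are pure risk: revoke and stop there.
        if idle_days > STALE_AFTER_DAYS:
            actions.append((name, "revoke", f"unused for {idle_days} days"))
            continue

        # Least privilege: call out broad scopes first, then any other excess.
        if excess & BROAD_SCOPES:
            actions.append((name, "reduce_scope",
                            f"broad scopes granted: {sorted(excess & BROAD_SCOPES)}"))
        elif excess:
            actions.append((name, "reduce_scope", f"excess scopes: {sorted(excess)}"))

        # Long-lived tokens are exactly what made the stolen ones so useful.
        if token_age > MAX_TOKEN_AGE_DAYS:
            actions.append((name, "rotate", f"token is {token_age} days old"))
    return actions


if __name__ == "__main__":
    for name, action, reason in review(CONNECTED_APPS):
        print(f"{name:<18} {action:<13} {reason}")
```

On the constructed inventory this yields three actions: the chat integration holds a broad scope it does not need and a token well past the rotation age, and the survey tool has not been used in months and should be revoked outright. The billing integration needs nothing, because its scopes match its needs and its token is recent. The same review, run on a schedule, is how "review which third-party apps are connected" becomes an ongoing control rather than a one-off.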
The Salesforce-related hack shows how trust and connectivity in modern business systems can become vulnerabilities. Even if you never log into Salesforce, your data, your vendors, or your business processes might still be affected by what happens upstream in the software chain. The critical takeaway: ask the questions, check your connections, and treat your application, integration, and token supply chain as part of your risk landscape.
Commonwealth Sentinel will help you face your organization’s growing cyber security threats. We can assess your existing IT security and collaborate with your team to safeguard your data and assets. At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things. Contact us today or sign up for a free consultation.
