Mass Salesforce Hacks: How Criminals Are Targeting the Cloud Supply Chain

A wave of coordinated cyberattacks has hit Salesforce customers across industries and continents, compromising millions of records from some of the world’s most recognized brands — including Google, Allianz Life, Qantas, LVMH, and even government agencies. 

In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down how the attackers pulled off one of the most sweeping cloud compromise campaigns in recent memory — using no zero-day exploits, just convincing phone calls, malicious connected apps, and gaps in cloud supply chain security. 

We’ll explore the attack timeline, parallels to the Snowflake breaches, ties to the Scattered Spider crew, and the lessons security leaders need to act on right now. 

 

Key Takeaways 

1. Use phishing-resistant MFA — FIDO2 keys, passkeys. 

1. Train for vishing resistance — simulate phone-based social engineering. 

1. Monitor for abnormal data exports from SaaS platforms. 

1. Lockdown your Salesforce platform — vet and limit connected apps. 

1. Rehearse rapid containment — revoke OAuth tokens, disable accounts fast. 

 

References 

• Google - The Cost of a Call: From Voice Phishing to Data Extortion  

• Salesforce – Protect Your Salesforce Environment from Social Engineering Threats 

• BleepingComputer – ShinyHunters behind Salesforce data theft at Qantas, Allianz Life, LVMH 

• TechRadar – Google says hackers stole some of its data following Salesforce breach 

• LMG Security Blog – Our Q3 2024 Top Control is Third Party Risk Management: Lessons from the CrowdStrike Outage