
Salesforce Vishing Campaign 2025:
What You Need to Know

Throughout 2025, attackers from ShinyHunters and Scattered Spider tricked customer-support staff at dozens of Salesforce customer companies into resetting MFA tokens, gaining access to CRM data, support cases and embedded credentials. The aggregate impact across all victims is estimated at over one billion records.

Campaign peak: Q2 to Q3 2025
Aggregate records: ~1 billion
Risk level: High


What Happened

How the Salesforce Vishing Campaign Unfolded

Early 2025

Operators linked to ShinyHunters and Scattered Spider begin a coordinated vishing (voice phishing) campaign targeting customer-support and helpdesk staff at major Salesforce customer companies, typically impersonating an internal employee with an urgent need to reset multi-factor authentication.

April to June 2025

First confirmed victims emerge across aviation, retail, insurance and HR-SaaS sectors. Stolen Salesforce tenant data is published on leak sites or used to extort the affected companies.

2 July 2025

Qantas publicly discloses its Salesforce-tenant compromise linked to this campaign, affecting approximately 5.7 million customer records.

Qantas was an early high-profile disclosure that helped researchers connect previously isolated incidents into a single coordinated campaign.

16 July 2025

Allianz Life confirms approximately 2.8 million records stolen via the same vishing-and-MFA-reset pattern.

August 2025

Workday, Cloudflare, and dozens of other companies disclose related incidents. Salesforce publishes hardening guidance for customer administrators, including stricter helpdesk identity-verification requirements.

Q3 to Q4 2025

The operation continues with new victims surfacing across multiple sectors. Aggregate impact across all known victims is estimated at over one billion records.

Sources: Salesforce Ben campaign roundup, Google Cloud Threat Intelligence

What Was Exposed

Personal Data Leaked Across Victim Tenants

The exact dataset varies per victim because each company holds different fields in its own Salesforce tenant. The list below describes the common pattern observed across publicly disclosed victims: customer and employee contact records, support case contents, and account metadata.

Data Type                 | Risk Level | Who Was Affected
Full name                 | High       | Customer and employee contacts from victim CRMs
Email address             | High       | Customer and employee contacts from victim CRMs
Phone number              | High       | Customer and employee contacts from victim CRMs
Business contact data     | Medium     | Job titles, employer, account ownership data
Support case contents     | Medium     | Including any embedded credentials, API keys, or secrets
Customer account metadata | Low        | Opportunity stage, plan tier, internal notes

Risk levels are based on the OAIC guidance "What is personal information?" and the OAIC Australian Privacy Principles. Identity-linked data (name, email, phone) is rated higher because of its use in targeted phishing and social engineering.

✅ Confirmed NOT Exposed

Salesforce's core multi-tenant infrastructure was not breached. Passwords are stored hashed at Salesforce and were not in the stolen dataset. The attackers obtained legitimate authenticated sessions through social engineering of helpdesk staff rather than through credential theft or a platform-level vulnerability.

Company Response

What Salesforce Did

“The Salesforce platform was not compromised. These incidents involved social engineering of customer personnel to obtain valid credentials, and they affect only the customer tenants involved.”
Salesforce security advisory, 2025

Actions Taken by Salesforce

  • Published hardening guidance for customer administrators, including phishing-resistant MFA enforcement
  • Introduced stricter helpdesk identity-verification requirements for customer tenants
  • Expanded security operations centre (SOC) capabilities and detection rules for anomalous tenant access
  • Coordinated with law enforcement on attribution and investigation
  • Notified affected customer admin contacts and provided incident-response support
  • Recommended customers audit support case contents for any embedded credentials, API keys or secrets and rotate them

What Now?

Steps You Can Take After the Salesforce Campaign

The combination of name, email, phone number and business context from a CRM record gives attackers everything they need to craft very convincing targeted phishing and vishing follow-ups. The steps below are organised by the kinds of accounts and habits most relevant to this campaign.

Salesforce Customer and SaaS B2B Accounts

If you administer or use a Salesforce tenant (or any connected B2B SaaS), review access carefully.

Audit recent support-case access in your Salesforce tenant

~30 min
Administrators should review login history, recent support case access, and any newly enrolled MFA devices for the past 90 days. Pay particular attention to logins immediately following a helpdesk-initiated MFA reset. Rotate any credentials, API keys or secrets that may have been pasted into support cases.
Salesforce admin login history
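The audit step above, as an added example that is not part of the original page: it correlates helpdesk-initiated MFA resets with logins that follow within a short window, and scans support case text for embedded secrets that need rotation. The records, field names and secret patterns are constructed for illustration (assumptions), standing in for exported login-history, setup-audit and case data rather than any Salesforce API.

```python
"""Offline triage of exported tenant records after a helpdesk MFA reset.
All sample data below is constructed; field names are assumptions, not
Salesforce's own schema."""
import re
from datetime import datetime, timedelta

# Constructed: helpdesk MFA resets (setup-audit style rows)
MFA_RESETS = [
    {"user": "alice@example.com", "at": "2025-06-12T09:02:00", "by": "helpdesk1"},
    {"user": "bob@example.com", "at": "2025-06-12T13:40:00", "by": "helpdesk2"},
]
# Constructed: user logins (login-history style rows)
LOGINS = [
    {"user": "alice@example.com", "at": "2025-06-12T09:11:00", "ip": "203.0.113.7"},
    {"user": "alice@example.com", "at": "2025-06-13T08:00:00", "ip": "198.51.100.4"},
    {"user": "bob@example.com", "at": "2025-06-12T16:30:00", "ip": "198.51.100.9"},
]
# Constructed: support case bodies
CASES = [
    {"id": "00001", "body": "Cannot connect; used key sk_live_abcdefghijklmnopqrstuvwxyz0123"},
    {"id": "00002", "body": "Resolved after cache clear."},
]

# Assumed secret formats; extend with the key shapes your own systems issue
SECRET_PATTERNS = [re.compile(p) for p in (
    r"\bsk_live_[A-Za-z0-9]{20,}\b",                        # Stripe-style secret key
    r"\bAKIA[0-9A-Z]{16}\b",                                # AWS access key id
    r"(?i)\b(api[_-]?key|password|token)\s*[:=]\s*\S{8,}",  # generic key=value
)]


def logins_after_reset(resets, logins, window=timedelta(hours=1)):
    """Return (user, reset_time, login_time, ip) for every login that occurs
    within `window` after a helpdesk MFA reset for the same user."""
    hits = []
    for r in resets:
        r_at = datetime.fromisoformat(r["at"])
        for login in logins:
            if login["user"] != r["user"]:
                continue
            delta = datetime.fromisoformat(login["at"]) - r_at
            if timedelta(0) <= delta <= window:
                hits.append((r["user"], r["at"], login["at"], login["ip"]))
    return hits


def cases_with_secrets(cases):
    """Return ids of cases whose body matches a secret pattern (rotate these)."""
    return [c["id"] for c in cases if any(p.search(c["body"]) for p in SECRET_PATTERNS)]


if __name__ == "__main__":
    for hit in logins_after_reset(MFA_RESETS, LOGINS):
        print("review login after MFA reset:", hit)
    print("cases with embedded secrets:", cases_with_secrets(CASES))
```

Widen the window to cover the 90-day review period the step describes, and compare the flagged IPs against the user's usual login locations.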

Review connected B2B SaaS accounts

The same attackers have been observed pivoting through connected services. Review access to Salesloft, HubSpot, Workday, business email and any OAuth integrations connected to your Salesforce tenant. Remove dormant integrations and rotate OAuth tokens where reasonable.

Email and Digital Identity

If your contact details sat inside a victim's CRM, expect targeted phishing.

Strengthen email security

~5 min
Updating the password and enabling MFA on the email account associated with any business contact data is widely recommended. It is also worth checking email forwarding rules and connected app permissions, as these are common follow-on targets after a CRM compromise.

Understand your full account exposure

Most people have dozens of online accounts linked to a single email. When that email appears in a CRM dataset like this one, understanding which services it is connected to is a critical first step in assessing personal risk. Tools that map your digital footprint can help identify accounts that may need attention.

Vishing-resistance Hygiene

The lesson of this campaign is that voice phishing of helpdesks is highly effective. Build habits that defeat it.

Never reset MFA based on a phone call alone

~5 min
Train teams (and yourself) to verify caller identity through a separate, known-good channel before performing any MFA reset or password change, even if the caller sounds legitimate, knows internal details, and is in a hurry. The attackers in this campaign frequently combined insider knowledge with urgency.

Move to FIDO2 hardware keys where you can

~20 min
Phishing-resistant MFA based on FIDO2 hardware keys (such as YubiKeys) cannot be reset by a helpdesk in the same way a TOTP app or SMS code can. For administrator accounts on Salesforce and other B2B SaaS, this is the single most effective control against this attack pattern.

Establish a known-good challenge with your team or helpdesk

A simple agreed challenge phrase, callback procedure, or out-of-band verification step (for example, a callback to a phone number from your HR system rather than the one the caller provided) is enough to defeat most vishing attempts. Document it and rehearse it.

Monitoring and Reporting

Resources for breach response and incident reporting across jurisdictions.

Stay alert for targeted phishing and vishing

Exposed name, email, phone and employer may be combined into very convincing follow-on messages, including fake renewal notices, fake support calls, and fake invoices. Verify any unsolicited contact through a separately sourced channel.

Report to the relevant authority for your region

In Australia, contact IDCare (1800 595 160), the national identity and cyber support service. Affected EU residents can report to their national data protection authority under GDPR; in the US, the FTC and state attorneys general accept identity-theft reports. Issues that involve a specific Salesforce tenant should also be reported to that tenant's operator and, if needed, to Salesforce via the Salesforce help centre.


Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

The Salesforce vishing campaign did not affect a single company; it affected dozens of them. If your email or business contact data appears in multiple victim tenants, attackers can build a richer profile than any single breach would allow.

How breach data compounds across this campaign

A single victim tenant may have exposed your name and email. But if you are also a customer or counter-party of multiple affected companies (for example an airline, an insurer, and a HR-SaaS), the combined view of your data across those tenants paints a far more complete picture of your identity and habits.

  • Qantas (2025): 5.7M records - same campaign, Salesforce CRM via vishing
  • Allianz Life (2025): 2.8M records - same campaign, MFA reset via helpdesk
  • Workday (2025): Salesforce CRM compromise via the same vishing pattern
  • Salesloft Drift (2025): 700K records - OAuth supply-chain compromise of Salesforce tenants

If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.



Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Salesforce, Inc. or with any of the companies named as victims of this campaign. If you believe you have been affected by these incidents, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.