The Rise of the Salesforce Data Loader Scam

The latest wave of cyberattacks shows how trust in everyday tools can be misused. This time, the focus is on Salesforce - one of the most widely used customer relationship management (CRM) platforms in the world.

Over the past few months, a threat group known as ShinyHunters has been running a social engineering campaign that exploits Salesforce’s own features to facilitate data theft. The result: breaches at some of the world’s most recognized companies, including Google, Adidas, Chanel, Allianz Life, Qantas, and LVMH brands.

How the Salesforce “Data Loader” Scam Works

Salesforce offers a legitimate tool called Data Loader, used by businesses to bulk import and export data. Attackers built a malicious look-alike app and convinced employees to connect it to their company’s Salesforce account.

Here’s the chain in simple steps:

  • Vishing Call: An employee receives a phone call from someone impersonating IT support or Salesforce.

  • 8-Digit Code: The caller guides the employee to enter a one-time code, which authorizes what appears to be a support app.

  • Backdoor Access: In reality, the employee has just approved a rogue Salesforce-connected app, giving attackers direct API-level access.

  • Data Theft: Attackers query Salesforce and quietly exfiltrate contact lists, client records, sales data, and internal notes.

Confirmed Breaches and Their Impact

Google: In June 2025, Google itself became one of the confirmed victims of the Salesforce Data Loader scam. The attack unfolded through a convincing voice call, where an employee was guided step by step into approving what seemed like a legitimate Salesforce tool. In reality, the approval connected a malicious app straight into Google’s CRM system. Within that short window of access, attackers pulled contact details and notes tied to Google’s small and medium business clients. While no passwords or financial records were exposed, the stolen information carried significant weight: names, emails, and phone numbers that could be turned into highly targeted phishing campaigns.

Adidas: In June 2025, Adidas was among the global brands hit by the Salesforce Data Loader scam. The attack started with a phone call that seemed routine - a supposed support request guiding an employee through what looked like a Salesforce troubleshooting process. Behind the scenes, the instructions led to the approval of a malicious connected app. Once authorized, attackers gained access to parts of Adidas’s CRM environment, including customer records and internal sales data. Security researchers later reported that data taken from this breach was used as leverage in attempted extortion, with threats to leak client information unless demands were met.

Chanel: By July 2025, the scam had reached the luxury sector. Chanel confirmed that its U.S. Salesforce database was compromised after an employee was manipulated into approving a rogue connected app. Attackers extracted client care records, including customer names and contact details, which were later linked to targeted phishing attempts against high-value clients. While Chanel disclosed the breach promptly, the incident highlighted how even carefully managed customer databases can be exposed when attackers exploit human trust rather than technical flaws.

While these are the major confirmed names affected, the Salesforce Data Loader scam continues. By mid-August, security firms reported that the campaign had expanded to more than 90 organizations worldwide, with attackers linked to ShinyHunters now suspected of working alongside Scattered Spider, a group known for extortion and high-impact social engineering. Reports in September confirm that the campaign is still ongoing, with fresh incidents surfacing and extortion tactics continuing to evolve, underscoring the need for vigilance across all teams and industries.

What This Means for Teams and Professionals

The Salesforce Data Loader scam underlines how a simple phone call can open the door to major breaches. Even companies with strong security measures — including global enterprises like Google, Adidas, and Chanel — became victims when employees were convinced to approve a malicious app.

This campaign shows three key realities:

  • Human trust can override technology: Attackers don’t need to break Salesforce itself; they only need to persuade someone to open the door.

  • CRM data is highly valuable: Names, emails, and contact details give attackers everything they need to run precise phishing and impersonation campaigns.

  • Indirect exposure is real: Even if your company was not directly breached, your data may sit in a partner’s or vendor’s Salesforce system — meaning their compromise can still affect you.

How to Stay EXTRA SAFE from Fake Salesforce Apps

  • Verify support requests independently: If someone calls asking you to install software or enter codes, confirm directly with your IT team or Salesforce’s official support channels before taking action.

  • Restrict app authorizations: Limit who in your company can connect new apps to Salesforce. Require admin approval for every new connected app.

  • Educate your team: Train employees to recognize voice phishing tactics. Encourage them to slow down and verify before following phone instructions.

  • Audit connected apps regularly: Review which apps are active in Salesforce and remove any that are unused or unfamiliar.

  • Enable strong MFA everywhere: Protect accounts with multi-factor authentication so that even if data is stolen, attackers can’t easily use it to break into other systems.
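One way to carry out the "audit connected apps" step above, shown as an added example that is not from the original article or from Salesforce. It checks an export of app authorizations against an approved list and ranks look-alike names first. The CSV columns, app IDs, app names and users are constructed for illustration and are not a Salesforce export schema.

```python
import csv
import io
from difflib import SequenceMatcher

# Approved apps keyed by a stable identifier (hypothetical IDs), because a
# display name alone can be copied by a look-alike app.
APPROVED = {"app-0001": "Data Loader", "app-0002": "Marketing Sync"}

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """app_id,app_name,user,authorized_at,use_count
app-0001,Data Loader,ops@example.com,2025-03-02,412
app-0002,Marketing Sync,mktg@example.com,2025-01-15,88
app-9731,My Ticket Portal,j.doe@example.com,2025-06-11,37
app-9802,Data  Loader,a.lee@example.com,2025-06-12,5
app-7710,Calendar Helper,b.kim@example.com,2024-11-30,0
"""

def _norm(name):
    # Collapse case, spacing and punctuation so cosmetic variants compare equal.
    return "".join(ch for ch in name.lower() if ch.isalnum())

def _resembles_approved(name, threshold=0.85):
    # Return the approved name this one imitates, or None if it imitates none.
    n = _norm(name)
    for approved in APPROVED.values():
        if SequenceMatcher(None, n, _norm(approved)).ratio() >= threshold:
            return approved
    return None

def audit(export_text):
    """Return (app_id, app_name, user, verdict) for every unapproved app, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["app_id"] in APPROVED:
            continue  # identifier is on the approved list
        twin = _resembles_approved(row["app_name"])
        if twin:
            verdict, rank = f"look-alike of approved app '{twin}'", 0
        elif int(row["use_count"]) == 0:
            verdict, rank = "unapproved and unused", 2
        else:
            verdict, rank = "unapproved and active", 1
        findings.append((rank, row["app_id"], row["app_name"], row["user"], verdict))
    return [f[1:] for f in sorted(findings)]

if __name__ == "__main__":
    for app_id, name, user, verdict in audit(SAMPLE_EXPORT):
        print(f"{app_id:9} {name!r:20} {user:20} {verdict}")
```

Matching on the identifier rather than the display name is what lets the audit catch an app whose name was chosen to pass for an approved tool.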

About #EXTRASAFEcheck:

New security risks pop up every day, spreading faster than ever. From AI flaws to data leaks, even the most popular apps can pose hidden threats, affecting both teams and individual users. That’s why our monthly review brings you the most important updates to keep you informed and protected. Follow #EXTRASAFEcheck to spot risks early and make safer online choices.