When a phone call is enough to hit tech giants

700 companies compromised.
Google, Adidas, Cisco, LVMH among the victims.
And it all started with… a phone call.

In August 2025, the cybersecurity world was shaken by one of the most severe SaaS supply chain breaches ever recorded: the Salesforce Breach 2025, also known as the Salesloft Drift Campaign.

Hackers exploited stolen OAuth tokens from the Drift integration to gain unauthorized access to Salesforce, triggering a large-scale global attack.

This wasn’t the result of sophisticated malware, but of social engineering. A voice on the other end of the phone was enough to open the door.

In this article, we break down what happened, the techniques used, and what we can learn to better protect companies from similar incidents.

Social engineering: The human side of cyberattacks

We often think security is just about technology, firewalls, or ISO certifications. But the truth is different: the weakest link remains the human factor.

Vishing (voice phishing) exploits psychological levers such as:

  • Urgency → “You need to act now or lose access.”

  • Authority → “I’m from IT, it’s just a routine check.”

  • Trust → “I’m speaking as a colleague, this will only take a minute.”

In the Salesforce case, cybercriminals convinced employees to grant critical access. A simple phone call was enough to turn human vulnerability into a global disaster.

The technical side: OAuth tokens and a compromised supply chain

If people were the entry point, the rest was pure cyber exploitation.

After the phone call, attackers used OAuth tokens—credentials that allow access without entering usernames and passwords—to move freely within Salesforce environments.

With these “universal keys,” they could:

  • Access sensitive data;

  • Exfiltrate confidential information;

  • Spread the attack along the supply chain, hitting hundreds of partners.

How the attack unfolded

1. Initial Vishing Contact

The attack started with a phone call. Impersonating IT support—or even Salesforce itself—threat actors called employees under the pretext of resolving a “support ticket” or other urgent issue.

With an authoritative tone, they created urgency (“there’s a problem with your account, we need to check it right away”) and convinced victims to cooperate. The goal was simple: build trust and prepare the victim to follow instructions.

2. Consent to a Malicious OAuth App

Once trust was established, the victim was guided to Salesforce’s Connected Apps section. There, they entered a “connection code” that actually authorized a fraudulent app—a tampered version of the Salesforce Data Loader.

Unknowingly, the employee granted a privileged OAuth token, giving attackers access to company data.

3. Exfiltration and Lateral Movement

With the OAuth token, attackers could:

  • Download sensitive CRM data (customer records, support tickets, sales pipelines);

  • Disguise their requests as legitimate API calls, making their activity invisible to security systems;

  • Harvest MFA credentials and logins from other SaaS platforms (Okta, Office 365, Slack), moving laterally into mailboxes, file storage, and collaboration tools.

This stage escalated a localized breach into a full-scale supply chain attack affecting hundreds of companies.

4. Extortion and Data Leak Threats

Once in possession of the data, criminals contacted companies demanding cryptocurrency ransoms. If refused, they threatened to leak the information on the dark web or sell it on illegal marketplaces.

Many victims suffered a double blow: data breaches combined with severe reputational damage.

OAuth supply chain attack: The Salesloft Drift Campaign

In parallel, attackers exploited the Salesloft–Drift integration with Salesforce to obtain OAuth tokens that had already been compromised. This allowed them to scale the attack to more than 700 companies, including global brands such as Google, Adidas, Cisco, and LVMH.

Why are we seeing so many similar breaches?

The Salesforce Breach 2025 is not an isolated case—it’s part of a string of attacks against companies like Chanel, Google, Air France, and KLM, all using the same model. Why are these campaigns so frequent and effective?

Third-Party Vendors as the New Entry Point

Hackers know core enterprise systems (ERP, payments, internal infrastructure) are heavily defended. External SaaS providers and CRM platforms, however, are much more vulnerable.

By compromising a single integration (like Drift or Salesloft), attackers can gain access to the data of dozens or even hundreds of companies simultaneously. That’s the logic of supply chain attacks: hit one node, and many doors open.

Social Engineering + OAuth: A Silent Weapon

The combination of vishing and OAuth abuse is devastating:

  • Vishing works because it exploits human trust, urgency, and authority;

  • OAuth makes the attack invisible, since access looks legitimate.

Together, they bypass traditional credential- or endpoint-based defenses, enabling persistent, hard-to-detect access.

Excessive Permissions Multiply the Damage

In many companies, connected apps in Salesforce have overly broad privileges—reading vast amounts of data or accessing unnecessary modules.

When such an OAuth token is compromised, the impact is massive: attackers instantly gain access to sensitive customer data, sales pipelines, and support tickets.

Weak governance makes this worse: often there’s no up-to-date inventory of connected apps or monitoring of their permissions.

Stolen Data Fuels New Attacks

CRM records are highly valuable: they can be resold, used for targeted phishing, or leveraged for new, even more convincing vishing campaigns.

This creates a multiplier effect: each breach not only harms direct victims but also powers future waves of global social engineering and cyber extortion.

Building resilience: Technology, processes, people

The Salesforce Breach 2025 wasn’t caused by an unknown technical vulnerability, but by the abuse of legitimate mechanisms (OAuth) combined with social engineering. It leaves us with key lessons for strengthening resilience.

Technology Alone Is Not Enough

Firewalls, antivirus, and EDR systems are essential, but not sufficient. If an employee, tricked into doing so, personally hands over credentials or approves a malicious app, no software can stop it.

Security must be multilayered: tools, processes, and culture.

Processes Are the First Line of Defense

Every organization should establish clear, enforced procedures for:

  • Handling urgent requests received by phone or email;

  • Verifying the identity of anyone claiming to be IT or external support;

  • Authorizing new SaaS and Connected Apps.

Well-defined processes reduce the risk that one hasty decision becomes a systemic failure.

People Are the Real Firewall

The Salesforce breach proves training is not a “nice to have,” but a core pillar of security. An aware employee recognizes signs of vishing (urgent tone, pressure, unusual requests) and knows when to say “no.”

Security awareness programs and regular simulations turn staff into the company’s first true human firewall.

SaaS App Governance Is Critical

Another key takeaway is the need for tight management of connected apps and OAuth permissions:

  • Up-to-date inventory of active integrations;

  • “Least privilege” policies to minimize accessible data;

  • Continuous monitoring of logs and APIs.

This drastically reduces the attack surface.
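The three governance controls above, and the "excessive permissions" problem described earlier, can be turned into a routine check. The following Python script is an added example, not code from the article or from Salesforce: it audits a constructed connected-app inventory for unapproved apps, over-broad OAuth scopes and stale tokens, and flags an app whose daily API volume is far above its own baseline. The record field names and the allowlist are assumptions; the scope names (`full`, `web`, `api`, `refresh_token`) are real Salesforce OAuth scopes.

```python
from datetime import date

# full/web let an app do everything the user can; refresh_token makes that access persistent.
HIGH_RISK_SCOPES = {"full", "refresh_token", "web"}
# Apps that went through the organization's authorization process (constructed allowlist).
APPROVED_APPS = {"Marketing Sync", "Support Bridge"}
AUDIT_DATE = date(2025, 8, 29)  # constructed "today" so the audit is reproducible

# Constructed inventory; field names are assumptions, not Salesforce's export format.
CONNECTED_APPS = [
    {"name": "Marketing Sync", "scopes": {"api", "refresh_token"}, "last_used": date(2025, 8, 20)},
    {"name": "Support Bridge", "scopes": {"api"}, "last_used": date(2025, 8, 28)},
    {"name": "Data Loader (custom)", "scopes": {"full", "refresh_token"}, "last_used": date(2025, 8, 27)},
    {"name": "Old BI Connector", "scopes": {"api"}, "last_used": date(2025, 1, 5)},
]

# Constructed daily API volume per app (rows returned), as an event-log rollup might yield.
API_USAGE = [
    {"app": "Support Bridge", "day": date(2025, 8, 26), "rows": 4_000},
    {"app": "Support Bridge", "day": date(2025, 8, 27), "rows": 4_600},
    {"app": "Support Bridge", "day": date(2025, 8, 28), "rows": 5_200},
    {"app": "Data Loader (custom)", "day": date(2025, 8, 27), "rows": 1_900_000},
]


def audit_apps(apps, today, stale_days=90):
    """One finding per violated control: inventory, least privilege, token hygiene."""
    findings = []
    for app in apps:
        if app["name"] not in APPROVED_APPS:
            findings.append((app["name"], "not in approved inventory"))
        risky = sorted(app["scopes"] & HIGH_RISK_SCOPES)
        if risky:
            findings.append((app["name"], "broad scopes: " + ", ".join(risky)))
        if (today - app["last_used"]).days > stale_days:
            findings.append((app["name"], "unused for >%d days, revoke token" % stale_days))
    return findings


def flag_bulk_pulls(usage, cap=100_000, spike_factor=10):
    """Flag (app, day, rows) where volume exceeds an absolute cap or 10x the app's earlier days.

    Every request behind these numbers is an authenticated, legitimate-looking API call,
    so volume against the app's own baseline is what exposes an exfiltrating token.
    """
    flagged, seen = [], {}
    for rec in sorted(usage, key=lambda r: r["day"]):
        baseline = seen.get(rec["app"])
        if rec["rows"] > cap or (baseline is not None and rec["rows"] > baseline * spike_factor):
            flagged.append((rec["app"], rec["day"].isoformat(), rec["rows"]))
        seen[rec["app"]] = max(baseline or 0, rec["rows"])
    return flagged
```

Run against the sample data, the audit reports the custom Data Loader twice (unapproved, `full` scope) and the unused BI connector twice, while the bulk-pull check singles out the 1.9 million-row day.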

Resilience Is Ongoing, Not a Destination

Cybersecurity is never “done”: every new integration, every new hire, every process change can introduce fresh vulnerabilities.

The Salesforce case shows that true defense is organizational resilience, built over time with:

  • Regular updates;

  • Continuous training;

  • Periodic policy reviews.

Conclusion

The Salesforce Breach 2025 will go down in cybersecurity history not because of innovative malware, but because of its simplicity: a single well-orchestrated phone call compromised over 700 global companies.

The lesson is clear: cybersecurity isn’t just about technology. Firewalls, MFA, and advanced systems are essential, but without strong processes and aware people, they are fragile defenses.

This incident proves that the human factor is both the weakest link and the most powerful resource in enterprise protection.

To defend against such threats, organizations need an integrated approach:

  • Technology → monitoring, alerts, granular OAuth controls;

  • Processes → verification policies for unusual requests and secure SaaS governance;

  • People → awareness programs that turn employees into a real human firewall.

The Salesforce breach is not an isolated case but a wake-up call: every organization, large or small, is a potential target. The difference lies in preparation.

Want to explore this topic live?
Join the Commit University this September!

🎤 Speaker: Diego Sarnataro, Founder & CEO of 10punto10
📍 Where: Florence, Commit Software HQ
📅 When: September 25, 2025
🎟️ Free entry + aperitif included – Register here

A unique opportunity to learn how to defend your company from social engineering attacks, with real-world cases, practical examples, and immediately applicable strategies.
