Summer 2025 brought shocking word of numerous data breaches suffered by companies on Salesforce. The hack, first detailed by Google's threat intelligence group (GTIG), actively targeted organizations not by guessing passwords, but by exploiting a core, legitimate feature of the Salesforce platform. This social engineering attack tricks users into granting hackers complete and persistent access to your most sensitive CRM data.
In this in-depth video, Scott provides a full technical breakdown of how this attack works. You’ll learn the critical weakness in the OAuth "Device Flow"—a protocol used by trusted apps like the Salesforce Data Loader and SFDX CLI. We demonstrate the step-by-step process a hacker uses to spoof a legitimate application and "phish" a user into entering a simple code, which in turn grants the attacker a non-expiring Refresh Token. This token is the "keys to the kingdom", allowing for permanent, undetected access to your org.
The good news is that these attacks are highly preventable, but they require a multi-layered defense. Scott breaks down steps you can take and walks through critical admin settings—many of which are not enabled by default—that can stop this hack cold.
Watch the video here!
Protect Your Org.
Secure Your Data.
Salesforce security is a shared responsibility. Let us help you solve it.
Salesforce Updates and Guidance
Explore expert strategies and practical advice on Salesforce security and permissions
