Salesforce Is the Latest Hacker Target. Here's How to Protect Yours.
If you use Salesforce, this matters to you.
Google’s Threat Intelligence Group just confirmed a series of targeted attacks affecting 20+ companies across the US and Europe. The goal? Access Salesforce data.
How?
Through voice phishing: attackers phone your employees, pose as IT support, and talk them into handing over credentials or installing (and authorizing) a fake Salesforce app that gives the attacker its own access to the org.
Once they have that access, the attackers bulk-export data and then demand a ransom.
Salesforce flagged this back in March. Now it’s here.
What’s at Risk?
While names haven’t been shared, this comes on the heels of recent breaches at major brands like Adidas, Harrods, and Marks & Spencer (which expects to lose ~$400M due to ransomware).
But you don’t need to be a global retailer to be a target.
If your Salesforce instance holds:
Donor records
Financial details
Customer contact data
Contract information
...then you’re on the radar.
5 Things You Can Do Today
1. User Access Audit
→ Dormant users, former employees and duplicate logins often go unnoticed, and each one is an open door for an attacker.
Here’s what to do:
Go to Setup > Users > Users, open the Active Users list view and sort or filter by Last Login.
Deactivate users who haven’t logged in for 90+ days unless there’s a documented business reason. Include accounts that have never logged in: a user provisioned months ago and never used is just as much an open door.
Review Profiles and Permission Sets. Nobody should hold the System Administrator profile, Modify All Data or Manage Users unless their role requires it; permission sets can grant these outside the profile, so check both.
Remove the ability to log in as other users from anyone who doesn’t need it for support.
Set Login IP Ranges and Login Hours on the profiles of high-risk roles (admins, finance, integration users).
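The audit above can be scripted instead of eyeballed. The following is an added example (not code from the article or from Equals 11) that applies the same rules to the result of a SOQL query on the User object: dormant for 90+ days, never logged in, admin profile, Modify All Data or Manage Users granted through a non-admin profile, and two active users sharing one e-mail address. The SOQL string and the Profile.Permissions* field names are assumptions about the org; the user records below are constructed sample data, not real accounts.

```python
from datetime import datetime, timedelta, timezone

# SOQL to pull the audit inputs (REST API, Data Loader or the Developer Console).
# Assumed field names: the Permissions* booleans on Profile mirror the profile's
# user permissions. Permission sets can grant the same rights outside the profile,
# so a real audit also queries PermissionSetAssignment (not covered here).
USER_AUDIT_SOQL = (
    "SELECT Username, Email, CreatedDate, LastLoginDate, Profile.Name, "
    "Profile.PermissionsModifyAllData, Profile.PermissionsManageUsers "
    "FROM User WHERE IsActive = true AND UserType = 'Standard'"
)

DORMANT_DAYS = 90
ADMIN_PROFILES = {"System Administrator"}

# Constructed sample records in the shape of the REST API response (not real users).
STD = {"Name": "Standard User", "PermissionsModifyAllData": False, "PermissionsManageUsers": False}
ADMIN = {"Name": "System Administrator", "PermissionsModifyAllData": True, "PermissionsManageUsers": True}
INTEGRATION = {"Name": "Integration User", "PermissionsModifyAllData": True, "PermissionsManageUsers": False}
SAMPLE_USERS = [
    {"Username": "alice@example.com", "Email": "alice@example.com", "CreatedDate": "2022-01-10T08:00:00.000+0000",
     "LastLoginDate": "2025-06-09T17:42:10.000+0000", "Profile": ADMIN},
    {"Username": "bob@example.com", "Email": "bob@example.com", "CreatedDate": "2023-05-02T08:00:00.000+0000",
     "LastLoginDate": "2025-01-15T09:03:51.000+0000", "Profile": STD},
    {"Username": "contractor@example.com", "Email": "contractor@example.com", "CreatedDate": "2024-11-01T08:00:00.000+0000",
     "LastLoginDate": None, "Profile": STD},
    {"Username": "newhire@example.com", "Email": "newhire@example.com", "CreatedDate": "2025-06-05T08:00:00.000+0000",
     "LastLoginDate": None, "Profile": STD},
    {"Username": "erp.sync@example.com", "Email": "it-ops@example.com", "CreatedDate": "2024-02-01T08:00:00.000+0000",
     "LastLoginDate": "2025-06-10T01:00:00.000+0000", "Profile": INTEGRATION},
    {"Username": "dave@example.com", "Email": "dave@example.com", "CreatedDate": "2021-03-03T08:00:00.000+0000",
     "LastLoginDate": "2025-06-01T12:00:00.000+0000", "Profile": STD},
    {"Username": "dave.old@example.com", "Email": "dave@example.com", "CreatedDate": "2020-03-03T08:00:00.000+0000",
     "LastLoginDate": "2025-05-20T12:00:00.000+0000", "Profile": STD},
]
AUDIT_AS_OF = datetime(2025, 6, 10, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def parse_sf_datetime(value):
    """Parse a Salesforce datetime like 2025-06-09T17:42:10.000+0000; None stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_users(users, now=None):
    """Return a list of {username, issue, detail} findings for the access-audit rules."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=DORMANT_DAYS)
    findings = []

    def flag(user, issue, detail):
        findings.append({"username": user["Username"], "issue": issue, "detail": detail})

    # Index active users by e-mail to spot duplicate logins for one person.
    by_email = {}
    for u in users:
        by_email.setdefault((u.get("Email") or "").lower(), []).append(u["Username"])

    for u in users:
        profile = u.get("Profile") or {}
        pname = profile.get("Name", "")
        last = parse_sf_datetime(u.get("LastLoginDate"))
        created = parse_sf_datetime(u.get("CreatedDate"))

        if last is None:
            # Never logged in: stale provisioning unless the account is brand new.
            if created is not None and created < cutoff:
                flag(u, "never-logged-in", f"created {created.date()}, no login since")
        elif last < cutoff:
            flag(u, "dormant", f"last login {last.date()}")

        if pname in ADMIN_PROFILES:
            flag(u, "admin-profile", pname)
        else:
            if profile.get("PermissionsModifyAllData"):
                flag(u, "modify-all-data", f"granted via profile '{pname}'")
            if profile.get("PermissionsManageUsers"):
                flag(u, "manage-users", f"granted via profile '{pname}'")

        others = [n for n in by_email[(u.get("Email") or "").lower()] if n != u["Username"]]
        if others:
            flag(u, "shared-email", "also used by " + ", ".join(others))
    return findings


def run_sample():
    """Run the audit over the constructed sample as of AUDIT_AS_OF."""
    return audit_users(SAMPLE_USERS, AUDIT_AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['issue']:<16} {f['username']:<26} {f['detail']}")
```

To run it against a real org, replace SAMPLE_USERS with the records returned for USER_AUDIT_SOQL (for example via simple_salesforce) and drop the fixed AUDIT_AS_OF. The "never-logged-in" rule is deliberately separate from "dormant": a null LastLoginDate is easy to miss in a list view sorted by last login, and an unused account created months ago is exactly the kind of credential a phishing caller can talk someone into "resetting".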
2. Enforce Multi-Factor Authentication (MFA)
→ MFA is no longer optional: Salesforce requires it, and it is your easiest win against stolen passwords. Keep in mind that it does not stop an attacker who talks an already-logged-in user into authorizing a malicious connected app, which is why step 3 matters just as much.
Here’s what to do:
Require MFA for all direct UI logins under Setup > Identity Verification, or assign the “Multi-Factor Authentication for User Interface Logins” user permission through profiles or permission sets.
If users log in via SSO, make sure your identity provider enforces MFA; Salesforce’s own MFA setting does not cover SSO logins.
Educate users on how to use the Salesforce Authenticator app or other supported MFA methods (security keys, third-party authenticator apps).
Monitor adoption in Security Center or with the Multi-Factor Authentication Assistant in Setup.
Don’t forget: integrations and API users are not covered by UI MFA. Give each integration its own least-privilege user and authenticate it through an OAuth connected app (for example the JWT bearer flow) rather than a shared username, password and security token.
3. Review All Installed Apps
→ Third-party integrations are often the weakest link, especially unused or unmanaged ones.
Here’s what to do:
Navigate to Setup > Installed Packages.
Identify apps that haven’t been updated in 6+ months or aren’t actively used.
Open Setup > Connected Apps OAuth Usage and revoke grants for apps you don’t recognize or no longer need; this is where a malicious app that a user authorized during a phishing call will show up, often under a name that mimics a legitimate tool.
Confirm on the AppExchange listing that the package has passed Salesforce’s security review. Note that [trust.salesforce.com] reports the status of Salesforce’s own services, not the trustworthiness of third-party publishers.
If you’re using unmanaged packages, audit the codebase: no visibility means higher risk.
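Reviewing OAuth grants can also be scripted. The following is an added example, not code from the article or from Equals 11, that groups OauthToken records (the object behind Connected Apps OAuth Usage) by app, compares each app against an allow-list, and reports unapproved apps, lookalike names that resemble an approved app (the pattern behind a fake data-loading tool), and approved apps whose grants nobody has used for six months. The SOQL string, the APPROVED_APPS list and the token records are assumptions and constructed sample data, not real org data.

```python
import difflib
from datetime import datetime, timedelta, timezone

# Assumed SOQL against the OauthToken object; run it as an admin.
OAUTH_TOKEN_SOQL = "SELECT AppName, UserId, UseCount, LastUsedDate FROM OauthToken"

# Allow-list of connected apps your org has deliberately approved (assumption).
APPROVED_APPS = {"Data Loader", "Salesforce for Outlook", "Old Marketing Sync"}
STALE_DAYS = 180          # matches the "6+ months unused" rule above
LOOKALIKE_CUTOFF = 0.8    # similarity ratio that counts as a name mimicking an approved app

# Constructed sample records (not real tokens). UserId values are placeholders.
SAMPLE_TOKENS = [
    {"AppName": "Data Loader", "UserId": "005A", "UseCount": 42, "LastUsedDate": "2025-06-08T09:15:00.000+0000"},
    {"AppName": "Salesforce for Outlook", "UserId": "005B", "UseCount": 900, "LastUsedDate": "2025-06-09T07:00:00.000+0000"},
    {"AppName": "Salesforce for Outlook", "UserId": "005C", "UseCount": 310, "LastUsedDate": "2025-06-09T07:30:00.000+0000"},
    {"AppName": "Old Marketing Sync", "UserId": "005A", "UseCount": 12, "LastUsedDate": "2024-10-01T11:00:00.000+0000"},
    {"AppName": "Dataloader Pro", "UserId": "005D", "UseCount": 3, "LastUsedDate": "2025-06-03T22:41:00.000+0000"},
    {"AppName": "Zapier Connector", "UserId": "005E", "UseCount": 5, "LastUsedDate": "2025-05-30T14:00:00.000+0000"},
]
REVIEW_AS_OF = datetime(2025, 6, 10, tzinfo=timezone.utc)  # fixed "now" for reproducibility


def parse_sf_datetime(value):
    """Parse a Salesforce datetime like 2025-06-09T17:42:10.000+0000; None stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def normalize(name):
    """Lowercase and strip non-alphanumerics so 'Data Loader' and 'DataLoader' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def review_oauth_tokens(tokens, approved=APPROVED_APPS, now=None):
    """Return one finding per app that is unapproved, a lookalike of an approved app, or stale."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=STALE_DAYS)

    # Aggregate per app: who authorized it, total use, most recent use.
    by_app = {}
    for t in tokens:
        rec = by_app.setdefault(t["AppName"], {"users": set(), "use_count": 0, "last_used": None})
        rec["users"].add(t["UserId"])
        rec["use_count"] += t.get("UseCount") or 0
        last = parse_sf_datetime(t.get("LastUsedDate"))
        if last and (rec["last_used"] is None or last > rec["last_used"]):
            rec["last_used"] = last

    approved_norm = {normalize(a): a for a in approved}
    findings = []
    for app, rec in sorted(by_app.items()):
        key = normalize(app)
        base = {"app": app, "users": len(rec["users"]), "use_count": rec["use_count"]}
        if key in approved_norm:
            if rec["last_used"] is None or rec["last_used"] < cutoff:
                findings.append({**base, "issue": "stale-grant", "looks_like": None})
            continue
        # Not on the allow-list: is the name close to an approved app's name?
        close = difflib.get_close_matches(key, list(approved_norm), n=1, cutoff=LOOKALIKE_CUTOFF)
        findings.append({
            **base,
            "issue": "lookalike-app" if close else "unapproved-app",
            "looks_like": approved_norm[close[0]] if close else None,
        })
    return findings


def run_sample():
    """Review the constructed sample tokens as of REVIEW_AS_OF."""
    return review_oauth_tokens(SAMPLE_TOKENS, now=REVIEW_AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        extra = f" (resembles '{f['looks_like']}')" if f["looks_like"] else ""
        print(f"{f['issue']:<15} {f['app']:<24} users={f['users']} uses={f['use_count']}{extra}")
```

A lookalike hit deserves the fastest response: an app named almost like an approved one, authorized by a single user a few days ago with a handful of uses, is the footprint the vishing scenario above leaves behind. Revoke the grant in Connected Apps OAuth Usage, then check that user’s export and login activity (step 5).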
4. Train Your Team Regularly
→ The #1 breach point is still human error. Voice phishing exploits helpfulness, urgency and confusion.
Here’s what to do:
Create a simple “Suspicious Call Playbook” that outlines red flags:
– Caller asks for passwords, MFA codes, or for you to approve a login prompt
– Caller pressures you to install unfamiliar tools or to connect or authorize an app
– Caller claims to be from IT but doesn’t know internal details
Run quarterly 5-minute simulations or phishing tests.
Add a Security Tips widget on your internal Salesforce homepage.
Encourage employees to report suspicious calls and emails to IT immediately, and to hang up and call IT back on a known number when in doubt.
Remind everyone: IT will never ask for your password over the phone.
5. Turn On Event Monitoring + Configure Alerts
→ You can’t fix what you can’t see. Native tools like Salesforce Shield offer critical visibility.
Here’s what to do:
If you have Salesforce Shield (or the stand-alone Event Monitoring add-on), enable Event Monitoring to track logins, downloads, report exports, API calls and more.
Set alerts for:
– Login attempts from new devices or IPs
– Report or dashboard exports after hours, or unusually large exports
– Login-as activity or session hijacking
Use Transaction Security Policies to block or flag risky behavior in real time, for example a report export over a size threshold.
Even without Shield, you still have Login History (Setup > Login History), the Setup Audit Trail and Field History Tracking on sensitive objects; review them on a schedule.
Forward your logs to a SIEM (Splunk, Datadog or similar) so Salesforce events can be correlated with identity-provider and endpoint telemetry.
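What those alerts look like as detection logic, as an added example that is not code from the article or from Equals 11: the script below runs three rules over Event Monitoring rows, a successful login from an IP not in the user’s baseline, a report export outside business hours (escalated to high severity when it follows a new-IP login by the same user within 15 minutes, the sequence the attack above produces), and any login-as event. The CSV is constructed sample data with columns normalized from the Login, ReportExport and LoginAs log types (real EventLogFile exports use one file and column set per type); the business-hours window and the KNOWN_IPS baseline are assumptions.

```python
import csv
import io
from datetime import datetime, time, timedelta, timezone

# Assumed working window in UTC; anything outside it, or on a weekend, is "after hours".
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample rows (not real log data). DETAIL carries LOGIN_STATUS for Login rows,
# the exported report for ReportExport rows, and the target user for LoginAs rows.
SAMPLE_EVENT_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,DETAIL
Login,2025-06-09T08:12:03.000Z,005A,203.0.113.10,LOGIN_NO_ERROR
Login,2025-06-09T08:30:41.000Z,005B,203.0.113.11,LOGIN_NO_ERROR
ReportExport,2025-06-09T10:05:19.000Z,005B,203.0.113.11,00O_Quarterly_Donors
Login,2025-06-09T22:47:55.000Z,005A,198.51.100.77,LOGIN_NO_ERROR
ReportExport,2025-06-09T22:49:02.000Z,005A,198.51.100.77,00O_All_Contacts
ReportExport,2025-06-09T22:51:30.000Z,005A,198.51.100.77,00O_Contracts
LoginAs,2025-06-09T23:02:11.000Z,005ADMIN,203.0.113.5,005B
"""

# Constructed baseline: IPs each user logged in from over a prior period.
KNOWN_IPS = {"005A": {"203.0.113.10"}, "005B": {"203.0.113.11"}}


def parse_ts(value):
    """Parse TIMESTAMP_DERIVED, e.g. 2025-06-09T08:12:03.000Z, as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def after_hours(ts):
    """True on weekends or outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect(csv_text, known_ips):
    """Run the three alert rules over the rows and return alerts in log order."""
    known = {user: set(ips) for user, ips in known_ips.items()}
    last_new_ip_login = {}   # user -> timestamp of their most recent login from an unknown IP
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = parse_ts(row["TIMESTAMP_DERIVED"])
        user, ip, etype = row["USER_ID"], row["CLIENT_IP"], row["EVENT_TYPE"]
        when = row["TIMESTAMP_DERIVED"]

        if etype == "Login" and row["DETAIL"] == "LOGIN_NO_ERROR":
            if ip not in known.setdefault(user, set()):
                alerts.append({"rule": "new-ip-login", "severity": "medium", "user": user, "ip": ip, "at": when})
                known[user].add(ip)            # one alert per new IP, not one per login
                last_new_ip_login[user] = ts

        elif etype == "ReportExport" and after_hours(ts):
            recent = last_new_ip_login.get(user)
            escalated = recent is not None and ts - recent <= CORRELATION_WINDOW
            alerts.append({
                "rule": "after-hours-export",
                "severity": "high" if escalated else "medium",
                "user": user, "ip": ip, "report": row["DETAIL"], "at": when,
            })

        elif etype == "LoginAs":
            # Always worth a look: an admin impersonating a user, or a stolen admin session.
            alerts.append({"rule": "login-as", "severity": "medium", "user": user,
                           "target": row["DETAIL"], "ip": ip, "at": when})
    return alerts


def run_sample():
    """Run the rules over the constructed sample log."""
    return detect(SAMPLE_EVENT_LOG, KNOWN_IPS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['severity']:<7} {a['rule']:<19} user={a['user']} ip={a['ip']} at={a['at']}")
```

In production the same rules run on the hourly or daily EventLogFile downloads, or in the SIEM after the logs are forwarded; the baseline of known IPs comes from Login History rather than a hard-coded dict. The correlation step is the part worth copying: an after-hours export on its own is noise in many orgs, but an export minutes after the same user’s first-ever login from an unfamiliar address is exactly the sequence described at the top of this post.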
Why This Matters
Your Salesforce investment isn’t just about automation, reporting, or CX. It’s about trust.
A data breach doesn’t just cost time and money; it erodes that trust.
Not sure where to begin?
At Equals 11, we work with organizations like yours to help secure and optimize Salesforce so you can grow with confidence.
Our certified team can help you:
Audit and secure your Salesforce setup
Train staff on best practices
Configure alerts for real-time visibility
Implement scalable governance
Let’s make sure you’re protected and prepared.