The Real-Life Costs of a Salesforce Security Breach

May 29, '26 by Joerg Schneider-Simon

Examples from real breaches, and what we can learn from them. 

Salesforce itself describes cybersecurity for the platform as a shared responsibility, stating that while it builds enterprise-grade security into the platform, customers still play a vital role in protecting their own data, especially as social engineering and phishing threats target Salesforce users.  

That distinction matters. 

Salesforce may protect the platform. Your organisation still has to protect how Salesforce is configured, who can access it, which apps connect to it, what data flows through it, and what files, links and sensitive content users trust inside everyday workflows. 

That’s a lot of potential entry points for a security breach, and a breach can lead to:

  • Data exposure
  • Legal and regulatory pressure
  • Extortion or ransomware risk
  • Operational disruption
  • Loss of customer trust

Here’s a look at some of the most high-profile Salesforce security breaches, and the real risks you face without third-party Salesforce protection.


Salesforce breach examples show the risk is real

Over the last year, Salesforce-related security incidents have become a visible part of the wider SaaS security conversation. The clearest pattern is not “Salesforce was insecure.” It is that attackers targeted the way organisations use Salesforce: connected apps, support workflows, customer service teams, third-party providers and trusted user behaviour.

Salesforce Ben’s 2025 data theft roundup reported a series of incidents linked to social engineering campaigns against Salesforce customers, noting that attackers often used phone-based vishing to trick users into installing an attacker-controlled replica of a Salesforce-related app, which then gave hackers access to query and exfiltrate data from compromised Salesforce customer accounts.  

Fortra’s summary of the Salesforce data breach wave made a similar point: attackers reportedly posed as IT support personnel over the phone and tricked employees into granting access or sharing credentials. 

The takeaway is simple: attackers do not need to break Salesforce to create Salesforce risk. They can exploit trust, users, content integrations and workflows.

Salesforce Security Breach Case Study 1: vishing, fake apps and Salesforce data theft

One of the most important Salesforce security breach examples is the UNC6040 campaign.

Google Threat Intelligence Group reported that UNC6040 used phone-based social engineering to impersonate IT support staff and convince employees to take actions that gave attackers access to Salesforce environments. Salesforce’s own guidance says threat actors have used vishing (a type of advanced phishing technique) to lure employees and third-party support workers to phishing pages designed to steal credentials and MFA tokens, or to prompt users to add a malicious connected app.

In some cases, Salesforce observed the malicious connected app was a modified version of the Data Loader app under a different name or branding. Once access was gained, the connected app was used to exfiltrate data.

The cost of this kind of breach is not limited to the first stolen record. Organisations may need to investigate connected apps, review API activity, rotate credentials, revoke tokens, notify customers, monitor extortion attempts and prepare for follow-on phishing using the exposed data.

That is why Salesforce breach prevention needs to include access controls, connected app governance, user training, API monitoring and workflow-level security. Learn more about Salesforce security best practices.

Salesforce Security Breach Case Study 2: Qantas and third-party customer service data

Qantas disclosed that on 30 June 2025, it detected unusual activity on a third-party platform used by a Qantas airline contact centre. The airline said it immediately contained the system and confirmed Qantas systems remained secure. Its initial investigation found that compromised data included names, email addresses, phone numbers, dates of birth and frequent flyer numbers, while no credit card details, personal financial information or passport details were stored in the affected system.

Even where the most sensitive financial or passport data is not exposed, a breach like this still creates cost. 

The organisation has to investigate, contain, communicate, support customers and monitor for misuse. Exposed contact data can also support future phishing and social engineering. An attacker with names, contact details, and loyalty information has material they can use to make the next scam more believable. 

That is one of the most overlooked costs of a Salesforce-related breach: the first incident can compound and create conditions for the next one.


What does a breach cost?

The average breach cost depends on region, industry, data type, attacker behaviour, regulatory environment and incident maturity. 

IBM’s 2025 Cost of a Data Breach Report put the global average cost of a data breach at USD 4.44 million. It also found that organisations with extensive use of AI in security saved USD 1.9 million compared with organisations that did not use these solutions.

Which industries are most exposed to a Salesforce security breach? 

The most exposed industries are not always the ones with the weakest platforms. They are often the ones with the most valuable data, the most complex workflows and the highest regulatory expectations. 

Healthcare has the highest average breach cost in IBM’s 2025 data, at USD 7.42 million. Financial services follows at USD 5.56 million. Industrial organisations average USD 5.00 million, while technology sits at USD 4.79 million.

That maps closely to Salesforce risk.

Healthcare organisations may use Salesforce for patient services, provider relationships, referrals, portals and support workflows. Financial organisations may process customer records, financial documents, applications and partner data. Manufacturing and industrial teams may exchange supplier files, technical documents, warranty information and customer records. Technology companies may use Salesforce across support, sales, customer success, partner channels and product-related workflows.

In each case, Salesforce becomes a trusted system for high-value content.

That is why the Salesforce security gap is not only about who can log in. It is about what files, links and sensitive data are allowed to move through the workflows users already trust.

These industries make up the top users of the Salesforce platform, which underlines the risk.


Why Salesforce breaches are so expensive

A Salesforce security breach can create several types of cost at once.

  • Incident response and forensics: teams need to determine what happened, which records were accessed, which apps were involved, which users were affected and whether data was exfiltrated.
  • Token and credential rotation: connected app incidents may require revoking OAuth tokens, rotating API keys, resetting passwords and reviewing third-party access. 
  • Customer notification and support: exposed contact data may still require customer communication, call centre support and dedicated breach resources.
  • Regulatory and legal pressure: regulated organisations may need to notify authorities, preserve evidence and prove appropriate controls were in place.
  • Follow-on phishing: exposed names, emails, phone numbers, loyalty details or case data can be used to create more convincing scams.
  • Operational disruption: teams may pause workflows, disable integrations, restrict access or slow business processes while the incident is investigated.
  • Reputation and trust: even when Salesforce itself is not compromised, customers may still see the breach as a failure to protect their data. 

How to reduce Salesforce breach risk

A strong Salesforce breach prevention programme needs to cover more than user access. It should combine identity controls, app governance, user awareness and content security, so threats are managed before they become incidents.

Start with the fundamentals: enforce MFA, apply least privilege, restrict login ranges where appropriate and lock down Experience Cloud or guest access. Then look at the connected ecosystem around Salesforce, including OAuth usage, connected apps, third-party integrations and vendor access. Admin-approved access should be the standard, not the exception. 

From there, security teams need to monitor the behaviours that often signal compromise, such as unusual API activity, unexpected data exports or changes in how sensitive information is being accessed. User training also plays a role, especially against vishing, phishing and fake IT support calls. 
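An added example (not from the original article, bowbridge or Salesforce) of the two checks described above: connected apps outside an admin-approved list, and per-user data volume far above that user's own baseline. The record schema, app names, allowlist and threshold factor are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Hypothetical allowlist of admin-approved connected apps.
APPROVED_APPS = {"Data Loader", "Marketing Sync"}

# Constructed records in a simplified, hypothetical schema
# (not Salesforce's actual event log format).
HISTORY = [
    {"user": "alice", "app": "Data Loader", "hour": "2025-06-01T09", "rows": 900},
    {"user": "alice", "app": "Data Loader", "hour": "2025-06-01T14", "rows": 1100},
    {"user": "alice", "app": "Data Loader", "hour": "2025-06-02T10", "rows": 1000},
    {"user": "bob", "app": "Marketing Sync", "hour": "2025-06-01T11", "rows": 200},
    {"user": "bob", "app": "Marketing Sync", "hour": "2025-06-02T11", "rows": 300},
]
TODAY = [
    {"user": "alice", "app": "Data Loader", "hour": "2025-06-03T09", "rows": 1050},
    {"user": "bob", "app": "My Ticket Portal", "hour": "2025-06-03T13", "rows": 40000},
    {"user": "bob", "app": "My Ticket Portal", "hour": "2025-06-03T13", "rows": 35000},
]

def hourly_totals(events):
    """Sum rows retrieved per (user, hour) bucket."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["hour"])] += e["rows"]
    return totals

def user_baselines(history):
    """Median hourly row volume per user over the history window."""
    per_user = defaultdict(list)
    for (user, _hour), rows in hourly_totals(history).items():
        per_user[user].append(rows)
    return {user: median(vals) for user, vals in per_user.items()}

def review(events, approved, baselines, factor=10):
    """Return sorted findings: unapproved apps and hourly volume spikes."""
    findings = set()
    for e in events:
        if e["app"] not in approved:
            findings.add(("unapproved_app", e["user"], e["app"]))
    for (user, hour), rows in hourly_totals(events).items():
        # A user with no history has baseline 0, so any volume is flagged.
        if rows > factor * baselines.get(user, 0):
            findings.add(("volume_spike", user, hour))
    return sorted(findings)

if __name__ == "__main__":
    print(review(TODAY, APPROVED_APPS, user_baselines(HISTORY)))
```

The allowlist check is name-based only for brevity; in practice the approved list would be keyed on whatever stable app identifier the organisation's logs provide.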

The area many organisations miss is content security. Sensitive data should be classified and controlled, but the files, URLs and information moving through Salesforce workflows also need to be inspected.

Access controls help decide who can use Salesforce. Content security helps decide whether the files, links and data moving through Salesforce should be trusted in the first place.


Where bowbridge fits

bowbridge does not claim to prevent every Salesforce breach scenario.

A content security product will not replace MFA, stop every vishing call, govern every OAuth token or fix every connected app policy. Those controls still matter.

bowbridge helps reduce a specific and important category of Salesforce risk: unsafe content moving through Salesforce workflows.

bowbridge Threat Protection and Anti-Virus for Salesforce is designed to:

  1. Scan file uploads for malware, ransomware, malicious code and suspicious files
  2. Check URLs in workflows such as Chatter, Salesforce emails, tasks and configured text fields
  3. Detect sensitive data patterns such as PII, PHI, payment data, financial records and custom confidential patterns
  4. Apply policy actions such as block, quarantine, warn, allow or alert

It also provides dashboards, logs, alerts and reporting to support visibility and audit needs.

That matters because many Salesforce workflows rely on content from customers, partners, suppliers, external users and internal teams. 

bowbridge adds the missing content security layer.

Limit your risk of Salesforce security breaches

The real cost of a Salesforce security breach is not just the technical fix.

It is the investigation. The customer support. The regulator questions. The integration review. The follow-on phishing. The legal advice. The operational disruption. The uncomfortable conversation about why a trusted platform became a blind spot.

Recent Salesforce-related incidents show the pattern clearly: attackers are targeting the ecosystem around Salesforce, including users, connected apps, third-party providers and trusted workflows.

The answer is not to distrust Salesforce. The answer is to secure the way your organisation uses it.

That means protecting access, integrations, configurations, users and content together.
