
What the Salesforce breach can teach us about Cloud/SaaS Security


What Happened?
The attack ran on two fronts simultaneously.

  • On the first, attackers quietly compromised Salesloft's GitHub repositories between March and June 2025, stealing Drift OAuth refresh tokens. Those tokens gave them persistent, legitimate-looking API access to the Salesforce environments of every company using the integration. Thousands of database queries were run in the background, pulling contact records, case data and, critically, embedded credentials such as AWS keys and tokens that had been pasted into support tickets.
  • On the second, attackers impersonated Salesforce support staff in targeted phone calls, tricking employees into installing a malicious app that granted OAuth access and bypassed MFA entirely. This campaign hit consumer brands directly.

Once they had accumulated enough data, the group went public. On 3 October 2025 they launched a dark web leak site called Trinity of Chaos, published samples of the stolen data, and named 39 Salesforce customers. They set a ransom deadline of 10 October, demanding payment both from the affected companies individually and from Salesforce itself.
The stolen data included names, emails, phone numbers, dates of birth, partial Social Security numbers, loyalty IDs, and in several cases the embedded cloud credentials that had been sitting quietly in support tickets.

Salesforce refused to negotiate.

When the deadline passed, the group followed through: data for six confirmed victims was leaked publicly, including Qantas, GAP, and Vietnam Airlines. Around 7.3 million Vietnam Airlines customer accounts appeared in the published leak.

What Went Wrong - And What to Learn From It?
  • Third-party integrations are part of your attack surface. A connected app approved once and forgotten is a door left unlocked. Attackers know this.
  • OAuth tokens are credentials. Long-lived refresh tokens with broad permissions were the weapon here. Most organisations have no process to rotate or audit them.
  • MFA can be bypassed. Social engineering consistently outpaces technical controls because it targets people, not systems.
  • CRM data is not boring. Names, emails, phone numbers, and embedded API keys in support tickets are intelligence gold for follow-on attacks.
Recommended Actions to Consider
  • Audit every connected OAuth app in your Salesforce environment. Revoke anything unused or over-permissioned. Repeat quarterly.
  • Rotate integration tokens on a defined schedule. Refresh tokens should not live indefinitely.
  • Monitor API usage for anomalies. Thousands of SOQL queries at 2am are not normal. Set alerts.
  • Require admin approval before any connected app can be authorised by standard users.
  • Run vishing-specific training. Generic awareness is not enough for this threat pattern.
  • Never store API keys or credentials in CRM tickets or case notes. Audit and remove any that exist now.
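The two actions above that a defender can automate straight away are the API anomaly alerting and the audit of tickets for embedded credentials. The following Python is an added example written for this post, not code from Salesforce, Salesloft or the original article. It runs entirely on constructed sample data: the log rows are an assumed shape loosely modelled on a Salesforce event log export (timestamp, connected app name, user, query count), not the real EventLogFile schema, and the per-hour thresholds are placeholder values you would replace with a baseline of your own org's traffic. The AWS access key ID used in the sample case is AWS's published documentation example key, not a real credential.

```python
"""Two checks from the action list: flag per-app SOQL query bursts (with a stricter
limit outside business hours) and scan support-case text for embedded credentials.
Added example on constructed data; field shapes and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample API log rows: (UTC timestamp, connected app, user, SOQL query count).
# The shape is an assumption for this example, not the real Salesforce EventLogFile schema.
SAMPLE_API_EVENTS = [
    ("2025-08-12T09:15:00Z", "Drift-Integration", "integration@corp.example", 40),
    ("2025-08-12T10:15:00Z", "Drift-Integration", "integration@corp.example", 55),
    ("2025-08-12T02:05:00Z", "Drift-Integration", "integration@corp.example", 1200),
    ("2025-08-12T02:40:00Z", "Drift-Integration", "integration@corp.example", 980),
    ("2025-08-12T14:00:00Z", "Sales Console", "alice@corp.example", 120),
    ("2025-08-12T02:20:00Z", "Nightly-Backup", "svc-backup@corp.example", 300),
]

# Placeholder thresholds (assumptions): tune them against your own org's observed baseline.
BUSINESS_HOURS = (8, 18)   # 08:00-18:00 UTC counts as business hours
DAYTIME_THRESHOLD = 2000   # queries per app per hour during business hours
OFFHOURS_THRESHOLD = 500   # stricter limit at night, when a CRM should be quiet


def _hour_bucket(ts):
    """Truncate an ISO-8601 UTC timestamp to the start of its hour."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)


def flag_query_bursts(events, daytime=DAYTIME_THRESHOLD, offhours=OFFHOURS_THRESHOLD):
    """Sum query counts per (app, hour) and return buckets above the applicable limit.
    Each hit is (app, hour_iso, total_queries, threshold_used)."""
    totals = defaultdict(int)
    for ts, app, _user, count in events:
        totals[(app, _hour_bucket(ts))] += count
    hits = []
    for (app, hour), total in sorted(totals.items()):
        in_business_hours = BUSINESS_HOURS[0] <= hour.hour < BUSINESS_HOURS[1]
        limit = daytime if in_business_hours else offhours
        if total > limit:
            hits.append((app, hour.isoformat(), total, limit))
    return hits


# Credential patterns. The AWS access key ID format (AKIA + 16 uppercase alphanumerics) is
# the documented one; the generic "name = value" pattern is a deliberately broad heuristic.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*([A-Za-z0-9_\-./+]{16,})"
    ),
}

# Constructed sample cases. AKIAIOSFODNN7EXAMPLE is AWS's published documentation example
# key ID; the other values are made up for this example.
SAMPLE_CASES = [
    ("00001", "Customer cannot log in since the upgrade, please advise."),
    ("00002", "Integration failing. Our key: AKIAIOSFODNN7EXAMPLE "
              "secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("00003", "Reset done. Temporary token: tok_constructed_sample_value_0123456789"),
]


def _mask(value):
    """Keep a short prefix for triage; never return the full secret to the caller."""
    return value[:4] + "*" * (len(value) - 4)


def find_embedded_secrets(cases, patterns=SECRET_PATTERNS):
    """Return (case_id, pattern_name, masked_value) for each credential-looking string
    found in a case description, so the ticket can be cleaned and the key rotated."""
    findings = []
    for case_id, body in cases:
        for name, rx in patterns.items():
            for m in rx.finditer(body):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append((case_id, name, _mask(value)))
    return findings


if __name__ == "__main__":
    for hit in flag_query_bursts(SAMPLE_API_EVENTS):
        print("ALERT query burst:", hit)
    for finding in find_embedded_secrets(SAMPLE_CASES):
        print("ALERT embedded credential:", finding)
```

On the sample data the burst check fires once, for the integration app's 02:00 hour (2,180 queries against the off-hours limit of 500), while the nightly backup job at 300 queries stays below it; the secret scan returns three findings across two cases. In practice the first function would be fed from a scheduled export of API events and the second from a bulk query over Case descriptions and comments, with every hit on a credential followed by rotation of that credential, not just deletion of the ticket text.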
The Salesforce breach wave is likely to be cited as a textbook case for years to come, not because Salesforce failed, but because it showed how thoroughly enterprises have outsourced their trust without maintaining oversight of it.
The attackers never broke down any walls. They walked through doors that had been left wide open by forgotten integrations and unmanaged tokens.

If your company uses SaaS, it is your company's responsibility, not your vendor's, to ensure it is securely integrated with your environment and processes.
You should prepare for it!
