
As a Salesforce security leader and Certified Technical Architect who has spent 18+ years in this ecosystem, I need to be clear from the start.

While I’m not a legal expert, I can tell you that the technical failures leading to these breaches were largely preventable and were failures on the part of the companies suing, not Salesforce.

Salesforce has now been hit with over 70 lawsuits across the United States following a series of cyberattacks that compromised customer data at multiple companies. The legal action, with 14 cases filed in September alone in Northern California District Court, names high-profile co-defendants including TransUnion, Allianz Life Insurance, Farmers Insurance, Workday, and Pandora Jewelry. The U.S. Judicial Panel on Multidistrict Litigation has been asked to coordinate these cases into multidistrict litigation in California’s Northern District.

The Attack Methods and Impact Explained

Hackers used sophisticated social engineering tactics—specifically voice phishing (vishing)—to trick employees into authorizing malicious connected apps to their Salesforce environments. Attackers impersonated IT support personnel on voice calls and walked unsuspecting employees through granting organizational access. Cybercriminal groups like ShinyHunters (tracked by Google’s Threat Intelligence Group as UNC6040) and Scattered Spider exploited OAuth 2.0 authentication tokens to gain access and exfiltrate massive amounts of sensitive data. The FBI issued an official FLASH alert warning about these attacks.

Companies Affected and Data Exposed:

  • Farmers Insurance: 1.1 million customers—names, addresses, dates of birth, driver’s license numbers, partial Social Security numbers
  • TransUnion: 4.4 million people—names, dates of birth, Social Security numbers, billing addresses, email addresses, phone numbers, customer support information (13 million total records stolen)
  • Allianz Life Insurance: 1+ million customers
  • Louis Vuitton: Names, email addresses, mailing addresses, phone numbers, purchase records, loyalty program details, partial payment history
  • Jaguar Land Rover: Production shutdowns for over a month, requiring a £1.5 billion ($2 billion) government-backed loan

Other impacted companies include Chanel, Google, Workday, and Pandora Jewelry.

The Legal Arguments

Plaintiffs argue that Salesforce “failed to secure its system and didn’t detect and block a malicious app on its platform, exposing the data of millions of Americans to cybercriminals.” Attorney Amber Schubert stated that “Salesforce is the hub connecting these attacks.” The lawsuits frame this as a “hub-and-spoke” breach, where Salesforce acts as the central hub and client companies are the spokes—meaning a breach at Salesforce potentially exposes data from hundreds of companies simultaneously.

Farmers Insurance faces additional criticism for detecting suspicious activity on May 30 but not sending written notices to customers until August 22—nearly three months later. This delay left consumers unable to take immediate protective measures. These cases are ongoing and we will all be watching closely as the saga unfolds.

Understanding the Technical Reality

The term “malicious app” in these lawsuits can be misleading to non-technical readers. As explained in a great article by our friends at Salesforce Ben, the term does not refer to an application installed on the platform the way an app is installed on a phone. A “connected app” is simply the OAuth 2.0 authorization configuration that allows an external tool to access Salesforce—it is a set of security and authorization settings, not a downloadable piece of software.

Salesforce did leave open a potential vulnerability through the OAuth 2.0 device flow, which they retired approximately a month ago. The company has since “hardened” their OAuth approach, demonstrating proactive security improvements. However, Google’s Threat Intelligence team explicitly stated: “In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.” This is a critical distinction—Salesforce’s core platform was not compromised. The attacks succeeded because employees were socially engineered into granting access, essentially opening the door and handing over the keys.

Another critical misunderstanding involves IP-based login restrictions. Many organizations implement IP restrictions but configure them incorrectly, checking IP addresses only at login rather than on every request. Consider this scenario: an employee logs into Salesforce while connected to a corporate VPN, passing the IP restriction check, then disconnects from the VPN to access another resource. If IP restrictions are only checked at login, that user remains authenticated with full access—even though they’re no longer connecting from an authorized IP address.

Proper configuration requires checking on every single request to ensure that if a user’s IP address changes during their session, they’re immediately blocked. With proper security configurations in place—IP security controls on all profiles checked on every request, mandatory multi-factor authentication, regular audits of connected apps, and comprehensive employee training on social engineering tactics—these attacks could have been significantly mitigated or prevented entirely. However, nothing is completely safe. Security is about adding layers of protection to reduce risk, not achieving perfect invulnerability.
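To make the difference between the two enforcement modes concrete, here is a small simulation added for this post. It is example code, not Salesforce’s implementation and not EzProtect code. It assumes a constructed trusted range of 203.0.113.0/24 standing in for the corporate VPN egress, a user `alice@example.com`, and a request sequence matching the VPN-disconnect scenario above; `login`, `handle_request` and `run_scenario` are hypothetical names chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed allow-list standing in for the corporate VPN egress range
# (a documentation range, not a real corporate network).
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]


def ip_is_trusted(ip: str) -> bool:
    """True when the client address falls inside a permitted login IP range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


@dataclass
class Session:
    user: str
    login_ip: str
    active: bool = True


def login(user: str, ip: str) -> Optional[Session]:
    """Both enforcement modes check the source IP once, at login."""
    if not ip_is_trusted(ip):
        return None
    return Session(user=user, login_ip=ip)


def handle_request(session: Session, ip: str, enforce_every_request: bool) -> Tuple[bool, str]:
    """Evaluate one request under the chosen enforcement mode.

    Login-only mode trusts the session for its whole lifetime once the
    login check has passed. Every-request mode re-checks the client IP and
    terminates the session as soon as a request arrives from outside the
    trusted ranges.
    """
    if not session.active:
        return False, "session already terminated"
    if enforce_every_request and not ip_is_trusted(ip):
        session.active = False
        return False, f"IP {ip} outside trusted ranges; session terminated"
    return True, "allowed"


# Constructed request sequence mirroring the scenario in the text:
# two requests over the VPN, then the VPN drops and requests continue
# from the user's home ISP address.
SCENARIO = [
    ("203.0.113.10", "view account record"),
    ("203.0.113.10", "run report"),
    ("198.51.100.77", "export report"),
    ("198.51.100.77", "bulk API query"),
]


def run_scenario(enforce_every_request: bool) -> List[Tuple[str, str, bool, str]]:
    """Replay SCENARIO and return (action, ip, allowed, reason) for each request."""
    session = login("alice@example.com", SCENARIO[0][0])
    if session is None:
        return []
    results = []
    for ip, action in SCENARIO:
        allowed, reason = handle_request(session, ip, enforce_every_request)
        results.append((action, ip, allowed, reason))
    return results


if __name__ == "__main__":
    for mode, flag in (("login-only check", False), ("check on every request", True)):
        print(f"--- {mode} ---")
        for action, ip, allowed, reason in run_scenario(flag):
            print(f"{action:<20} {ip:<15} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Under the login-only policy all four requests succeed, including the two made after the VPN dropped; under per-request enforcement the first off-network request is denied and the session is terminated, which is the behaviour the Salesforce setting described above is meant to give you.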

The painful truth is that many companies failed to invest in Salesforce-specific security expertise before attacks occurred, treating cybersecurity as an IT checkbox rather than a business-critical investment requiring specialized domain knowledge. Organizations can learn more about implementing these security controls through Salesforce’s official security best practices.

The Shared Responsibility Model

Many organizations mistakenly believe that moving to cloud platforms like Salesforce transfers all security responsibilities to the provider. This dangerous misconception leaves companies vulnerable to precisely these types of attacks. The Salesforce shared responsibility model clearly delineates security duties:

Salesforce’s Responsibilities:

  • Securing infrastructure and platform
  • Managing firewall rules
  • Enforcing data isolation per tenant
  • Running proactive code scans and penetration tests
  • Ensuring compliance with industry standards
  • Providing secure communication protocols

Customer Responsibilities:

  • Configuring application-level access controls
  • Enforcing multi-factor authentication
  • Assigning proper roles and permissions
  • Monitoring audit logs and user behavior
  • Ensuring secure implementation of custom code
  • Securing third-party integrations
  • Deploying anti-abuse and fraud prevention measures
  • Training employees on cybersecurity threats

The 70+ lawsuits now flooding federal courts stand as stark evidence that misunderstanding this shared responsibility model doesn’t just create security gaps—it creates legal liability, financial devastation, and reputational damage that can take years to recover from, if recovery is even possible. You can create a confidential calculation to help you understand the real cost of a data breach with our free tool (based on years of research).

Protecting Your Organization

Organizations must take immediate action to secure their Salesforce environments:

  • Remove stale and suspicious users: Regularly audit user accounts and deactivate those no longer needed
  • Remove excessive permissions: Follow the principle of least privilege—users should only have access necessary for their specific roles
  • Enforce MFA/SSO: Multi-factor authentication should be mandatory for all users, no exceptions.
  • Apply IP-based login restrictions on every request: Don’t just check at login—verify on every single request to prevent session hijacking
  • Audit Connected Apps regularly: Review all connected apps, remove unnecessary ones, and ensure proper OAuth scopes
  • Add security contacts in Salesforce: Designate team members to receive security alerts and updates
  • Continually monitor user behavior and event logs: Implement real-time monitoring to detect anomalous activity
  • Train employees on social engineering threats: Regular training on vishing, phishing, and other manipulation tactics is essential
  • Implement virus scanning solutions: Since Salesforce doesn’t scan uploaded files, deploy third-party security tools
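The connected-app audit in the list above is the control most directly aimed at the vishing pattern described earlier, so here is an added example of what such a review can check. It is example code written for this post, not Salesforce’s own tooling and not EzProtect code. The inventory is constructed: the app names, scopes and dates are made up, and the `permitted_users` values (`self_authorize`, `admin_preapproved`) are simplified stand-ins for Salesforce’s connected-app OAuth user policies. `audit_connected_apps` is a hypothetical function name.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Tuple

# Constructed allow-list of integrations the business has actually approved.
APPROVED_APPS = {"Salesforce Mobile", "Payroll Sync"}


@dataclass(frozen=True)
class ConnectedApp:
    name: str
    scopes: FrozenSet[str]   # OAuth scopes the app requests, e.g. {"api", "refresh_token"}
    permitted_users: str     # "self_authorize" or "admin_preapproved" (simplified)
    first_seen: date         # first authorization observed in the org
    user_count: int          # users who have granted the app access


def audit_connected_apps(apps, today: date, approved=APPROVED_APPS,
                         new_app_window_days: int = 30) -> List[Tuple[str, str]]:
    """Return (app name, finding) pairs for every connected app that needs review.

    Checks, in order: the app is not on the approved list; it asks for the
    over-broad 'full' scope; any user may self-authorize API access (the grant
    an employee is talked into on a vishing call); and it appeared recently,
    so somebody should confirm who approved it.
    """
    findings = []
    for app in apps:
        if app.name not in approved:
            findings.append((app.name, "not on the approved integration list"))
        if "full" in app.scopes:
            findings.append((app.name, "requests the 'full' scope; narrow it to the data the integration needs"))
        if app.permitted_users == "self_authorize" and "api" in app.scopes:
            findings.append((app.name, "any user can self-authorize API access; require admin pre-approval"))
        age_days = (today - app.first_seen).days
        if age_days <= new_app_window_days:
            findings.append((app.name,
                             f"first authorized {age_days} days ago by {app.user_count} user(s); confirm who approved it"))
    return findings


# Constructed sample inventory: two long-standing approved integrations and
# one recently self-authorized app with broad scopes.
TODAY = date(2025, 10, 1)
SAMPLE_APPS = [
    ConnectedApp("Salesforce Mobile", frozenset({"api", "refresh_token"}),
                 "admin_preapproved", date(2022, 3, 14), 250),
    ConnectedApp("Payroll Sync", frozenset({"api", "refresh_token"}),
                 "admin_preapproved", date(2023, 8, 2), 1),
    ConnectedApp("Data Export Helper", frozenset({"api", "refresh_token", "full"}),
                 "self_authorize", date(2025, 9, 26), 3),
]


if __name__ == "__main__":
    for name, finding in audit_connected_apps(SAMPLE_APPS, TODAY):
        print(f"[REVIEW] {name}: {finding}")
```

Run against the sample inventory, the two approved integrations produce no findings and the newly self-authorized app produces four, one per check. In a real org the inventory would come from your connected-app list and OAuth usage report rather than a hard-coded table, and the approved list should be maintained by whoever owns integrations, not guessed by the person running the audit.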

Conclusion

The wave of lawsuits against Salesforce highlights a fundamental misunderstanding of cloud security responsibilities. While legal proceedings will determine liability, the technical reality is clear: these breaches resulted from inadequate security configurations and employee training, not inherent platform vulnerabilities. Organizations that treated Salesforce security as Salesforce’s problem rather than a shared responsibility are now paying the price—some to the tune of billions of dollars.

The cost of neglecting specialized Salesforce security expertise is no longer theoretical. It’s measured in millions of compromised records, emergency government loans, class-action lawsuits, and irreparable damage to customer trust. Cybercriminals are watching these outcomes closely, and inadequately secured organizations have painted targets on themselves.

Don’t wait for a breach to prioritize Salesforce security. The question isn’t whether your organization can afford to invest in proper Salesforce security domain expertise and solutions—it’s how much the C-suite will end up spending if you don’t act now. The difference between a more secure organization and the next headline is often just a matter of proper configurations, implemented solutions, and specialized Salesforce security domain expertise.

Need a comprehensive security assessment? Reach out to our Salesforce security experts at EzProtect. We provide specialized expertise to evaluate your configurations, identify vulnerabilities, and implement robust security controls that protect your organization and your customers’ data.


About the Author:

Matt Meyers is a Salesforce CTA, CEO, and CoFounder of EzProtect, a virus-scanning solution for Salesforce. With 18 years in the Salesforce ecosystem, he’s also the author of the Amazon bestseller “Securing Salesforce Digital Experiences”. Matt is passionate about well-architected, secure Salesforce implementations and developing the next generation of Salesforce architects.

Published On: October 9, 2025 | Categories: Blog, Cybersecurity, Salesforce Admins