31 August 2025

Security in a World of Integrations

A recent spate of attacks targeting Salesforce instances has highlighted the vulnerabilities associated with the ever-expanding number of service integrations. On the one hand, it’s great that once disparate services can be inter-connected, creating more value, but on the other hand these same connections expose organisations to increased risk. Whether it’s API keys, OAuth tokens or other integration approaches, every such integration is a potential entry point into one or both of the connected systems. Go after integrations that touch big CRM systems, and the volume of data you get access to can be huge.

Transunion (the personal data of 4.4 million people affected), Farmers Insurance (1.1 million) and Allianz (1.4 million). Workday, Chanel, Pandora, Google, Adidas and more were all apparently hit.

The breaches all reportedly took place via the threat group impersonating IT support and getting a Salesforce admin in the company to install a malicious connected app within their instance. Because the victim authorised the app through a legitimate flow, MFA, security keys and the usual technical measures would not have prevented these attacks. On the surface, this looks to be a failure of adequate processes and training, but the blame should not be put solely at the feet of the victims.

To be able to install an unverified app simply by entering an 8-digit code sets an awfully low bar for what appears to be a security default. Nor is this the first time we have heard about OAuth grants being leveraged for malicious purposes. Create a malicious app, fool an employee into authorising the OAuth grant, and you now have persistent and well-hidden access to the scoped data, access that is tied to the grant rather than to the user’s password and lasts until the grant itself is revoked. No need for passwords, a man-in-the-middle position, stolen session cookies, EDR bypasses, etc. Google’s Threat Intelligence Group has a good write-up of the attack methodology:

Data Loader is an application developed by Salesforce, designed for the efficient import, export, and update of large data volumes within the Salesforce platform. It offers both a user interface and a command-line component, the latter providing extensive customization and automation capabilities. The application supports OAuth and allows for direct “app” integration via the “connected apps” functionality in Salesforce. Threat actors abuse this by persuading a victim over the phone to open the Salesforce connect setup page and enter a “connection code,” thereby linking the actor-controlled Data Loader to the victim’s environment.

Additional details from Salesforce:

Threat actors have been observed employing various social engineering tactics, including voice phishing (i.e., “vishing”), to impersonate members of an IT Support team over the phone. They have been reported luring our customers’ employees and third-party support workers to phishing pages designed to steal credentials and MFA tokens or prompting users to navigate to the login.salesforce[.]com/setup/connect page in order to add a malicious connected app. In some cases, we have observed that the malicious connected app is a modified version of the Data Loader app published under a different name and/or branding. Once the threat actor gains access to a customer’s Salesforce account or adds a connected app, they use the connected app to exfiltrate data.
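The attack described above leaves a trace that admins can look for: a connected-app grant that is not on the approved list, one that carries Data Loader branding under a different app registration, or one that starts making bulk API calls within hours of being authorised. The following is an added example of that triage logic, not code from the original post or from Salesforce. The record fields (display name, consumer key, user, creation time, last use, use count) and the placeholder consumer keys are assumptions of this example; map them to whatever your export of the Salesforce OauthToken and connected-app records actually contains. The sample records are constructed for illustration.

```python
"""Triage Salesforce connected-app token grants for signs of consent phishing.

Added example, not Salesforce code. Field names and consumer keys are
assumptions of this example; the sample records are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TokenGrant:
    app_name: str       # display name the user saw at consent time
    consumer_key: str   # identifies the connected-app registration (OAuth client_id)
    user: str
    created: datetime   # when the user authorised the app
    last_used: datetime
    use_count: int      # API calls made with this grant so far


# Approved apps are keyed by consumer key, not by display name: a rebranded
# copy of Data Loader keeps Data Loader's behaviour but has its own key.
# The keys below are placeholders (assumption of this example).
APPROVED = {
    "3MVG9_official_dataloader": "Salesforce Data Loader",
    "3MVG9_internal_crm_sync": "Internal CRM Sync",
}
DATALOADER_KEYS = {"3MVG9_official_dataloader"}

BULK_CALLS = 500                  # calls within BULK_WINDOW treated as an export
BULK_WINDOW = timedelta(hours=24)
_DL_PATTERN = re.compile(r"data\s*-?\s*loader|bulk\s*export", re.IGNORECASE)


def review_grant(grant, approved=APPROVED, dataloader_keys=DATALOADER_KEYS):
    """Return the reasons a grant deserves an analyst's attention ([] if none)."""
    reasons = []
    if grant.consumer_key not in approved:
        reasons.append("consumer key is not on the approved list")
    elif approved[grant.consumer_key] != grant.app_name:
        reasons.append("display name differs from the approved name for this key")
    if _DL_PATTERN.search(grant.app_name) and grant.consumer_key not in dataloader_keys:
        reasons.append("Data Loader branding on an app that is not the official Data Loader")
    age = grant.last_used - grant.created
    if grant.use_count >= BULK_CALLS and age <= BULK_WINDOW:
        reasons.append(f"{grant.use_count} calls within {age} of the grant (bulk export pattern)")
    return reasons


def triage(grants):
    """Map (user, app_name, consumer_key) of each suspicious grant to its reasons."""
    findings = {}
    for g in grants:
        reasons = review_grant(g)
        if reasons:
            findings[(g.user, g.app_name, g.consumer_key)] = reasons
    return findings


# Constructed sample records, not real data.
SAMPLE = [
    TokenGrant("Salesforce Data Loader", "3MVG9_official_dataloader", "ops@example.com",
               datetime(2025, 8, 1, 9, 0), datetime(2025, 8, 20, 17, 0), 120),
    TokenGrant("Internal CRM Sync", "3MVG9_internal_crm_sync", "svc-sync@example.com",
               datetime(2025, 6, 1), datetime(2025, 8, 28), 90000),
    # Rebranded Data Loader authorised after a vishing call, then used for a bulk pull.
    TokenGrant("My Ticket Portal", "3MVG9_unknown_app", "admin@example.com",
               datetime(2025, 8, 10, 14, 5), datetime(2025, 8, 10, 16, 40), 2400),
    # Unknown app trading on the Data Loader name.
    TokenGrant("Dataloader Helper", "3MVG9_another_unknown", "sales@example.com",
               datetime(2025, 8, 12), datetime(2025, 8, 25), 30),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE).items():
        print(key, "->", "; ".join(reasons))
```

The long-lived sync service account with a high use count is deliberately not flagged: volume alone is normal for an integration, and it is volume shortly after a fresh grant, or a grant that should not exist at all, that matches this attack.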

To make matters worse, soon after these attacks came news of a breach at Salesloft (not a good year for “Sales” apps), a sales engagement platform whose Drift app integrates with Salesforce, Gmail and other services. Attackers stole OAuth tokens issued to the third-party Salesloft Drift app and used them to gain access to Salesforce instances as well as connected Google Workspace accounts. In this case, both Salesforce and Google have since revoked the tokens, although the attack path that led to the compromise is not yet clear.

What is clear is that these attacks only scratch the surface of what is possible in our world of ever-expanding integrations. Instead of running from one fire to another, these services need to enforce secure defaults that make the life of attackers that much harder. That takes an attacker’s mindset and the understanding that if you don’t think of creative ways around your own security boundaries, other people will.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.