Anatomy of a Breach

Anatomy of a Breach: The Salesforce Ecosystem Breach — 200+ Companies Hit Through a Third-Party Integration

> series: anatomy_of_a_breach —— part: 202 —— target: salesforce_ecosystem —— companies: 200+ —— vector: salesloft_drift_integration —— label: solarwinds_moment_for_saas

Hedgehog Security 31 October 2025 14 min read

200+ companies. Through a chatbot integration. In Salesforce. The 'SolarWinds moment for SaaS.'

In late 2025, attackers exploited a vulnerability in the Salesloft Drift chatbot integration within the Salesforce ecosystem to access CRM data from over 200 companies. The breach — which involved attackers linked to the ShinyHunters group exploiting Gainsight OAuth integrations — enabled access, as Bleeping Computer reported, to customer records, sales pipelines, support tickets, internal communications, and configuration data stored in affected organisations' Salesforce instances.

The breach has been described as the 'SolarWinds moment for SaaS' — and the comparison is apt. Like SolarWinds/Sunburst (2020), the attack exploited trust in a legitimate integration to access multiple organisations simultaneously. Like MOVEit (2023), a single vendor vulnerability cascaded to affect hundreds of downstream organisations. And like Kaseya (2021), the attackers targeted the management platform itself to reach its customers. The Salesforce ecosystem breach represented a new frontier: supply chain attacks within SaaS platforms, targeting the third-party apps and integrations that extend SaaS functionality.


Your Salesforce integrations are your attack surface.

Third-Party Integrations as Attack Vectors

Modern SaaS platforms like Salesforce are extended by hundreds of third-party integrations — chatbots, analytics, enrichment tools, and automation platforms. Each integration has access to CRM data and represents a potential attack surface. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> assess SaaS integration permissions and OAuth grants.

CRM Data Is Crown Jewels

Salesforce CRM instances contain customer records, sales pipelines, pricing, contracts, support tickets, and internal communications — the operational heart of many businesses. A CRM breach exposes the organisation's entire customer relationship. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors SaaS platform access for anomalies.

'SolarWinds Moment for SaaS'

The comparison to SolarWinds reflects the paradigm-shifting nature of the breach: SaaS platforms are not just applications but ecosystems of interconnected integrations, and each integration is a potential supply chain entry point. <a href="/cyber-essentials">Cyber Essentials</a> addresses SaaS and cloud security.

200+ Companies Affected Simultaneously

A single integration vulnerability affected over 200 companies — demonstrating that SaaS ecosystem breaches can match the scale of traditional supply chain attacks. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response when SaaS platform breaches affect your organisation.

Audit your SaaS integrations. Each one is a door into your data.

The Salesforce ecosystem breach established that SaaS platform integrations are the next frontier for supply chain attacks. For UK organisations using Salesforce, HubSpot, Microsoft 365, or any SaaS platform with third-party integrations, every integration must be audited for permissions, OAuth grants, and data access scope. Cloud configuration reviews assess SaaS integration security. Cyber Essentials addresses cloud and SaaS security. SOC in a Box monitors SaaS platforms for anomalous integration activity. And UK Cyber Defence provides incident response when SaaS supply chain breaches affect your data.
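
One way to start the audit described above, as an added example that is not from the original article or from Salesforce: a Python pass over an integration inventory that flags broad scopes, long-lived access, stale grants and unapproved apps. The CSV columns, app and vendor names, the 90-day threshold and the scope policy are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed inventory. Column names are assumptions for this example,
# not a Salesforce export format; build the file from your own admin data.
INVENTORY_CSV = """app,vendor,scopes,last_used,admin_approved
Chat Widget,ExampleChat,api refresh_token,2025-10-20,yes
Data Enricher,ExampleEnrich,full refresh_token,2025-03-02,no
Report Viewer,ExampleBI,id,2025-10-28,yes
"""

# Assumed policy: which scope names count as broad or long-lived.
BROAD_SCOPES = {"full", "api"}                   # wide access to org data
LONG_LIVED = {"refresh_token", "offline_access"}  # access survives the session
STALE_DAYS = 90                                  # unused this long: candidate to revoke


def audit(csv_text, today):
    """Return {app name: [issue, ...]} for every integration with findings."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        scopes = set(row["scopes"].split())
        issues = []
        if scopes & BROAD_SCOPES:
            issues.append("broad-scope")
            # Broad access plus a refresh token means a stolen token stays useful.
            if scopes & LONG_LIVED:
                issues.append("long-lived-broad-access")
        idle = (today - date.fromisoformat(row["last_used"])).days
        if idle > STALE_DAYS:
            issues.append("stale")
        if row["admin_approved"].strip().lower() != "yes":
            issues.append("unapproved")
        if issues:
            findings[row["app"]] = issues
    return findings


if __name__ == "__main__":
    for app, issues in audit(INVENTORY_CSV, date(2025, 10, 31)).items():
        print(f"{app}: {', '.join(issues)}")
```

Integrations flagged as both stale and broad are the first candidates for revocation; the remainder should have their scopes reduced to what the integration actually uses.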


200+ companies breached through a Salesforce chatbot integration. How many integrations does your CRM have?

<a href="/penetration-testing/cloud-configuration-review">Cloud reviews</a> audit SaaS integrations. <a href="/cyber-essentials">Cyber Essentials</a> addresses SaaS security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors platform access.
