Cyberside Chats: Cybersecurity Insights from the Experts

The CRM Goldmine: Inside the Salesforce Breach Wave

June 2, 2026·16 min
Episode Description from the Publisher

It started with a phone call. No malware, no zero-day — just someone talking a Charter worker out of their login. Months later, 4.9 million customer records surfaced on a leak site, pulled from the company's Salesforce instance. The CRM has become the richest target in enterprise security. Sherri and Matt break down why, and walk through three cases: Charter, where one vished login reached everything; the Salesloft Drift and Gainsight chain, where one stolen token unlocked the next breach and the next; and the Salesforce "Aura" campaign, where misconfigured guest accounts exposed hundreds of organizations — including, ironically, identity-protection company Aura. The throughline: Salesforce wasn't breached, the tenants were — and in every case, nobody was watching the data leave.

Key Takeaways

1. Govern your CRM as carefully as your email and file storage. You already wrap M365 or Google Workspace in conditional access, audit logs, and DLP. Your CRM holds data just as sensitive — give it the same controls.
2. Lock down who can log in. Enforce phishing-resistant MFA and verify identity before granting access — almost every CRM breach this year started with one compromised or socially engineered login.
3. Least privilege limits the blast radius. One identity should never reach the entire instance, and a guest user should never touch live records. Provision for the job, not for convenience.
4. Inventory your connected apps and OAuth tokens, and revoke the ones that don't need access or can't be accounted for. Your perimeter now includes software you didn't write; a forgotten token walks straight past MFA and SSO.
5. Watch the exits, not just the entrance. Someone will always get in. Set export caps, alert on anomalous volume, and turn on the SaaS DLP you already own — almost nobody does.

Resources

1. Charter Communications data breach affects 4.9 million accounts — BleepingComputer's report on the Have I Been Pwned-verified count, including the 85,000 employee records. https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/
2. Charter confirms data breach after ShinyHunters extortion threat — The confirmation, the vishing-to-Entra-to-Salesforce attack path, and Charter's "no sensitive data" statement. https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/
3. ShinyHunters claims ongoing Salesforce Aura data theft attacks — The Experience Cloud guest-user campaign, the weaponized AuraInspector tool, and the 2,000-record bypass. https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/
4. Aura breach confirmed as over 900,000 customer records accessed — The identity-protection company caught in the Salesforce "Aura" campaign. https://www.techradar.com/pro/security/aura-breach-confirmed-as-over-900-000-customer-records-accessed-in-phishing-attack
5. Salesforce — Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access — The vendor advisory with the concrete hardening steps (guest permissions, "API Enabled," org-wide defaults). https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/
