Salesforce executives have spent much of the year insisting that a wave of data-theft attacks affecting its customers and partners was not due to any weakness in the software-as-a-service (SaaS) giant’s own security operations.
Apparently, almost two dozen plaintiffs disagree.
Salesforce reportedly is the target of at least 14 lawsuits filed in federal court in Northern California over the intrusions and the resulting data theft. According to a report in SFGate, the 14 lawsuits encompass 23 plaintiffs and hundreds of pages of legal filings.
That said, Salesforce isn’t alone. The co-defendants include several high-profile corporations that the threat groups behind the attacks targeted, among them TransUnion, Allianz Life Insurance, Farmers Insurance, Workday and Pandora Jewelry.
The news site reported that the plaintiffs, who are seeking class-action status, claim that Salesforce, which has about 150,000 customers, should have secured its platform better. The lawsuits cite the risk that the stolen information could be used for identity theft.
Salesforce executives have repeatedly argued that the attackers never breached the company’s own defenses. Instead, the hackers used social engineering (voice phishing) to get employees to authorize malicious connected apps, and later used OAuth tokens compromised at a third-party partner, to pull customer data out of Salesforce instances.
“Importantly, the Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology,” Salesforce wrote in a notice in August. “We know how disruptive and stressful these incidents can be, and our teams are fully engaged to support affected customers and help minimize any impact.”
Months earlier, the company wrote in a blog post that “cybersecurity is a shared responsibility between a provider and their customers. While Salesforce builds enterprise-grade security into every part of our platform, customers play a vital role in protecting their data — especially amid a recent rise in sophisticated social engineering and phishing attacks targeting Salesforce customers.”
Cybersecurity vendors backed up Salesforce’s claims. Earlier this month, Centraleyes, which offers a cloud-based cyber risk management platform, wrote that “this is not a case of Salesforce being hacked. Nor is it a flaw in any single product. The attackers never broke into Salesforce directly. Instead, they compromised the bridge that companies had built between Salesforce and Drift. That distinction matters because it highlights the growing risks of authorized access.”
Drift is a customer-service chatbot from Salesloft, a Salesforce partner, that integrates with Salesforce CRM. The attackers compromised the OAuth tokens that Drift’s Salesforce integration relied on and used them to pull sensitive data out of customers’ Salesforce instances.
Centraleyes wrote that the attacks show how threat actors are exploiting the way organizations wire third-party applications into their platforms, exposing a growing class of software-supply-chain risk.
“The core issue is that third-party apps like Drift are often integrated without centralized oversight,” the vendor wrote. “In large enterprises, teams across marketing, sales, support, and engineering may each authorize tools independently. These tools are often granted access to platforms such as Salesforce, Microsoft 365, or Google Workspace. Once access is granted, it is rarely reviewed.”
In one wave of attacks, the threat group UNC6040 ran a vishing (voice phishing) campaign in which callers impersonating IT support staff talked employees into authorizing a malicious connected app in their organization’s Salesforce environment.
“This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce,” Google’s Threat Intelligence Group (GTIG) wrote in June. “During a vishing call, the actor guides the victim to visit Salesforce’s connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version.”
This gave UNC6040 the ability to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.
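As an added example (not code from the article, GTIG, Centraleyes or Salesforce), here is the review both of the preceding observations point toward: a pass over a connected-app token inventory that flags apps whose branding imitates an approved app (the modified Data Loader pattern), apps nobody approved at all, tokens carrying the catch-all `full` scope, and tokens that have gone unused for months. The inventory, the allowlist and the field names are constructed for illustration; in a real org the records would come from the Salesforce connected-app and OAuth-token listing, and the approved names from your own change records.

```python
import re
from difflib import SequenceMatcher

# Display names of connected apps the organisation has actually approved.
# (Assumption: your org maintains such an allowlist; these three are illustrative.)
APPROVED_APPS = {"Data Loader", "Drift", "Slack"}

# OAuth scopes that deserve a second look. "full" grants everything the
# authorising user can do, which is exactly what a data-theft actor wants.
HIGH_RISK_SCOPES = {"full"}


def _norm(name: str) -> str:
    """Lower-case and strip punctuation/spaces so 'Data-Loader' == 'dataloader'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_of(name: str, approved=APPROVED_APPS, threshold: float = 0.8):
    """Return the approved app name that `name` imitates, or None.

    A name that exactly matches an approved entry is not a lookalike. Anything
    else whose normalised form contains, or closely resembles, an approved
    name is treated as suspicious branding.
    """
    if name in approved:
        return None
    n = _norm(name)
    for a in approved:
        an = _norm(a)
        if an in n or SequenceMatcher(None, n, an).ratio() >= threshold:
            return a
    return None


def audit_tokens(tokens, approved=APPROVED_APPS, stale_days: int = 90):
    """Review a connected-app token inventory and return a list of findings.

    Each token is a dict with keys: app, user, scopes (list), last_used_days.
    Findings are (app, user, reason) tuples; an empty list means nothing to review.
    """
    findings = []
    for t in tokens:
        app, user = t["app"], t["user"]
        imitated = lookalike_of(app, approved)
        if imitated:
            findings.append((app, user, f"name resembles approved app '{imitated}'"))
        elif app not in approved:
            findings.append((app, user, "app not on the approved list"))
        risky = HIGH_RISK_SCOPES & set(t["scopes"])
        if risky:
            findings.append((app, user, f"high-risk scope(s): {', '.join(sorted(risky))}"))
        if t["last_used_days"] > stale_days:
            findings.append((app, user, f"unused for {t['last_used_days']} days; revoke or re-approve"))
    return findings


# Constructed inventory (not real data). In practice this would come from the
# org's connected-app / OAuth token listing (assumption about the data source).
SAMPLE_TOKENS = [
    {"app": "Data Loader", "user": "ops@example.com", "scopes": ["api", "refresh_token"], "last_used_days": 3},
    {"app": "Salesforce Data Loader", "user": "sam@example.com", "scopes": ["api", "refresh_token", "full"], "last_used_days": 1},
    {"app": "Drift", "user": "integration@example.com", "scopes": ["api", "refresh_token"], "last_used_days": 0},
    {"app": "Legacy Reporting Tool", "user": "mkt@example.com", "scopes": ["api"], "last_used_days": 410},
]

if __name__ == "__main__":
    for app, user, reason in audit_tokens(SAMPLE_TOKENS):
        print(f"[REVIEW] {app!r} authorised by {user}: {reason}")
```

On the constructed inventory the legitimate Data Loader and Drift tokens pass, the "Salesforce Data Loader" token is flagged twice (branding imitates an approved app, and it carries `full`), and the reporting tool is flagged as unapproved and stale. The name check is deliberately a two-stage test: a normalised substring match catches the common "prefix the real name" trick, and the similarity ratio catches typo-squatting; both should be tuned against your own app list before you trust them.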
Later, another threat group, UNC6395, went after Salesforce customers’ instances using compromised OAuth tokens associated with Salesloft’s Drift app. Its goal, GTIG wrote last month, was to harvest credentials stored in Salesforce data, such as Amazon Web Services (AWS) access key IDs (which begin with AKIA), passwords, and Snowflake-related access tokens.
Threat researchers with Grip Security wrote that the UNC6395 campaign “wasn’t about tricking users, but exploiting the connection and permissions between applications. … That token, once issued, became a master key used to quietly unlock Salesforce data across multiple tenants. No phishing required. Just a compromised integration and an exposed token.”
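The credentials UNC6395 hunted for are also the ones defenders can hunt for first. As an added example (not code from the article or any of the vendors quoted in it), the following scanner runs the indicators the article names, AWS access key IDs starting with AKIA, password assignments and Snowflake-related values, over exported Case records and reports redacted hits. Two additions go beyond the article: the `ASIA` prefix used by temporary AWS credentials, and a check for `snowflakecomputing.com` account hostnames. The sample records are constructed; the AWS values in them are the example credentials from AWS’s own documentation, not live keys.

```python
import re
from collections import Counter

# Indicators drawn from the article's description of UNC6395: AWS access key IDs
# (AKIA...), passwords, and Snowflake-related access tokens. The ASIA prefix
# (temporary AWS credentials) and the Snowflake hostname check are additions
# beyond what the article lists.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_account_url": re.compile(r"(?i)\b[a-z0-9][a-z0-9_.-]*\.snowflakecomputing\.com\b"),
    "snowflake_token": re.compile(r"(?i)\bsnowflake[_-]?(?:token|pat)\s*[:=]\s*(\S+)"),
}


def redact(secret: str) -> str:
    """Keep a short prefix for triage and mask the rest, so the report itself
    does not become another place the credential is stored."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str):
    """Return (type, redacted_value) for every indicator found in `text`."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            # Patterns with a capture group isolate the secret; others match it whole.
            value = m.group(1) if m.groups() else m.group(0)
            hits.append((kind, redact(value)))
    return hits


def scan_cases(cases, fields=("Subject", "Description")):
    """Scan the free-text fields of exported Case records.

    Returns a list of dicts: {"case": Id, "field": name, "type": kind, "value": redacted}.
    """
    findings = []
    for case in cases:
        for field in fields:
            for kind, value in scan_text(case.get(field) or ""):
                findings.append({"case": case["Id"], "field": field, "type": kind, "value": value})
    return findings


def summarize(findings) -> Counter:
    """Count findings per indicator type."""
    return Counter(f["type"] for f in findings)


# Constructed sample export (not real records). The AWS values are the example
# credentials from AWS's own documentation.
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "S3 upload failing",
     "Description": "Config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY still 403"},
    {"Id": "5002", "Subject": "Snowflake login broken",
     "Description": "Account xy12345.us-east-1.snowflakecomputing.com, user svc_etl password: Winter2024! please fix"},
    {"Id": "5003", "Subject": "Invoice question",
     "Description": "Customer asks why invoice #4471 shows two line items."},
    {"Id": "5004", "Subject": "Portal reset",
     "Description": "Reset done, new pwd=Tr0ub4dor&3 sent to the customer by SMS."},
]

if __name__ == "__main__":
    results = scan_cases(SAMPLE_CASES)
    for f in results:
        print(f"Case {f['case']} [{f['field']}] {f['type']}: {f['value']}")
    print(dict(summarize(results)))
```

Run against the constructed export, the scanner reports five findings across three of the four cases and nothing for the clean invoice ticket. Running the same pass over your own Case, Account or custom-object exports before an incident tells you which secrets a stolen integration token would have been able to read; anything it finds should be rotated and removed from the CRM, since an attacker holding a valid OAuth token can run the equivalent query without tripping a login alert.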