Executive Summary
The breaches that shaped 2025’s SaaS security landscape
Throughout Dreamforce 2025, we listened for discussions about ShinyHunters and Salesloft/Drift. These breaches dominated security headlines and affected over 800 organizations in 2025. While Dreamforce sessions never mentioned specific incidents by name, they addressed many of the security challenges that led to the breaches.
Notably, feature announcements, warnings, and demonstrations addressed the exact attack vectors these breaches exploited.
The September 2025 Salesforce security enhancement
Tim Siepker, Sr. Success Architect at Salesforce, announced an important change: "Last month in early September, we made changes to restrict access by default for all users that are trying to self-authorize a connected app."
Consider the timeline:
- May 2025: ShinyHunters begins exploiting user self-authorization
- June-July 2025: Google, Chanel, LVMH, and Cisco confirm breaches
- August 8-18, 2025: Salesloft/Drift supply chain attack
- September 2025: Salesforce implements stronger default security settings, just weeks after the August attacks
- October 2025: Dreamforce emphasizes OAuth governance as part of a comprehensive security strategy
Salesforce’s September platform changes would have prevented 100% of the ShinyHunters fake DataLoader attacks. The speed of this implementation—from attack discovery to platform-wide change in weeks—demonstrates how seriously Salesforce takes customer security.
- Decision 1: How to thwart the attacks that affected 800+ organizations
One configuration change (already live) blocks the primary ShinyHunters attack vector. You’ll need to verify it's enabled and audit your existing OAuth exposure. Most organizations haven't done this.
- Decision 2: Whether or not to invest in the full Salesforce Shield suite
Shield is the deepest native layer of Salesforce security in 2026. It’s 30% of your total Salesforce spend, and it’s Salesforce-centric. If budget is a factor, consider leveraging Salesforce's free security tier or investing in Shield Event Monitoring at only 10% of spend. Adding Vorlon to any Shield tier will help secure your broader SaaS and AI ecosystem as part of Salesforce security.
- Decision 3: How to build an architecture that scales with SaaS and AI adoption
Security Mesh arrives in Summer 2026. Database encryption is rolling out now. Your architecture needs to accommodate what's coming while addressing what's here. SaaS-specific excellence where it exists and is affordable (Shield) and ecosystem-wide visibility and control everywhere else (Vorlon).
Chapter 1: The Attacks That Shaped Everything
ShinyHunters and the OAuth Impersonation Campaign
The elegant simplicity of the attack
May 2025. ShinyHunters (aka UNC6040) begins calling employees at major enterprises. The script is simple:
"This is IT support. We're upgrading Salesforce security. Your account will be locked if you don't update your DataLoader authorization now."
The employee clicks the link. Sees "Salesforce DataLoader" requesting access. Clicks approve. The attacker now has persistent access via the OAuth refresh token.
What made it work:
- Users could self-authorize any OAuth app (pre-September 2025)
- Malicious app reused the same client_id as a legitimate DataLoader
- No admin approval required
- No behavioral monitoring
- Refresh tokens never expire
The damage: Google. Chanel. Qantas. Allianz. LVMH. Cisco. Pandora. Over 100 enterprises compromised. Customer records, employee PII, financial data, and embedded credentials (AWS keys and database passwords) were exfiltrated.
What attackers hunted for:
ShinyHunters didn't just steal customer data. They searched Salesforce records for patterns:
- "AKIA" (AWS access keys)
- "secret"
- "password"
- "snowflake"
They were credential hunting. Using Salesforce as a launchpad to move laterally across cloud infrastructure and other SaaS applications.
Notably, detecting this attack didn't require advanced Salesforce logging. The initial OAuth compromise was visible in free-tier logs—but only for 24 hours. Organizations with continuous monitoring would have caught it regardless of their Salesforce license level.
The Salesloft/Drift supply chain nightmare
August 8, 2025. UNC6395 makes their first API call using compromised Drift OAuth tokens stolen from Salesloft's GitHub repository.
This wasn't phishing. This wasn't credential theft. This was a supply-chain compromise involving legitimate, properly authenticated OAuth tokens.
It was devastating
- Drift tokens had broad permissions across customer orgs
- Attackers accessed Salesforce, Google Workspace, and Zscaler simultaneously
- Security tools saw "normal" Drift API activity
- No single platform saw the full attack
- 700+ organizations affected in 10 days
The brutal lesson: When attackers hide behind legitimate OAuth tokens, most controls can't distinguish normal integration traffic from active compromise. With attackers growing more sophisticated every month, you must assume someone in your organization or SaaS supply chain will get phished. This is why behavioral baselines for every connected app are essential—they catch what authentication alone cannot.
The Common Thread in Salesforce and SaaS Breaches: OAuth Trust Exploitation
- They grant persistent, broad access.
- They work across multiple platforms.
- They're rarely monitored behaviorally.
- They often never expire.
- Revoking them requires manual intervention.
Both campaigns demonstrated that OAuth tokens have become a primary attack vector. Salesforce's September 2025 enhancements and Dreamforce's security focus reflect the industry's collective response to these evolving threats.
- ShinyHunters: Vorlon flags fake DataLoader within hours. Behavioral baselines catch unusual SOQL patterns (SELECT COUNT() across objects) and credential hunting searches.
- Salesloft/Drift: Behavioral anomalies trigger immediate alerts—non-Drift IPs using the Drift application. Cross-platform correlation connects Drift activity across Salesforce, Google, and Zscaler.
- Detection time: Hours, not the 204-day industry average.
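The two behavioral signals named above, as an added example (not Vorlon's implementation or code from this report): it learns each connected app's source networks from history, then flags traffic from a network the app has never used and bursts of SELECT COUNT() queries across many objects. The event fields, the IPs (documentation ranges), the /24 grouping and the thresholds are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the row-count probe the report describes: SELECT COUNT() FROM <object>
COUNT_QUERY = re.compile(r"(?i)^\s*SELECT\s+COUNT\(\s*\)\s+FROM\s+(\w+)")


def source_network(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so a vendor's
    rotating egress addresses inside one range do not each raise an alert."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def build_baseline(history):
    """Map each connected app to the set of networks it has been seen using."""
    baseline = defaultdict(set)
    for event in history:
        baseline[event["app"]].add(source_network(event["ip"]))
    return dict(baseline)


def detect(events, baseline, window=timedelta(minutes=10), max_objects=3):
    """Return alerts for new source networks and COUNT() object enumeration."""
    alerts = []
    alerted_networks = set()      # (app, network) pairs already reported
    counted = defaultdict(list)   # app -> [(timestamp, object)] for COUNT() queries
    enumerating = set()           # apps already reported for enumeration
    for event in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        app, ts = event["app"], datetime.fromisoformat(event["ts"])
        net = source_network(event["ip"])
        if net not in baseline.get(app, set()) and (app, net) not in alerted_networks:
            alerted_networks.add((app, net))
            alerts.append({"ts": event["ts"], "app": app,
                           "rule": "new_source_network", "detail": str(net)})
        match = COUNT_QUERY.match(event.get("query", ""))
        if match:
            counted[app].append((ts, match.group(1).lower()))
            # Keep only probes inside the sliding window ending at this event.
            counted[app] = [(t, o) for t, o in counted[app] if ts - t <= window]
            objects = {o for _, o in counted[app]}
            if len(objects) > max_objects and app not in enumerating:
                enumerating.add(app)
                alerts.append({"ts": event["ts"], "app": app,
                               "rule": "object_enumeration",
                               "detail": ",".join(sorted(objects))})
    return alerts


# Constructed history: normal integration traffic used to build the baseline.
HISTORY = [
    {"ts": "2025-08-01T14:00:00+00:00", "app": "Drift", "ip": "198.51.100.10"},
    {"ts": "2025-08-02T14:05:00+00:00", "app": "Drift", "ip": "198.51.100.77"},
    {"ts": "2025-08-03T09:00:00+00:00", "app": "Data Loader", "ip": "192.0.2.15"},
]

# Constructed events to evaluate against the baseline.
EVENTS = [
    {"ts": "2025-08-08T02:40:00+00:00", "app": "Drift", "ip": "198.51.100.23",
     "query": "SELECT Id, Email FROM Contact"},
    {"ts": "2025-08-08T02:47:00+00:00", "app": "Drift", "ip": "203.0.113.50",
     "query": "SELECT Id, Name FROM Account"},
    {"ts": "2025-08-08T02:49:00+00:00", "app": "Drift", "ip": "203.0.113.51",
     "query": "SELECT Id, Name FROM Opportunity"},
    {"ts": "2025-08-08T09:00:00+00:00", "app": "Data Loader", "ip": "192.0.2.15",
     "query": "SELECT COUNT() FROM Account"},
    {"ts": "2025-08-08T09:01:00+00:00", "app": "Data Loader", "ip": "192.0.2.15",
     "query": "SELECT COUNT() FROM Contact"},
    {"ts": "2025-08-08T09:02:00+00:00", "app": "Data Loader", "ip": "192.0.2.15",
     "query": "SELECT COUNT() FROM Opportunity"},
    {"ts": "2025-08-08T09:03:00+00:00", "app": "Data Loader", "ip": "192.0.2.15",
     "query": "SELECT COUNT() FROM Case"},
    {"ts": "2025-08-08T09:04:00+00:00", "app": "Data Loader", "ip": "192.0.2.15",
     "query": "SELECT COUNT() FROM User"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS, build_baseline(HISTORY)):
        print(alert)
```

Both rules fire once per app, so a sustained session produces one alert to triage rather than one per request.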
Vorlon Research analyzed three Salesforce security-focused sessions. While specific incidents weren't explicitly referenced, every topic addressed attack tactics documented by the FBI.
Session 1: "Advanced Security Methods for Admins"
Nitin Mathur, Sr. Director of Customer Success, and Tim Siepker, Sr. Success Architect, covered MFA enforcement, Connected Apps governance, and session management. Every recommendation addressed ShinyHunters’ tactics.
Tim's emphasis on MFA: "Even if your password is compromised, MFA makes that credential almost worthless." This directly counters the initial compromise vector ShinyHunters used before moving to vishing.
Nitin's four-step Connected App review process is essentially a ShinyHunters prevention checklist:
- Review OAuth Usage (find malicious apps)
- Validate Business Need (identify suspicious apps)
- Verify App Legitimacy (detect DataLoader impersonators)
- Install or Block (prevent future attacks)
His directive: "If you fail any of those checks, if you don't know why your users are connecting to an app, if you don't know who the provider was, block the app."
Session 2: "Shield Deep Dive: Data Detect and Platform Encryption"
Divya Chandrasekharan, Product Management Director, opened with the question that matters: "How can you protect sensitive data if you don't even know where it lives?"
This addresses the critical lesson from both breaches: organizations didn't know what data was exposed because they didn't know where sensitive data resided.
ShinyHunters specifically hunted for credentials embedded in Salesforce records. Salesforce Data Detect finds these patterns before attackers do.
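A defender can sweep exported record text for the four search strings listed in Chapter 1 before an attacker does. The following is an added example, not Salesforce Data Detect or Vorlon code; the record IDs, field values and regexes are constructed assumptions, and the access key shown is AWS's published documentation example.

```python
import re

# One detector per string the report lists. Each requires an attached value or a
# full token shape, because a bare keyword match on "password" would flag every
# password-reset ticket.
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_value": re.compile(r"(?i)\b[\w-]*(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "secret_value": re.compile(r"(?i)\b[\w-]*secret[\w-]*\s*[:=]\s*\S+"),
    # Snowflake account hostnames end in snowflakecomputing.com.
    "snowflake_host": re.compile(r"(?i)\b[\w-]+\.snowflakecomputing\.com\b"),
}


def redact(text, keep=4):
    """Mask all but a short prefix so the findings never re-expose the secret."""
    return text[:keep] + "*" * (len(text) - keep)


def scan_records(records, text_fields):
    """Return one finding per pattern match in the given free-text fields."""
    findings = []
    for record in records:
        for field in text_fields:
            value = record.get(field) or ""
            for name, pattern in PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append({
                        "record_id": record["Id"],
                        "field": field,
                        "pattern": name,
                        "evidence": redact(match.group(0)),
                    })
    return findings


def records_to_remediate(findings):
    """Record IDs whose embedded credentials should be rotated and scrubbed."""
    return sorted({f["record_id"] for f in findings})


# Constructed sample records (IDs and contents are not real data).
SAMPLE_RECORDS = [
    {"Id": "CASE-001", "Subject": "S3 upload failing",
     "Description": "Customer pasted keys into the ticket: AKIAIOSFODNN7EXAMPLE, please rotate."},
    {"Id": "CASE-002", "Subject": "Warehouse sync broken",
     "Description": "Nightly load to acme-xy12345.snowflakecomputing.com fails, "
                    "password = Example-Not-Real-1"},
    {"Id": "CASE-003", "Subject": "Reset my password",
     "Description": "User forgot their password and needs a reset link."},
    {"Id": "CASE-004", "Subject": "Integration setup",
     "Description": "Config used by the connector: client_secret: constructed-value-0000"},
]

if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS, ["Subject", "Description"])
    for finding in results:
        print(finding)
    print("rotate and scrub:", records_to_remediate(results))
```

CASE-003 mentions "password" twice and is not flagged, which is the difference between a keyword search and a detector that requires a value.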
Dave Hacker, Sr. Director of Product Management - Shield Platform Encryption, announced database encryption. His performance claim — 0.5% impact versus traditional 5-15% overhead — represents a significant technical achievement.
Session 3: "Security Mesh"
Director of Product Management Mark Wigham’s introduction addressed a critical need: modern enterprises require unified visibility across their highly interconnected ecosystem. We would posit that this approach needs to extend beyond the Salesforce ecosystem.
"We want to bring together those siloed alerts and siloed information into one place to give you the full picture."
The Okta partnership is particularly revealing. Orr Dermer, Product Acceleration Specialist for Okta’s Identity Security Posture Management solution, highlighted exactly how Drift persisted:
"We often see that in cases where people have a secondary account or maybe the API token, where their main account has been deleted, but this residual access remains."
Orphaned OAuth tokens that remain active after user offboarding. This is how supply chain attacks succeed.
- Salesforce's Connected Apps enhancement addresses vulnerabilities that were actively exploited in 2025.
- The technical achievement of a 0.5% performance impact for database encryption removes a significant barrier to comprehensive data protection.
- Security Mesh represents Salesforce's recognition of the need for unified visibility, providing valuable orchestration within their ecosystem while acknowledging that modern enterprises need both platform-specific depth and ecosystem-wide breadth.
- The alignment between Salesforce's new features and FBI-documented threat tactics shows how the security community—vendors, practitioners, and government—is working together to stay ahead of evolving threats.
In today's landscape, where attackers are increasingly sophisticated, the key is to have behavioral monitoring and rapid response capabilities in place to detect and contain attacks quickly.
Chapter 2: Economics and Security Architecture
The scalability problem with platform-specific tools
As you add SaaS applications (and you will—average growth is 15-20% annually), your security complexity grows exponentially:
- 250 apps today → 300 apps in 2026 → 360 apps in 2027
- Each app requires a separate security configuration
- Each app generates separate logs
- Each app needs separate monitoring
- Each app requires a separate incident response
Cost scales linearly (or worse) with each app added. Complexity scales exponentially as the number of app integrations multiplies. Your security team doesn't scale at all.
The scalability advantage of unified, ecosystem-wide SaaS and AI security
Vorlon's architecture scales differently:
- Add new SaaS app → automatically discovered and baselined
- New integration created → automatically mapped and monitored
- New AI agent deployed → automatically identified and governed
- New OAuth token issued → automatically tracked across all platforms
Vorlon helps you lower costs, reduce complexity, and increase team productivity:
- Cost scales sublinearly: adding apps increases value without a proportional increase in cost.
- Complexity is abstracted: Vorlon handles integration complexity, providing unified visibility.
- Your team's effectiveness multiplies: One console, all platforms.
The integration reality: How Vorlon works with what you already have
Organizations often ask: "We already have a SIEM, we already have Shield, we already have endpoint protection. Where does Vorlon fit?"
The answer: We make everything you already have more effective.
The integration principle: We're not replacing your security stack. We're connecting it. Your existing tools provide platform-specific depth. Vorlon provides ecosystem-wide breadth and correlation.
With your SIEM:
- We send enriched, correlated events (not raw logs)
- We provide SaaS-specific context that your SIEM lacks
- We reduce alert fatigue by pre-filtering false positives
- We enable SaaS-specific playbooks that your SOAR can execute
With Shield:
- We consume Shield Event Monitoring logs
- We add cross-platform context to Salesforce events
- We extend Shield's behavioral analytics across all apps
- We enable response beyond Salesforce's boundaries
With your identity provider (Okta, Azure AD, PingOne, etc.):
- We correlate authentication events with SaaS activity
- We identify orphaned accounts and tokens
- We track non-human identities that your IdP doesn't see
- We close the gap between authentication and authorization
Combining Salesforce Free and Shield Security Tiers with Vorlon
Salesforce offers security capabilities at every tier, from free standard logging to advanced Shield features. The critical insight from 2025's breaches: no single layer provides complete protection. Whether you're using Salesforce's free security tools or have invested in Shield, the combination with Vorlon's ecosystem-wide visibility delivers defense-in-depth that neither solution provides on its own.
The 2025 breaches revealed a critical truth: attackers succeeded not because organizations lacked Shield, but because they lacked behavioral monitoring and ecosystem-wide visibility. The ShinyHunters OAuth compromise was visible in free-tier logs for 24 hours. Organizations with automated log collection would have caught it, regardless of their Salesforce license.
This section explores how to maximize your existing Salesforce security investment at any level while extending protection across your entire SaaS and AI ecosystem.
The Hidden Value in Free Salesforce Security
Every Salesforce instance includes powerful security capabilities at no additional cost. Yet most organizations extract less than 20% of their value due to three critical challenges:
The 24-Hour Window Problem
Salesforce's free tier provides security event data, but only retains it for 24 hours. Miss that window, and the evidence vanishes forever. For security teams managing multiple platforms, manually checking Salesforce logs daily isn't realistic, especially when attacks often go undetected for weeks.
The Context Gap
Free Salesforce logs show what happened within Salesforce, but attacks rarely stop there. When an attacker compromises a Salesforce OAuth token, they don't just access your CRM data. They pivot across connected apps, spreading across your entire SaaS and AI ecosystem. Without cross-platform visibility, you're seeing one piece of a much larger attack.
The Analysis Burden
Raw security logs require expertise to interpret. Knowing that someone accessed 10,000 records is less useful than understanding whether that access pattern matches normal behavior or indicates data theft. Free tools provide data; they don't provide answers.
How Vorlon Amplifies Salesforce’s Free Security Tier
Vorlon transforms Salesforce's free security features from reactive logs into proactive defense:
Continuous Capture
Vorlon automatically collects and stores Salesforce security events before the 24-hour window expires, creating a permanent security record. This means you can investigate incidents weeks or months later, critical given that the average breach discovery time is 204 days.
Cross-Platform Correlation
When Vorlon detects unusual Salesforce activity, it immediately checks related behavior across your entire SaaS ecosystem. That suspicious API call from Salesforce to Box? Vorlon tracks whether the same identity then accessed Slack, GitHub, or your AI tools, revealing the full attack path.
Behavioral Monitoring
Vorlon learns normal access patterns across your organization. When a sales rep suddenly downloads your entire customer database at 3 AM, Vorlon alerts you not because of a rule, but because it violates established behavioral patterns. This intelligence layer turns raw logs into actionable security insights.
Real-World Example: Stopping Attacks with Free Tier + Vorlon
Consider the ShinyHunters attack pattern:
- Attacker compromises employee credentials via phishing
- Creates a rogue OAuth connection in Salesforce
- Slowly exfiltrates data to avoid detection
- Pivots to connected cloud storage for broader access
With Salesforce free tier alone, you might notice the OAuth creation if you check within 24 hours. With Vorlon + Salesforce free tier:
- Hour 1: Vorlon detects an unusual login location and flags the session
- Hour 2: New OAuth app creation triggers an immediate alert with a high risk score
- Hour 6: Abnormal data access pattern initiates automated response
- Hour 7: Connected app permissions automatically restricted pending review
- Week 2: Full forensic timeline available for analysis and further response
The attack that typically takes weeks or months to discover is contained in hours.
The Economics of Smart Security
Salesforce Free Tier + Vorlon:
- Cost: Vorlon subscription only
- Coverage: Full Salesforce monitoring + entire SaaS and AI ecosystem
- Capability: Attack surface hardening, real-time detection, behavioral monitoring, automated response
- Best for: Organizations wanting comprehensive security without Shield investment
Shield + Vorlon:
- Cost: Shield + Vorlon subscriptions
- Coverage: Deep Salesforce forensics + ecosystem-wide protection
- Capability: Advanced Salesforce features + Vorlon's correlation engine
- Best for: Enterprises requiring maximum visibility and compliance
The key insight: Vorlon makes every Salesforce security tier more effective by adding the context, automation, and ecosystem-wide visibility that native tools lack. For organizations ready to invest further in Salesforce-native security, Shield provides additional capabilities. However, as the following section explains, even Shield requires ecosystem-wide visibility to address modern threats.
Salesforce Shield: Enhanced Capabilities for Deep Investigation
For organizations that have invested in Salesforce Shield, additional powerful capabilities become available. Shield provides transaction security policies, field audit trails, and extended event monitoring that enhance enterprise security.
What you get
- Extended data retention beyond the standard 24-hour window
- Field-level audit trails for sensitive data changes
- Platform encryption for data at rest
- Transaction security policies for real-time threat response
- Enhanced event monitoring with over 50 event types
What you don’t get
- Cross-platform attack paths that extend beyond Salesforce
- AI agent activities across your SaaS ecosystem
- Behavioral anomalies that require ecosystem-wide context
- Supply chain risks from connected applications
- Data flows between Salesforce and other SaaS platforms
Maximizing Your Shield Investment with Vorlon
For organizations with Shield, adding Vorlon creates comprehensive protection:
- Shield provides: Deep Salesforce-specific forensics and compliance tools
- Vorlon adds: Ecosystem-wide visibility, behavioral monitoring, and automated cross-platform response
- Together: Complete kill chain visibility from initial compromise through lateral movement
Architectural Considerations
Modern SaaS architectures require security that matches their distributed nature. Whether using Shield or Salesforce's free tier, your security architecture should address:
Data Layer Security
Salesforce holds your CRM data, but that data flows to marketing automation, support systems, and AI tools. Security must follow the data, not just protect individual platforms.
Identity Layer Protection
Both human and non-human identities access Salesforce. Shield monitors Salesforce-specific access; Vorlon tracks those same identities across your entire ecosystem.
Integration Layer Visibility
OAuth tokens, API keys, and service accounts create pathways between Salesforce and other systems. These integration points require continuous monitoring that spans platforms.
Important note: While Shield enhances Salesforce-native capabilities, Vorlon provides substantial security value regardless of your Salesforce tier. Organizations using Salesforce's free security features gain immediate threat detection and response capabilities when adding Vorlon. The architecture that makes sense is one that leverages your existing Salesforce security investment while extending protection across your entire SaaS and AI ecosystem.
The Gaps Salesforce Can't Close
What Security Mesh doesn't solve
Security Mesh promises unified visibility within the Salesforce ecosystem. It's an important step. It's also Salesforce-centric.
Gap 1: Cross-SaaS data flows
Your Salesforce data doesn't stay in Salesforce. According to MuleSoft's 2025 Connectivity Benchmark:
- Enterprises average 1,000+ integration points
- Data replicated across 8-10 platforms
- 40% synchronized in near real-time
Security Mesh sees Salesforce → Slack. It doesn't see Slack → Google Drive → Attacker.
Gap 2: Supply chain visibility
Salesloft/Drift proved once again that SaaS vendors will get compromised and cause massive damage. Security Mesh can't tell you:
- When a vendor's GitHub is breached
- When legitimate OAuth tokens turn malicious
- When third-party apps start behaving abnormally
You need behavioral monitoring of every connected app, not just visibility into Salesforce.
Gap 3: The non-human identity explosion
For a typical enterprise with 3,000 employees:
- Human users: 3,000
- Service accounts: 900
- API keys: 1,800
- AI agents: 1,200
- OAuth tokens: 6,000+
- Total identities: 12,900
Security Mesh tracks human identities, but 77% of your identities aren't human, and they're multiplying rapidly. Also, AI agents have broad permissions, move data autonomously, and operate 24/7 without oversight. For non-human identities, traditional MFA doesn't apply.
Gap 4: Real-time cross-SaaS/platform response
When Drift was compromised, organizations needed to revoke OAuth tokens across Salesforce, Google, and Zscaler simultaneously. They needed to freeze sessions in multiple platforms, block data exfiltration mid-stream, and preserve forensic evidence everywhere.
Security Mesh helps with Salesforce. What about the other SaaS platforms?
- Cross-SaaS OAuth monitoring: Track every token across your entire SaaS and AI ecosystem. Baseline normal behavior per app, alert on anomalies, and revoke access everywhere in just a few clicks.
- Data flow visibility: Map where Salesforce data goes after it leaves Salesforce. Track replication across platforms and identify unauthorized destinations/integrations.
- SaaS supply-chain security: Continuously monitor vendors. Create behavioral baselines for every connected app, detect when third-party apps are compromised, and automate response when vendors are breached.
- Ecosystem-wide unified incident response: Visualize all critical apps and integrations in a single console. Run automated playbooks such as cross-SaaS session termination. Preserve forensic evidence.
How Vorlon’s unified SaaS and AI security platform would have stopped the Salesloft/Drift breach
August 8, 2025, 2:47 AM: Drift token makes first API call from new IP (Tor exit node). Behavioral baseline detects an anomaly. Alert sent.
3:15 AM: Security team reviews alert. Sees Drift accessing Salesforce, Google Workspace, and Zscaler. Confirms abnormal behavior.
3:18 AM: Security team revokes Drift OAuth tokens across all platforms in just a few clicks. Active sessions terminated. Forensic logs preserved.
Result: Breach contained in 31 minutes, not 10 days. Data exfiltration prevented.
This is what ecosystem-wide security delivers. Vorlon would have immediately seen the behavioral change, correlated activity across platforms, and enabled instant response everywhere simultaneously.
Chapter 3: Your Strategic Roadmap for Leveling Up Your SaaS and AI Security
The 90-Day Transformation
Phase 1: Foundation (Weeks 1-4)
Week 1: Enable Salesforce free fundamentals
- Force MFA universally (no exceptions)
- Verify September 2025 Connected Apps restrictions are active
- Run Security Health Check (target: 90%+ score)
- Restrict IP ranges to corporate networks
Week 2: OAuth audit
- Export all Connected Apps
- Document the business owner and the justification for each
- Revoke apps that have been inactive for 90+ days, have no clear owner, or have excessive permissions
- Create a quarterly review schedule
Week 3: Data classification
- Identify the top-20 sensitive objects
- Use the free Object Manager classification
- Document where sensitive data flows
- Plan Shield deployment if needed
Week 4: Incident response prep
- Document OAuth token revocation procedures
- Test session freeze capabilities
- Create communication templates
- Establish out-of-band communication channels
Outcome: Free security controls deployed, current risks documented, team aligned.
Phase 2: Enhanced Security (Weeks 5-8)
Week 5: Deploy Shield Event Monitoring. Configure event types, establish behavioral baselines, and, if applicable, integrate with the existing security and ITSM stack.
Week 6: Evaluate SaaS and AI ecosystem security platform. Review Vorlon capabilities, customer references, and ROI calculation. Get budget approval.
Week 7: Deploy Vorlon. Discover all critical SaaS and AI applications and integrations. Connect Shield Event Monitoring. Establish behavioral baselines.
Week 8: Integration and testing. Verify Shield events flowing to Vorlon. Test cross-SaaS correlation. Test OAuth token revocation across SaaS platforms. Update incident response playbooks.
Outcome: Comprehensive visibility across the entire SaaS and AI ecosystem, detection capabilities operational, and response procedures tested.
Phase 3: Optimization (Weeks 9-12)
Week 9: Detection optimization. Review alerts, adjust thresholds, identify coverage gaps, and refine baselines.
Week 10: Response automation. Automate playbooks (suspicious OAuth app, mass data export). Test automated response. Monitor effectiveness.
Week 11: Governance establishment. Document policies, define review schedules, assign ownership, and map controls to compliance requirements.
Week 12: Continuous improvement. Conduct retrospective, analyze metrics (MTTD, MTTR), and plan Security Mesh evaluation (viable for enterprises with large Salesforce security budgets).
Outcome: Optimized detection and response, governance established, and a continuous improvement framework in place.
Phase 4: Accelerating AI agent proliferation
AI agents multiply faster than human users. They have broad permissions, operate autonomously, and don't fall under traditional security controls.
What you need
- Non-human identity discovery (know what you have)
- Behavioral monitoring (know what's normal)
- Automated governance (enforce least privilege)
- Real-time response (stop rogue agents fast)
This is where unified SaaS and AI ecosystem security provides value that Salesforce can't. Vorlon sees AI agents across all your critical apps and integrations, not just Salesforce.
- Security posture: Security Health Check score 95%+, OAuth apps 100% under management, top-20 objects classified.
- Detection effectiveness: Mean time to detect >1 hour, false positive rate >10%, coverage 100% of critical SaaS apps.
- Response capability: Mean time to respond >15 minutes, automated response rate 80%+, cross-platform containment for all critical apps.
- Business impact: Incidents prevented, breach risk reduction 70%+, and compliance audit readiness.
The 90-day transformation isn't about perfection. It's about momentum. Week 1 gives immediate risk reduction. Week 8 gives comprehensive visibility. Week 12 and forward provide continuous improvement.
Conclusion: Your Next Move
Salesforce Shield and Vorlon are complementary layers of defense
Shield provides unmatched depth within Salesforce. Vorlon provides unmatched breadth across your SaaS and AI ecosystem. You need both because modern attacks exploit the gaps between platforms.
Platform-specific security (Shield):
- Depth: Exceptional within Salesforce (transaction blocking, comprehensive audit)
- Breadth: Limited to Salesforce boundaries
- Context: Salesforce-only activity patterns
- Response: Salesforce-only controls (freeze user, block transaction, revoke session)
SaaS and AI ecosystem security (Vorlon):
- Depth: Behavioral analysis across all platforms (baselines, anomaly detection, correlation)
- Breadth: All connected SaaS applications in your environment
- Context: Cross-platform activity correlation (sees the whole attack chain)
- Response: Unified containment everywhere (revoke OAuth tokens across all platforms simultaneously)
The choice is clear
ShinyHunters and Salesloft/Drift proved that individual SaaS-specific security isn't enough. They exploited the security gaps between SaaS apps, the trust in OAuth tokens, and the lack of behavioral monitoring.
Salesforce responded with the September 2025 Connected Apps change and Security Mesh. Important steps. They address part of the problem.
But only part.
You need three things:
- SaaS-specific controls where excellent
Shield for Salesforce offers capabilities you can't get anywhere else. Transaction monitoring, comprehensive audit trails. Excellence worth paying for.
- Ecosystem-wide visibility everywhere
Vorlon for your other critical SaaS apps provides Shield-like protection at a fraction of the cost. OAuth monitoring, data flow tracking, non-human identity discovery, and supply chain security.
- The ability to act instantly
Automated response across all platforms. Revoke tokens in just a few clicks. Cross-SaaS session termination. Forensic evidence preservation everywhere.
The bottom line
Attackers aren't waiting. ShinyHunters compromised 100+ enterprises in weeks. Salesloft/Drift affected 700+ organizations in 10 days. The question isn't whether you need ecosystem-wide SaaS and AI security. The question is whether you'll implement it before attackers find the gaps you've left open.
See how Vorlon complements your Salesforce security investments.
We'll show you your current OAuth exposure across all platforms, hidden non-human identities in your environment, how we would have detected ShinyHunters and Salesloft/Drift in your org, and rapid containment capabilities.
About the authors
Adam Burt, Head of Research
Adam Burt is the Head of Research at Vorlon, a cybersecurity company that helps enterprises secure sensitive data across their SaaS and AI ecosystem. Adam brings over 24 years of experience in cybersecurity across malware analysis, digital forensics, reverse engineering, and security architecture. Before joining Vorlon, he led a team of Solution Architects at Palo Alto Networks, focusing on security and automation. Adam has held technical and leadership roles at companies like Symantec, Fidelis Cybersecurity, and NTT, working across industries to help organizations strengthen their security posture. He holds multiple certifications, including CISSP, GCFE, CSTP, and CCSK, and has contributed to research on network vulnerabilities, malware obfuscation, and threat detection associated with some of the largest data breaches.
Elias Terman, VP of Marketing
Elias Terman is VP of Marketing at Vorlon, a cybersecurity company that helps enterprises secure sensitive data across their SaaS and AI ecosystem. Elias has fifteen years of experience leading marketing teams at cybersecurity startups. Before Vorlon, he was CMO-in-Residence at YL Ventures, helping the firm’s portfolio companies accelerate revenue growth. As CMO at Uptycs, he drove the company’s market transition from an endpoint detection and response company to a hybrid cloud security vendor. He was Orca Security’s first marketing hire, leading the company’s marketing efforts from its seed stage through its emergence as a unicorn cloud security leader. Before Orca, Elias ran marketing at Integris Software, a data discovery and privacy automation firm acquired by OneTrust. At Distil Networks, he drove the creation of the Bot Mitigation category, which led to its acquisition by Imperva. He also built out the marketing and business development teams at OneLogin, an Identity and Access Management pioneer.



