Farmers Insurance Breach: A New Chapter in Salesforce-Targeted Attacks

Earlier this month, we wrote about the Salesloft Drift exposure, where attackers exploited OAuth tokens and integrations to gain unauthorized access to Salesforce environments. That incident was an early warning of a broader campaign. Now, with Farmers Insurance disclosing a breach affecting more than 1.1 million customers, it is clear these attacks are escalating, and the pattern continues to show that enterprises must treat third-party integrations as part of their own attack surface.

What Do We Know Happened

The breach at Farmers Insurance was not a direct compromise of its core infrastructure. Instead, attackers infiltrated a third-party vendor’s Salesforce environment, exfiltrating sensitive customer data. Farmers confirmed the exposure impacted over 1,071,000 customers, with additional records from Farmers New World Life Insurance Company also affected.

The stolen data included personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers, and financial account details. For life insurance policyholders, the breach extended to health information, prescriptions, usernames, and security questions.

As in the Salesloft Drift incident, the entry point was an OAuth integration rather than a stolen password. Here, attackers used social engineering - specifically voice phishing (vishing) - to talk employees into authorizing a malicious connected app in Salesforce. Once the app was linked, its OAuth token carried the broad API access of the user who approved it, and attackers used that legitimate-looking access to exfiltrate sensitive records.

Timeline of Events

  • At Farmers Insurance, attackers gained access on May 29, 2025, but customers were not notified until August 22, 2025.

  • That is 85 days between initial intrusion and customer notification.

  • During that window, attackers had already mapped the environment, exfiltrated sensitive data, and created a large blast radius of potential exposure.

This timeline is not unique. It reflects the reality of modern SaaS environments:

  • It takes time to determine what data was accessed across integrated systems.

  • Third-party vendors complicate response, as investigations require coordination across multiple organizations.

  • Visibility gaps delay answers to critical questions: What data was touched? Who had access? How far did it spread?

Impact and Consequences

The scale of this breach is significant:

  • Over 1.1 million individuals impacted, including sensitive financial and health-related data.

  • Heightened risk of identity theft and fraud due to exposed PII, Social Security numbers, and financial details.

  • Legal action and investigations underway, with multiple law firms preparing potential class-action suits.

  • Erosion of trust and compliance challenges, even though the compromise originated with a vendor, not Farmers itself.

Just as importantly, this incident confirms that the Salesloft Drift compromise was not an isolated event but part of a coordinated campaign targeting Salesforce users across industries.

What Organizations Can Learn

These two incidents - Salesloft Drift and Farmers Insurance - taken together, highlight several lessons for organizations:

  1. Third parties expand your attack surface – Security responsibility doesn’t stop at your own environment. Vendor risk is business risk.

  2. Social engineering bypasses controls – Attackers don’t always break in; sometimes they convince employees to let them in.

  3. OAuth integrations need ongoing oversight – Once connected, a malicious app operates invisibly with legitimate permissions, and nothing about its API traffic looks like a break-in.

  4. Data minimization reduces exposure – Sensitive information like credentials, secrets, or health data should never be stored in CRM systems where attackers can access them.

What Companies Should Do

To reduce exposure to these evolving threats, organizations should:

  • Audit Salesforce integrations regularly and remove unused or suspicious apps.

  • Train employees against vishing and app authorization scams, not just phishing emails.

  • Enforce least privilege access to ensure sensitive data isn’t overshared.

  • Work closely with vendors to confirm they uphold leading security practices, including how they review and revoke the OAuth apps connected to their own Salesforce orgs.

  • Continuously monitor data flows across Salesforce and connected systems to catch risks early.
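One way to make the first item above concrete, as an added example that is not from the original post and not Cyera's product code: a small Python script that pulls an org's OAuth tokens through the Salesforce REST API and flags the ones worth a human look. The OauthToken object and its AppName, UserId, CreatedDate, LastUsedDate and UseCount fields are the SOQL-queryable fields as I know them (verify the list against your org's API version); the approved-app allowlist, the thresholds and the sample records are constructed assumptions for illustration.

```python
"""Audit Salesforce OAuth tokens for connected apps that were never reviewed,
were authorized recently yet are already hammering the API, or are stale.

Hypothetical helper, not Cyera's product code. Assumes the SOQL-queryable
OauthToken object exposes AppName, UserId, CreatedDate, LastUsedDate and
UseCount (verify the field list against your org's API version).
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Hypothetical allowlist: apps your security team has actually reviewed.
APPROVED_APPS = {"Salesforce for iOS", "Slack", "Salesforce Data Loader"}

OAUTH_TOKEN_SOQL = (
    "SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount FROM OauthToken"
)


def fetch_oauth_tokens(instance_url, access_token, api_version="v60.0"):
    """Run the SOQL query through the REST API, following nextRecordsUrl pages.
    Needs network access and a session permitted to read OauthToken."""
    url = (f"{instance_url}/services/data/{api_version}/query"
           f"?q={urllib.parse.quote(OAUTH_TOKEN_SOQL)}")
    records = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        records.extend(page["records"])
        nxt = page.get("nextRecordsUrl")
        url = f"{instance_url}{nxt}" if nxt else None
    return records


def parse_sf_datetime(value):
    """Salesforce timestamps look like 2025-05-29T14:03:11.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def triage_tokens(records, now, approved=APPROVED_APPS,
                  new_window_days=30, heavy_use=1000, stale_days=90):
    """Return one finding per token that deserves review.

    Thresholds are illustrative. The pattern that matters for this campaign is
    a token that appeared days ago and already has a very high UseCount: a
    freshly vished-in app pulling records in bulk under a real user's access.
    """
    findings = []
    for r in records:
        reasons = []
        created = parse_sf_datetime(r["CreatedDate"])
        last_used = parse_sf_datetime(r["LastUsedDate"]) if r.get("LastUsedDate") else None
        if r["AppName"] not in approved:
            reasons.append("app not on approved list")
        if now - created <= timedelta(days=new_window_days) and r["UseCount"] >= heavy_use:
            reasons.append("recently authorized but heavily used")
        if last_used is None or now - last_used >= timedelta(days=stale_days):
            reasons.append("stale token")
        if reasons:
            findings.append({"id": r["Id"], "app": r["AppName"],
                             "user": r["UserId"], "reasons": reasons})
    return findings


# Constructed sample records in the shape the query endpoint returns (not real data).
SAMPLE_TOKENS = [
    {"Id": "0CH000000000001", "AppName": "Salesforce for iOS", "UserId": "005000000000AAA",
     "CreatedDate": "2025-01-10T09:00:00.000+0000",
     "LastUsedDate": "2025-06-04T08:12:00.000+0000", "UseCount": 40},
    {"Id": "0CH000000000002", "AppName": "My Ticket Portal", "UserId": "005000000000BBB",
     "CreatedDate": "2025-05-29T14:03:11.000+0000",
     "LastUsedDate": "2025-06-02T23:40:00.000+0000", "UseCount": 2400},
    {"Id": "0CH000000000003", "AppName": "Slack", "UserId": "005000000000CCC",
     "CreatedDate": "2024-11-01T10:00:00.000+0000",
     "LastUsedDate": None, "UseCount": 0},
]

# Fixed reference time so the sample triage is reproducible.
REFERENCE_NOW = datetime(2025, 6, 5, tzinfo=timezone.utc)


def demo_findings():
    """Triage the constructed sample at the fixed reference time."""
    return triage_tokens(SAMPLE_TOKENS, REFERENCE_NOW)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['id']} {f['app']!r} user={f['user']}: {', '.join(f['reasons'])}")
```

Against a live org, call fetch_oauth_tokens with the instance URL and a session token, pass the records to triage_tokens with datetime.now(timezone.utc), and review anything flagged under Setup, Connected Apps OAuth Usage, where individual user tokens can be revoked and the app itself can be blocked. Run it on a schedule; a token that scores "recently authorized but heavily used" is the signal you want the same day, not at the next quarterly review.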

How Cyera Can Help

Cyera helps organizations take these best practices from principle to practice by providing visibility into sensitive data stored in Salesforce environments. Specifically, Cyera can:

  • Identify secrets and credentials that should not be stored in Salesforce records.

  • Map who and what integrations have access to sensitive data, surfacing over-permissive risks.

  • Highlight unnecessary data exposure across users, groups, and third-party apps.

  • Inform proactive remediation, so security teams can remove sensitive data from risky locations and reduce attackers’ leverage.

Cyera does not replace identity or integration controls, but it complements them with data-centric visibility. That means if a vendor or integration is compromised, organizations have already reduced the sensitive data at risk and are equipped to respond more effectively.

Conclusion

The Farmers Insurance breach illustrates that the Salesloft Drift exposure was just the beginning. We are now witnessing a pivot from traditional credential compromise to an ongoing campaign where attackers exploit integrations and human trust to target Salesforce environments across industries.

The lesson for enterprises is clear: SaaS platforms and their integrations demand the same level of scrutiny as core infrastructure. By combining visibility into sensitive data with strong identity and vendor management, organizations can limit exposure and strengthen their resilience against this growing class of threats.

Cyera Research Labs will continue tracking this campaign as it evolves, connecting the dots across incidents so that security teams can stay informed - and better prepared.
