Cyberside Chats: Cybersecurity Insights from the Experts

The CRM Goldmine: Inside the Salesforce Breach Wave


Listen Later

It started with a phone call. No malware, no zero-day — just someone talking a Charter worker out of their login. Months later, 4.9 million customer records surfaced on a leak site, pulled from the company's Salesforce instance.

The CRM has become the richest target in enterprise security. Sherri and Matt break down why, and walk through three cases: Charter, where one vished login reached everything; the Salesloft Drift and Gainsight chain, where one stolen token unlocked the next breach and the next; and the Salesforce "Aura" campaign, where misconfigured guest accounts exposed hundreds of organizations — including, ironically, identity-protection company Aura. The throughline: Salesforce wasn't breached, the tenants were — and in every case, nobody was watching the data leave.

 

Key Takeaways

1. Govern your CRM as carefully as your email and file storage. You already wrap M365 or Google Workspace in conditional access, audit logs, and DLP. Your CRM holds data just as sensitive — give it the same controls.

2. Lock down who can log in. Enforce phishing-resistant MFA and verify identity before granting access — almost every CRM breach this year started with one compromised or socially-engineered login.

3. Least privilege limits the blast radius. One identity should never reach the entire instance, and a guest user should never touch live records. Provision for the job, not for convenience.

4. Inventory your connected apps and OAuth tokens, and revoke the ones that don't need access or can't be accounted for. Your perimeter now includes software you didn't write; a forgotten token walks straight past MFA and SSO.

5. Watch the exits, not just the entrance. Someone will always get in. Set export caps, alert on anomalous volume, and turn on the SaaS DLP you already own — almost nobody does.

 

Resources

1. Charter Communications data breach affects 4.9 million accounts — BleepingComputer's report on the Have I Been Pwned-verified count, including the 85,000 employee records. https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/

2. Charter confirms data breach after ShinyHunters extortion threat — The confirmation, the vishing-to-Entra-to-Salesforce attack path, and Charter's "no sensitive data" statement. https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/

3. ShinyHunters claims ongoing Salesforce Aura data theft attacks — The Experience Cloud guest-user campaign, the weaponized AuraInspector tool, and the 2,000-record bypass. https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/

4. Aura breach confirmed as over 900,000 customer records accessed — The identity-protection company caught in the Salesforce "Aura" campaign. https://www.techradar.com/pro/security/aura-breach-confirmed-as-over-900-000-customer-records-accessed-in-phishing-attack

5. Salesforce — Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access — The vendor advisory with the concrete hardening steps (guest permissions, "API Enabled," org-wide defaults). https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/

 

...more
View all episodesView all episodes
Download on the App Store

Cyberside Chats: Cybersecurity Insights from the ExpertsBy Chatcyberside

  • 5
  • 5
  • 5
  • 5
  • 5

5

2 ratings


More shows like Cyberside Chats: Cybersecurity Insights from the Experts

View all
No Agenda Show by Adam Curry & John C. Dvorak

No Agenda Show

5,918 Listeners

Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec by Jerry Bell and Andrew Kalat

Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec

369 Listeners

The DSR Network by The DSR Network

The DSR Network

1,795 Listeners

Conspirituality by Derek Beres, Matthew Remski, Julian Walker

Conspirituality

2,068 Listeners

Omnishambles by Virginia Heffernan and Cy Canterel

Omnishambles

64 Listeners