
The Risk Has Shifted – Has Your Strategy? Veeam VDC for Salesforce

  • May 15, 2026

SSimpson

I have recently noticed a trend with a few of the service providers that I support. I am having a lot more conversations around Veeam Data Cloud Backup for Salesforce. And it’s not just conversations; it’s demos and POCs that are turning into closed opportunities.

I started to do some research on the uptick of attacks against Salesforce. I found that large-scale campaigns over the past 12–18 months have been accelerating, as reported by SecurityWeek. While Salesforce itself is highly secure from a platform standpoint, attackers are no longer trying to come in through the front door.

This got me thinking, and I asked myself: why is Salesforce an attractive target for bad actors?

Salesforce contains high-value CRM data such as customer data, deals, and PII (names, emails, phone numbers), revenue data (opportunities, pipeline, contracts), business relationships (accounts, contacts, partners), and integrated credentials (API keys, tokens, cloud access), and it is highly connected via APIs and third-party apps. It also often has broad user permissions and OAuth tokens.

Salesforce is no longer a secondary target—it’s now part of ongoing, organized cybercrime campaigns.

The data shows a clear trend, and these attacks are increasing. Some examples:

Recent incidents across 2025 and into 2026 show a pattern that’s hard to ignore:

High-profile organizations (Qantas, Google, Cisco, Workday, and others) have all been impacted through Salesforce-connected environments.

In one campaign, attackers didn’t just steal CRM data—they also extracted:

  • AWS credentials
  • Snowflake access
  • Other cloud secrets embedded in Salesforce records

This turns a Salesforce breach into a multi-platform compromise.

Even more telling: these incidents are not isolated. They are part of a coordinated and evolving attack pattern targeting SaaS ecosystems at scale.

If you think about the risk within a Salesforce environment, it is not the platform itself—it’s the ecosystem around it. When we look at real-world incidents, all the breaches have stemmed from things outside of the Salesforce infrastructure. The bad actors are using phishing and other forms of social engineering, leveraging compromised OAuth tokens to gain persistent access, and taking advantage of trusted third-party applications and integrations that often use broad permissions.

Just last week, I received an authentication code for my work email for Salesforce that I did not request. Keep this in mind: the attack surface is not Salesforce itself—it’s everything connected to it.

The biggest misconception is that Salesforce itself is being “hacked.” But the truth is that almost every breach shares the same root cause.

Breaches are typically caused by:

  • Phishing / social engineering
  • Compromised OAuth tokens
  • Third-party apps / integrations
  • Misconfigurations

Compromised OAuth Tokens: Bad actors are stealing OAuth tokens from trusted integrations, allowing them to bypass MFA entirely, maintain persistent access, and operate as a trusted application.

Modern Salesforce applications rely heavily on third-party applications such as AppExchange apps, custom integrations, and API-connected services. Each one introduces a new risk.

In other situations, the actors used social engineering and misconfigurations such as phishing campaigns, fake versions of real tools, and misconfigured public-facing Salesforce components.

Did you know that it takes an organization 194 days to identify a breach?

This means that the data has most likely already been exfiltrated and ransomware demands may have already started before you even know your data is compromised.

Just like other SaaS models, Salesforce has a shared responsibility model. When you combine this with API-based access, third-party integrations, and human error, you are at real risk of permanent data loss or even extortion exposure.

The takeaway is clear: you cannot rely on Salesforce native security by itself to protect your data. Salesforce protects the platform. You are responsible for your data and the integration points. And the bad actors know exactly where this gap is and exploit it.

At this point, backup and recovery of your Salesforce data is no longer optional—it’s critical.

Native Salesforce recovery is not enough. Point-in-time recovery, rapid restoration after data deletion or corruption, and protection against malicious data exfiltration are all essential. If these bad actors delete your data, encrypt it, or manipulate it, you will need a clean, isolated copy to recover from.

Now that you have had a chance to digest why it’s important to have a backup of your Salesforce data, let’s talk about Veeam Data Cloud Backup for Salesforce.

VDC for Salesforce is a purpose-built solution. It’s a modern backup and recovery platform for Salesforce.

It provides immutable backups (protecting against tampering and deletion), granular recovery (restoring individual records, objects, or entire orgs), independent storage (separate from Salesforce and its integrations), and fast recovery at scale to minimize business impact.

Veeam Data Cloud for Salesforce is designed specifically for this new threat model—where the risk isn’t just downtime, but data integrity and exposure.

 

The Risk Has Shifted – Has Your Strategy?

Remember, the biggest risk today is not Salesforce itself—it’s everything connected to it.

The bad guys have figured out:

  • It’s easier to compromise trust than break security
  • It’s more profitable to steal data than encrypt it
  • SaaS ecosystems offer exponential scale

The organizations that adapt will treat Salesforce data like any other critical workload:

Protected, backed up, and recoverable—no matter what happens in the ecosystem around it.

https://helpcenter.veeam.com/docs/vdc/userguide/sf_backup.html

 

3 comments

Jean.peres.bkp

This is precisely the point that many people still haven't understood: the risk is not in the platform itself, but in the ecosystem and the trust between integrations.

Congratulations on the post 👏


Chris.Childerhose

Great to see your post here, Sean. I read this on LinkedIn and it is great. Worth the read, folks.

eblack
  • Influencer
  • May 15, 2026

100%, we are looking to productize soon. VDC is leaps and bounds ahead of prior offerings for SF.