Anatomy of a Salesforce Data Breach: Stopping User Impersonation

How a bad actor systematically impersonates users to exfiltrate millions of Salesforce records.
Last updated August 27, 2025

A bad actor impersonating users is incredibly difficult to detect in Salesforce. Once a bad actor gains legitimate credentials, they can impersonate admins, access sensitive data, and exfiltrate it — often without raising alarms. 

By switching between user identities, attackers can blend into the noise of large organizations. With complex hierarchies of profiles, permission sets, roles, and system permissions, these attacks are hard to pinpoint and prevent in Salesforce. 

In this article, we’ll break down a real-world impersonation attack that led to the exfiltration of millions of records and how you can prevent user impersonation attacks. 

Anatomy of the breach 

A large multinational organization approached us after discovering that millions of records had been exfiltrated from their Salesforce CRM. After an in-depth investigation, we determined how the bad actor managed to get away unnoticed. 

Here’s how the breach unfolded: 

  • A former employee, familiar with the organization’s Salesforce environment, convinced the help desk to reset their password. 
  • Once the password was reset, they unfroze their account, regaining all of its previous permissions. They then escalated their permissions to super admin. 
  • Once they had super admin privileges, they began systematically impersonating users and searching for sensitive data. 
  • At a glance, these sessions looked like routine IT support activity, but their frequency and timing raised red flags during our risk assessment. 
  • Finally, the attacker used an unsecured third-party app to exfiltrate millions of records undetected. 
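The "frequency and timing" signal above is something a defender can compute directly from the Setup Audit Trail. The following is an added example, not code from the original article or from Varonis: it parses constructed rows shaped like Salesforce SetupAuditTrail records and reports, per admin, the peak number of distinct users impersonated inside a one-hour window and how many sessions fell outside business hours. The Action value "suOrgAdminLogin" and the "Logged in using Login-As access for user ..." wording are assumptions about how Salesforce records Login-As events; confirm them against your own org's audit trail before deploying the parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of Salesforce SetupAuditTrail records
# (CreatedDate, CreatedById, Action, Display). Ids and usernames are placeholders.
AUDIT_ROWS = [
    # a normal help-desk admin: two Login-As sessions, days apart, business hours
    {"CreatedDate": "2025-08-04T10:12:00.000+0000", "CreatedById": "005HELPDESK01",
     "Action": "suOrgAdminLogin",
     "Display": "Logged in using Login-As access for user a.lee@example.com"},
    {"CreatedDate": "2025-08-06T15:40:00.000+0000", "CreatedById": "005HELPDESK01",
     "Action": "suOrgAdminLogin",
     "Display": "Logged in using Login-As access for user b.ng@example.com"},
    # an unrelated setup change that the parser must ignore
    {"CreatedDate": "2025-08-06T16:00:00.000+0000", "CreatedById": "005HELPDESK01",
     "Action": "changedPassword",
     "Display": "Changed password for user c.ray@example.com"},
]
# a reactivated account impersonating seven different users within 30 minutes at 02:00
AUDIT_ROWS += [
    {"CreatedDate": f"2025-08-09T02:{5 * i:02d}:00.000+0000", "CreatedById": "005REACTIVATED",
     "Action": "suOrgAdminLogin",
     "Display": f"Logged in using Login-As access for user victim{i}@example.com"}
    for i in range(7)
]

# Assumed Display wording for a Login-As event (verify against your audit trail).
LOGIN_AS_RE = re.compile(r"Login-As access for user (\S+)")


def parse_login_as(rows):
    """Yield (timestamp, admin_id, target_username) for Login-As rows only."""
    for row in rows:
        match = LOGIN_AS_RE.search(row.get("Display", ""))
        if row.get("Action") != "suOrgAdminLogin" or not match:
            continue
        # CreatedDate as returned by the REST API, e.g. 2025-08-09T02:00:00.000+0000
        ts = datetime.strptime(row["CreatedDate"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield ts, row["CreatedById"], match.group(1)


def login_as_profile(rows, window=timedelta(hours=1), business_hours=(8, 18)):
    """Per admin: peak distinct users impersonated inside `window`, off-hours
    session count, and total Login-As sessions."""
    per_admin = defaultdict(list)
    for ts, admin, target in parse_login_as(rows):
        per_admin[admin].append((ts, target))

    profile = {}
    for admin, events in per_admin.items():
        events.sort()
        peak, start = 0, 0
        # sliding window over the time-sorted events of this admin
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({t for _, t in events[start:end + 1]}))
        off_hours = sum(
            1 for ts, _ in events if not business_hours[0] <= ts.hour < business_hours[1]
        )
        profile[admin] = {
            "peak_distinct_targets": peak,
            "off_hours_sessions": off_hours,
            "total_sessions": len(events),
        }
    return profile


def flag_suspicious(rows, burst_threshold=5, **kwargs):
    """Admins whose peak impersonation burst reaches the threshold."""
    return {
        admin: stats
        for admin, stats in login_as_profile(rows, **kwargs).items()
        if stats["peak_distinct_targets"] >= burst_threshold
    }


if __name__ == "__main__":
    for admin, stats in flag_suspicious(AUDIT_ROWS).items():
        print(admin, stats)
```

The burst threshold and business-hours window are tuning knobs: a help desk that legitimately logs in as many users per hour needs a higher threshold, so baseline each admin's normal rate before alerting on it.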

Diagnosing Salesforce data risk 

With more than a million users, this environment was inherently difficult to manage, but several avoidable risks contributed to the data breach.  

Here’s what we uncovered: 

1. Frozen accounts with admin rights

The organization had more than 600 super admin accounts, many of which were frozen. Yet those frozen accounts still retained full permissions. In Salesforce, freezing an account doesn’t remove its permissions. If reactivated, the account regains all prior access. 

This creates a significant risk. Threat actors like Scattered Spider use social engineering to convince help desks to reset passwords and MFA, reactivating frozen accounts with intact privileges. 

2. Stale app assignments

The organization had dozens of stale app assignments. Such assignments often retain OAuth tokens and permissions long after the app has fallen out of use, creating a backdoor for attackers or malicious insiders to access and exfiltrate sensitive data. 

3. Production data in a sandbox environment

Perhaps the most alarming issue is that this organization’s production data was being synced with a massive sandbox environment. Sandboxes typically lack the strict controls of production environments, creating a dangerous mix of sensitive data and weaker access controls. 


How to prevent user impersonation in Salesforce 

While user impersonation is difficult to spot, this breach was preventable. Here’s how to close the gaps: 

Remove unused permissions 

Audit and eliminate permissions that are no longer needed. When freezing an account, remove its permissions to reduce the attack surface and simplify audits. Regular reviews help enforce least privilege. 

Revoke stale app assignments 

Audit third-party app access and remove assignments that are no longer relevant. This eliminates unnecessary exposure and reduces the risk of data exfiltration through forgotten integrations. 

Separate production and sandbox data 

Best practice is not to sync production data into sandbox environments. Keep environments isolated to prevent accidental exposure and maintain stronger access controls. 
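The two audit findings above (frozen accounts with admin rights, stale app assignments) and the first two remediation steps (remove unused permissions, revoke stale app assignments) can be checked with the same logic, so here is one added example that serves both; it is not code from the original article or from Varonis. It runs over constructed records shaped like the Salesforce User, UserLogin, Profile, PermissionSet, PermissionSetAssignment and OauthToken objects (placeholder Ids, treating PermissionsModifyAllData and PermissionsManageUsers as the admin-level permissions of interest), lists frozen accounts that would come back with admin rights if unfrozen and where those rights come from, flags OAuth tokens that are idle or owned by frozen users, and turns both into a remediation plan. In a real org you would populate these structures from SOQL queries against those objects.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data in the shape of the Salesforce objects named in the
# comments. All Ids, names and dates are placeholders, not real org data.
PROFILES = {  # Profile
    "00eSYSADMIN": {"Name": "System Administrator",
                    "PermissionsModifyAllData": True, "PermissionsManageUsers": True},
    "00eSTANDARD": {"Name": "Standard User",
                    "PermissionsModifyAllData": False, "PermissionsManageUsers": False},
}
PERMISSION_SETS = {  # PermissionSet
    "0PSDATAEXPORT": {"Name": "Data_Export_All",
                      "PermissionsModifyAllData": True, "PermissionsManageUsers": False},
    "0PSREPORTS": {"Name": "Run_Reports",
                   "PermissionsModifyAllData": False, "PermissionsManageUsers": False},
}
USERS = [  # User, with UserLogin.IsFrozen folded in as "IsFrozen"
    {"Id": "005FROZEN01", "Username": "ex.employee@example.com", "ProfileId": "00eSYSADMIN", "IsFrozen": True},
    {"Id": "005FROZEN02", "Username": "contractor@example.com", "ProfileId": "00eSTANDARD", "IsFrozen": True},
    {"Id": "005FROZEN03", "Username": "intern@example.com", "ProfileId": "00eSTANDARD", "IsFrozen": True},
    {"Id": "005ACTIVE01", "Username": "admin@example.com", "ProfileId": "00eSYSADMIN", "IsFrozen": False},
]
ASSIGNMENTS = [  # PermissionSetAssignment
    {"Id": "0PaA1", "AssigneeId": "005FROZEN02", "PermissionSetId": "0PSDATAEXPORT"},
    {"Id": "0PaA2", "AssigneeId": "005FROZEN03", "PermissionSetId": "0PSREPORTS"},
    {"Id": "0PaA3", "AssigneeId": "005ACTIVE01", "PermissionSetId": "0PSDATAEXPORT"},
]
OAUTH_TOKENS = [  # OauthToken (one per user/connected-app pair)
    {"Id": "0Ha1", "UserId": "005FROZEN01", "AppName": "Bulk Export Tool",
     "LastUsedDate": datetime(2025, 2, 1, tzinfo=timezone.utc), "UseCount": 340},
    {"Id": "0Ha2", "UserId": "005ACTIVE01", "AppName": "Data Loader",
     "LastUsedDate": datetime(2025, 8, 20, tzinfo=timezone.utc), "UseCount": 12},
    {"Id": "0Ha3", "UserId": "005ACTIVE01", "AppName": "Old Dashboard",
     "LastUsedDate": datetime(2024, 11, 15, tzinfo=timezone.utc), "UseCount": 3},
    {"Id": "0Ha4", "UserId": "005FROZEN03", "AppName": "Mobile",
     "LastUsedDate": datetime(2025, 8, 25, tzinfo=timezone.utc), "UseCount": 50},
]
NOW = datetime(2025, 8, 27, tzinfo=timezone.utc)  # fixed "today" for the sample
ADMIN_PERMS = ("PermissionsModifyAllData", "PermissionsManageUsers")


def admin_sources(user, assignments=ASSIGNMENTS):
    """Where a user's admin-level permissions come from:
    ('profile', profile name) or ('permset', assignment id, permission set name)."""
    sources = []
    profile = PROFILES[user["ProfileId"]]
    if any(profile[p] for p in ADMIN_PERMS):
        sources.append(("profile", profile["Name"]))
    for a in assignments:
        if a["AssigneeId"] != user["Id"]:
            continue
        ps = PERMISSION_SETS[a["PermissionSetId"]]
        if any(ps[p] for p in ADMIN_PERMS):
            sources.append(("permset", a["Id"], ps["Name"]))
    return sources


def frozen_admins(users=USERS, assignments=ASSIGNMENTS):
    """Frozen accounts that would regain admin-level rights the moment they are unfrozen."""
    result = {}
    for u in users:
        if u["IsFrozen"]:
            sources = admin_sources(u, assignments)
            if sources:
                result[u["Username"]] = sources
    return result


def stale_tokens(tokens=OAUTH_TOKENS, users=USERS, now=NOW, max_idle_days=90):
    """OAuth tokens idle beyond the limit or held by frozen users, with reasons."""
    frozen_ids = {u["Id"] for u in users if u["IsFrozen"]}
    flagged = {}
    for t in tokens:
        reasons = []
        if now - t["LastUsedDate"] > timedelta(days=max_idle_days):
            reasons.append("idle")
        if t["UserId"] in frozen_ids:
            reasons.append("frozen-owner")
        if reasons:
            flagged[t["Id"]] = reasons
    return flagged


def remediation_plan(users=USERS, assignments=ASSIGNMENTS, tokens=OAUTH_TOKENS, now=NOW):
    """What to remove: permission set assignments can be deleted per user, but
    profile-granted rights can only be removed by moving the user to a
    restricted profile, so the plan separates the two."""
    plan = {"permission_set_assignments_to_delete": [],
            "users_needing_restricted_profile": [],
            "oauth_tokens_to_revoke": []}
    for username, sources in frozen_admins(users, assignments).items():
        for source in sources:
            if source[0] == "permset":
                plan["permission_set_assignments_to_delete"].append(source[1])
            else:
                plan["users_needing_restricted_profile"].append(username)
    plan["oauth_tokens_to_revoke"] = sorted(stale_tokens(tokens, users, now))
    return plan


if __name__ == "__main__":
    print(remediation_plan())
```

Run on a schedule, the same checks catch accounts that are frozen after the initial cleanup and tokens that go quiet later, which is the recurring review the article calls for rather than a one-time audit.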

How Varonis Helps 

The recommendations above can be challenging to implement, especially in a large organization. Varonis provides the most complete Salesforce security solution available for eliminating risk and detecting threats, with automated remediations so that security and threat detection scale.  

Right-size permissions 

Varonis shows you each user’s effective permissions and how they got them, and offers automated remediation, such as removing permissions from frozen or stale accounts. 

Manage third-party app risk 

Varonis discovers all connected third-party apps, evaluates their risk, and monitors their activity. It can automatically remove unsanctioned or unused app connections. 

Detect anomalous activity 

Varonis proactively monitors Salesforce and your broader data estate for suspicious behavior, including privilege escalation, mass object access, and data exfiltration. Varonis correlates identities across apps to surface threats like a user logging in via Okta, accessing Salesforce, and emailing data to a personal account. 

Try Varonis for Salesforce 

To protect your sensitive data, you need to know where it lives, who can access it, and what they’re doing with it. Only Varonis brings all of this together in one platform. 

Varonis protects Salesforce and other SaaS apps, cloud, and on-premises data. 

Interested in uncovering what risks lie in your Salesforce environment? Start a Free Data Risk Assessment today. 
