Another major Salesforce customer has been targeted in a cyberattack.
Farmers Insurance, a U.S.-based insurance provider, has been the victim of a significant data breach that has affected 1.1 million customers.
In an announcement on the company’s website, Farmers Insurance confirmed that in May, an “unauthorized actor” gained access to a third-party database that contained sensitive customer information.
This included names, addresses, birth dates, driver’s license information, and fragments of Social Security numbers.
The notification stated:
After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the incident and notified appropriate law enforcement authorities.
On August 22, the company began informing those affected, disclosing to regulators that 1,111,386 were impacted in total.
While the insurance firm has not revealed the name of the third-party vendor that was targeted, Bleeping Computer is reporting that it was Salesforce.
Indeed, Farmers Insurance is the latest in a growing list of high-profile Salesforce customers that are believed to have been attacked by the ShinyHunters in association with Scattered Spider, a pair of cybercrime groups that frequently collaborate to infiltrate and extort organizations.
In a statement released to Bleeping Computer, ShintHunters claimed responsibility for the Farmers breach, claiming that “ShinyHunters and Scattered Spider are one and the same.
“They [Scattered Spider] provide us with initial access, and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”
The latest attack follows a similar incident from earlier this month, in which the same group of hackers managed to access over 2.5 million customer data records from a Google corporate database run by Salesforce.
Although it has not been officially confirmed, there are strong suggestions that the third-party CRM system that was targeted in the recent Workday breach was also run by Salesforce.
It appears that ShinyHunters has made a concerted effort to target Salesforce users in recent months.
As well as Google and Workday, the campaign has also impacted the likes of Qantas, Allianz Life, and Adidas.
In order to infiltrate Salesforce’s systems, the attackers utilize social engineering, a scam that involves tricking staff into approving a rogue OAuth app that opens the door to Salesforce data.
From there, customer records can be queried and siphoned out. Given the sheer volume of sensitive data they hold, CRM systems are a very popular target for this type of attack.
How Businesses Can Defend Against CRM Breaches
The Farmers Insurance breach underlines the uncomfortable truth that even the most trusted enterprise systems are only as strong as the people and processes around them.
Social engineering, rather than a technical exploit, was once again the attackers’ weapon of choice.
In a LinkedIn post, Cybersecurity professional Glenn Haggard explained that the Farmers Insurance breach “serves as a stark reminder that your supply chain constitutes a significant part of your vulnerability to cyber attacks.
Increasingly, threat actors target vulnerabilities in vendor systems.
With organizations more dependent on sprawling SaaS platforms and vendor ecosystems than ever, that risk surface is only widening.
Robust vetting is no longer enough; companies need ongoing scrutiny of how third-party connections are secured and monitored.
The scale of the Farmers breach also struck a chord with Richard Chetory, Cybersecurity Strategy and Business Growth Leader at CGI, who highlighted the broader implications:
“If sharing vendors/CRM integrations, request confirmation of isolation, token rotation, and IP allowlists; review data minimization.”
He also advised organizations to “monitor for fraud on affected datasets; prepare comms/FAQ and regulator notifications where applicable.”
CRMs hold enormous volumes of sensitive data, making them prime targets for groups like ShinyHunters.
That reality demands more than baseline compliance; it calls for constant vigilance.
While this may feel like something of an uphill battle, practical steps do exist.
Tom Infante, Director of Consulting Insurance (Technology & Managed Services) for CGI, emphasized the importance of proactive security measures in a LinkedIn post, writing:
“Vendor Risk Management is Non-Negotiable → You’re only as secure as your weakest partner.
“Zero-Trust Security Models need to become the standard, not the exception. Incident Response Readiness is critical — speed of detection and transparency are now brand differentiators.”
Because attackers are exploiting people, not just systems, security awareness has to be treated as an ongoing discipline.
Ultimately, the lesson is straightforward but uncomfortable: the technology itself can be resilient, but the processes and people around it are where attackers strike.
Closing those gaps is now essential if businesses are to protect both their data and their customers’ trust.
