One Click, No Malware: How a Fake Salesforce App Breached Google and 30+ Global Brands

Aug 11, 2025


A fake Salesforce app triggered a breach at Google and 30+ global brands with no malware involved. Here’s how one OAuth click exposed trusted systems.

Yakov (Yaki) Gorbulsky

The Salesforce data theft campaign proves attackers no longer need malware; they just need a user to click "Allow."

In August 2025, Google confirmed that one of its corporate Salesforce CRM instances had been breached in June; public reporting attributed the entry point to a compromised third-party contractor's credentials. The exposed data was business contact information for small and medium-sized Google Cloud customers. The breach did not involve a vulnerability in Salesforce or any malicious code.

It started with a fake app and a single OAuth token.

The Breach That Started With “Allow”

According to Google's Threat Intelligence Group, a financially motivated threat group tracked as UNC6040, linked to the ShinyHunters extortion operation, combined voice phishing with OAuth consent abuse. Attackers phoned employees, impersonated IT support, and walked them through authorizing a malicious connected app that impersonated Salesforce's legitimate Data Loader tool. Employees at Google's vendor and at other organizations were tricked the same way.

Once the user clicked "Allow" in a standard OAuth flow, Salesforce issued a valid access token (and, where the refresh_token scope was granted, a long-lived refresh token). That token carried the API access of the user who approved it: every object and field that user could read, the attacker's app could now query and bulk-export without any further interaction with the victim.

No malware. No exploit. Just OAuth abuse through user consent.

The breach impacted organizations with mature security programs, highlighting the danger of a single high-risk OAuth grant, most likely approved by an end user without IT's knowledge.

Related: How to manage risky OAuth permissions

More than 30 organizations were reportedly affected, including Adidas, Qantas, Allianz, LVMH, Cisco, and Chanel. In many cases the breach was not discovered until weeks or months later, when the attackers issued extortion demands.

Technique                 Why it worked
Fake Salesforce app       Impersonated a trusted, commonly used tool (Data Loader)
OAuth abuse               Access token issued through a legitimate platform flow
No malware or exploit     Relied on user consent, not code flaws
Stealthy and persistent   Native tokens look like ordinary API use and rarely trip alerts
Delayed impact            Breach surfaced only when extortion demands were made

Why Most Security Tools Miss OAuth Abuse

OAuth consent happens inside the SaaS application's own UI, over TLS to the vendor's domain. That means:

  • No endpoint agent sees it; nothing is installed on the device
  • Network monitoring sees only ordinary HTTPS traffic to a trusted SaaS domain
  • A traditional SIEM sees nothing unless the platform's own audit events (for Salesforce: Setup Audit Trail, Login History and Event Monitoring) are being forwarded, which is rarely the case

Organizations often have no visibility into:

  • What SaaS apps users authorize
  • What permissions those apps request
  • Which users bypass SSO controls
  • How issued tokens are later used or abused

Without a purpose-built SaaS identity layer, the attack surface remains invisible.

How Grip Could Have Prevented This Breach

Grip Security provides real-time visibility and control over SaaS identity risks like OAuth abuse and consent phishing. Here’s how Grip addresses every layer of this breach.

OAuth Detection & Governance

Grip continuously monitors connected apps (like Salesforce), flagging:

  • Unknown or unverified publishers
  • Excessive or risky OAuth scopes
  • First-time app authorizations
  • Abnormal consent patterns

Security teams get full insight into who approved what, when, and with which access level.
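The kind of monitoring the previous two sections describe, as an added example that is not the article's or Grip's code: three checks (a first-time grant to an unapproved app, a lookalike app name, and bulk API use within an hour of a fresh grant) run over constructed Salesforce-style audit records. The field names approximate Salesforce's LoginHistory object; the consumer keys, app names, users, API counts and thresholds are assumptions made for the example.

```python
"""Flag risky OAuth connected-app activity from Salesforce-style audit records.

Added example, not the article's or any vendor's code. The record layout
approximates Salesforce LoginHistory fields (LoginTime, UserId, Application,
LoginType, SourceIp) plus a constructed ApiCalls count standing in for an
Event Monitoring API-usage total; app names, consumer keys and events are
all constructed.
"""
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# OAuth consumer keys (client_ids) of connected apps IT has reviewed and
# approved, mapped to their display names. Placeholder keys, not real ones.
APPROVED_APPS = {"consumer-key-dataloader-official": "Data Loader"}

# A brand-new grant followed by heavy API use inside this window looks like
# a smash-and-grab export rather than a user setting up a tool.
FRESH_GRANT_WINDOW = timedelta(hours=1)
BULK_CALL_THRESHOLD = 10_000
LOOKALIKE_RATIO = 0.6

# Constructed records. "Remote Access 2.0" is the LoginType Salesforce writes
# for an OAuth connected-app authorization; "Application" is a browser login.
RECORDS = [
    {"LoginTime": "2025-06-02T09:14:00", "UserId": "alice@example.com",
     "Application": "Data Loader", "ClientId": "consumer-key-dataloader-official",
     "LoginType": "Remote Access 2.0", "SourceIp": "203.0.113.10", "ApiCalls": 120},
    {"LoginTime": "2025-06-05T14:02:00", "UserId": "bob@example.com",
     "Application": "Data Loader Support", "ClientId": "consumer-key-unknown-1",
     "LoginType": "Remote Access 2.0", "SourceIp": "198.51.100.7", "ApiCalls": 0},
    {"LoginTime": "2025-06-05T14:31:00", "UserId": "bob@example.com",
     "Application": "Data Loader Support", "ClientId": "consumer-key-unknown-1",
     "LoginType": "Remote Access 2.0", "SourceIp": "198.51.100.7", "ApiCalls": 48_000},
    {"LoginTime": "2025-06-06T08:00:00", "UserId": "carol@example.com",
     "Application": "Browser", "ClientId": "",
     "LoginType": "Application", "SourceIp": "203.0.113.22", "ApiCalls": 0},
]


def is_lookalike(name, approved_names):
    """True if `name` resembles an approved app's name but is not one of them."""
    approved = list(approved_names)
    if name in approved:
        return False
    return any(SequenceMatcher(None, name.lower(), a.lower()).ratio() >= LOOKALIKE_RATIO
               for a in approved)


def analyze(records):
    """Return (rule, user, app) findings, in event order."""
    findings = []
    first_grant = {}  # (user, client_id) -> time the user first authorized the app
    for rec in sorted(records, key=lambda r: r["LoginTime"]):
        if rec["LoginType"] != "Remote Access 2.0":
            continue  # interactive browser logins are not OAuth grants
        t = datetime.fromisoformat(rec["LoginTime"])
        user, app, cid = rec["UserId"], rec["Application"], rec["ClientId"]
        key = (user, cid)
        if key not in first_grant:  # first-time authorization of this app by this user
            first_grant[key] = t
            if cid not in APPROVED_APPS:
                findings.append(("unapproved_app_first_grant", user, app))
            if is_lookalike(app, APPROVED_APPS.values()):
                findings.append(("lookalike_app_name", user, app))
        # Heavy API use shortly after the grant: the export phase of this campaign
        if (t - first_grant[key] <= FRESH_GRANT_WINDOW
                and rec["ApiCalls"] >= BULK_CALL_THRESHOLD):
            findings.append(("bulk_export_after_fresh_grant", user, app))
    return findings


if __name__ == "__main__":
    for rule, user, app in analyze(RECORDS):
        print(f"{rule:32} {user:20} {app}")
```

Keying on the consumer key rather than the display name is the important design choice: the attacker controls the name shown in the consent dialog, but not the client_id of the approved app, so an allowlist of client_ids cannot be spoofed by a lookalike label. The name comparison is a second, weaker signal that catches brand impersonation even before an allowlist exists.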

Shadow App & Tenant Discovery

Grip detects shadow Salesforce tenants and unmanaged SaaS environments, including duplicative or orphaned instances that are often overlooked. This reveals identity sprawl and potential attacker entry points.

SSPM for Salesforce

Grip delivers continuous SaaS Security Posture Management (SSPM) checks across:

  • Over-permissioned user accounts
  • Inactive users retaining access
  • Dangerous configuration drift (e.g., session timeouts, token persistence)
  • Third-party integrations with broad scope access

Grip helps fix posture gaps before attackers find them.
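The posture checks listed above, as an added example that is not the article's or Grip's code, run over a constructed snapshot of a Salesforce org, with a hardened copy of the same snapshot beside it. The settings it checks (OAuth scopes, a connected app's Permitted Users and refresh-token policies, user last-login dates, the org session timeout) are real Salesforce controls; the snapshot layout, thresholds and every value in it are assumptions made for the example.

```python
"""Posture checks over a constructed snapshot of a Salesforce org.

Added example, not the article's or any vendor's code. The checks mirror
real Salesforce settings (connected-app OAuth scopes, the "Permitted Users"
policy, the refresh-token policy, user last-login dates, the org session
timeout), but the snapshot structure and every value in it are constructed.
"""
import copy
from datetime import datetime, timedelta

NOW = datetime(2025, 8, 11)
INACTIVE_DAYS = 90              # a user idle this long should not hold live grants
MAX_SESSION_TIMEOUT_MIN = 120   # assumed org policy
BROAD_SCOPES = {"full", "web"}  # 'full' = all data; 'web' = full UI access
PREAUTHORIZED = "Admin approved users are pre-authorized"

SNAPSHOT = {
    "session_timeout_minutes": 720,
    "users": [
        {"username": "alice@example.com", "last_login": "2025-08-10"},
        {"username": "contractor@vendor.example", "last_login": "2025-03-01"},
    ],
    "connected_apps": [
        {"name": "Data Loader", "scopes": ["api", "refresh_token"],
         "permitted_users": "All users may self-authorize",
         "refresh_token_policy": "valid until revoked"},
        {"name": "Quarterly Reporting", "scopes": ["full", "refresh_token"],
         "permitted_users": PREAUTHORIZED,
         "refresh_token_policy": "expires in 24 hours"},
    ],
    "oauth_grants": [  # (username, app) pairs that currently hold a live token
        ("alice@example.com", "Data Loader"),
        ("contractor@vendor.example", "Data Loader"),
    ],
}


def stale_users(snapshot, now):
    """Usernames whose last login is older than INACTIVE_DAYS."""
    return {u["username"] for u in snapshot["users"]
            if now - datetime.fromisoformat(u["last_login"]) > timedelta(days=INACTIVE_DAYS)}


def audit(snapshot, now=NOW):
    """Return sorted (severity, message) findings; an empty list means clean."""
    findings = []
    stale = stale_users(snapshot, now)
    for user, app in snapshot["oauth_grants"]:
        if user in stale:
            findings.append(("high", f"inactive user {user} still holds an OAuth grant for {app}"))
    for app in snapshot["connected_apps"]:
        broad = BROAD_SCOPES.intersection(app["scopes"])
        if broad:
            findings.append(("high", f"{app['name']} requests broad scope(s): {', '.join(sorted(broad))}"))
        if app["permitted_users"] != PREAUTHORIZED:
            findings.append(("high", f"{app['name']}: any user can self-authorize it"))
        if "refresh_token" in app["scopes"] and app["refresh_token_policy"] == "valid until revoked":
            findings.append(("medium", f"{app['name']}: refresh tokens never expire"))
    if snapshot["session_timeout_minutes"] > MAX_SESSION_TIMEOUT_MIN:
        findings.append(("medium", f"session timeout is {snapshot['session_timeout_minutes']} min"))
    return sorted(findings)


def hardened(snapshot, now=NOW):
    """Return a deep copy of the snapshot with the weak settings corrected."""
    fixed = copy.deepcopy(snapshot)
    stale = stale_users(fixed, now)
    fixed["oauth_grants"] = [(u, a) for u, a in fixed["oauth_grants"] if u not in stale]
    fixed["session_timeout_minutes"] = min(fixed["session_timeout_minutes"], MAX_SESSION_TIMEOUT_MIN)
    for app in fixed["connected_apps"]:
        app["scopes"] = [s for s in app["scopes"] if s not in BROAD_SCOPES] or ["api"]
        app["permitted_users"] = PREAUTHORIZED     # admins decide who may use the app
        app["refresh_token_policy"] = "expires in 24 hours"
    return fixed


if __name__ == "__main__":
    for severity, message in audit(SNAPSHOT):
        print(f"[{severity}] {message}")
    print("after hardening:", audit(hardened(SNAPSHOT)))
```

The single control most relevant to this campaign is the Permitted Users policy: with "All users may self-authorize", any employee who clicks "Allow" can connect an unknown app, which is exactly what the fake Data Loader relied on. Switching to admin pre-authorization means consent phishing produces an authorization error instead of a token.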

Credential & Password Hygiene

Grip detects reused, weak, or unmanaged credentials across both managed and shadow apps, even where SSO isn’t enforced. This prevents attackers from exploiting poor hygiene across OAuth and non-OAuth logins.

Real-Time SaaS ITDR (via Browser Extension)

Grip delivers Identity Threat Detection & Response (ITDR) at the moment of user interaction:

  • Flags consent phishing attempts
  • Detects risky OAuth scopes
  • Identifies SSO bypasses
  • Catches lateral OAuth movement
  • Monitors abnormal API usage in real time

Unlike delayed log-based solutions, Grip provides instant detection and response.

What This Breach Really Shows Us

The attackers didn’t bypass defenses. They used the platform as designed.

They relied on trust.

A trusted brand. A familiar workflow. A user clicks “Allow” without realizing the consequences.

This breach didn’t start with malware.

It started with an OAuth token issued through a legitimate process. And without SaaS identity visibility, you won’t see it coming either.

SaaS Security Can’t Be Optional

Grip gives you:

  • Full visibility into OAuth activity and token usage
  • Real-time identity threat detection
  • Contextual guidance for response and remediation
  • Continuous SaaS posture hardening for business-critical apps like Salesforce
  • A browser-native ITDR layer that sees what others miss

In SaaS, the most dangerous breaches start with a trusted user, a lookalike app, and one overlooked decision. Grip helps you detect, understand, and shut it down before the data leaves your environment.

Want to understand your SaaS identity risk?


Download our free guide, Getting Started with SaaS Security, or book a 20-minute demo to see how Grip gives you control over the modern identity perimeter.
