Salesforce faces class action after Salesloft breach • The Register


Salesforce is facing a wave of lawsuits in the wake of a cyberattack that exposed customer data.

The claims were all filed in Northern California, where Salesforce is headquartered, over the past five weeks and suggest that the SaaS CRM vendor fell short on security. The complaints, many of which aim for class action status, allege that the personal information of the complainants stolen in the attack is making them targets for identity theft.

Salesforce has denied that the security breaches were a result of any shortcomings in its systems. In its public notices, the company has said that its platform was not compromised.

From May through summer, a number of Salesforce-related breaches came to light in which attackers stole OAuth tokens from the third-party Salesloft Drift app. Google Threat Intelligence Group later confirmed the attacks.

The Register has viewed 15 filings of cases brought against Salesforce and its users by individuals, including those launching class actions.

For example, a suit led by Staci Johnson accuses Salesforce of failing to properly secure her personally identifiable information (PII) in connection with a data breach in July 2025. The claim calls for Salesforce to “disclose the nature of the information that has been compromised and to adopt sufficient security practices and safeguards to prevent incidents… in the future.”

The claim says the breach was a “direct result” of Salesforce’s “failure to implement adequate and reasonable cybersecurity procedures and protocols” necessary to protect individuals’ PII.

It says that victims of the attack “must now closely monitor their financial accounts and credit reports to guard against future identity theft and fraud” while some have “suffered numerous actual and concrete injuries as a direct result of the data breach.”

Johnson also seeks compensation and injunctive relief to improve Salesforce’s system security.

A number of the filings mention joint defendants including Salesforce customers TransUnion, Allianz Life Insurance, Farmers Insurance, Workday, and Pandora Jewelry.

In August, consumer credit reporting biz TransUnion said it had suffered a breach affecting nearly 4.5 million individuals, but did not say whether it was in connection with Salesforce’s tech. Similarly, Farmers Insurance said a million customers had personal data compromised after a third-party vendor was attacked, but did not name the CRM vendor.

The Johnson filing alleges that, in July, an unauthorized third party gained access to Salesforce’s system by first breaching the GitHub of Salesloft, a third-party sales engagement platform, in March 2025. “Salesloft’s Drift platform is a tool that integrates with Salesforce. The breach of Salesloft’s GitHub led to the theft of Drift OAuth tokens that were later used to gain access to Salesforce data,” according to the complaint.

At the time, Salesloft said: “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.”

We have asked Salesforce for comment and will update this article if we receive a response.

In an earlier statement to the media, Salesforce said its Trust page describes steps companies can take to protect customer data. It denied, however, that its own technology was compromised during the attacks. ®


