Stop Salesforce Vishing Attacks: What You're Likely Overlooking
Since Salesforce’s March advisory on Connected App risk, and the UNC6040 disclosures in June, the list of impacted companies has grown, with incidents at some of the world's largest brands like Chanel, Google, and Cisco. The pattern continues: bad actors target Salesforce customers, convince employees to authorize a “legit” app, and data is stolen. If world-class teams are getting hit, the risk is real for everyone else. Taken from our recent webinar, we'll explain what to watch for, the essential steps every org should implement today, and how to close the gaps that “the basics” don't cover.
How the vishing attacks actually work (in 5 steps)
1. Impersonate authority. Attackers call employees while pretending to be internal IT or Salesforce support. They work the phones broadly inside the company with very convincing tactics.
2. Push a “legit” install. They urge the user to install what looks like a legitimate app (e.g., Data Loader) under the pretense of “fixing the org” or resolving an issue.
3. Get Connected App access. During install/authorization, the victim grants access to a Connected App, believing it’s sanctioned. That approval gives the attackers ongoing access tied to the user’s org.
4. Sit tight or sell access. Rather than immediately pulling data, attackers may hold the connection for months—sometimes selling the access before using it—so the compromise stays undetected.
5. Exfiltrate at scale. When they move, they extract as much data as possible through the access that was granted. According to impacted teams, this is well-organized and sophisticated, not basic spam—and it’s working against major enterprises because the data is valuable.
Key Takeaways:
1: Why these Salesforce breaches will continue to happen
— Jack McGlinchey, CEO & Co-founder, Arovy
It’s troubling that so many people dismiss these breaches as a result of “fools.” The reality is quite the opposite. These are intelligent teams, trusted with highly technical responsibilities. Did they make mistakes or fail to follow protocol? Almost certainly. But when you look at the scale of what’s happening, with global brands like Google, Cisco, Chanel, and Pandora all impacted, it’s clear this isn’t about incompetence. Even the most capable people can have moments of weakness. That’s human. And that’s exactly why Information Security exists: to provide the guardrails and protections that catch those moments before they turn into costly incidents.
Due to the gap between Salesforce and InfoSec, current processes rarely include robust verification, leaving gaps that attackers can exploit. To close the gap, organizations need better insights, continuous observability, and stronger monitoring to keep these risks in check.
Strategic Takeaway
Vishing and phishing attacks target smart people under pressure; build guardrails that assume brief human mistakes will happen.
Strategic Impact
- Shifts culture from blame to prevention
- Prioritizes controls that reduce a single point of failure
- Improves leadership buy-in for process and tooling
2: Start with the minimum
Your first move—audit Connected Apps (Connected Apps OAuth Usage)
One of the most important steps Salesforce teams can take is to regularly check the Connected Apps OAuth Usage page in Setup. This is the central hub where every application connected to Salesforce is listed, along with details on who connected them. Yet, many organizations go months without ever reviewing it. Ignoring this page leaves blind spots that attackers can exploit. By auditing the list, identifying apps you don’t recognize, and questioning why they’re connected, you take back control of your Salesforce environment. This isn’t just a nice-to-have—it’s a responsibility that every Salesforce team should treat as an ongoing priority.
Strategic Takeaway
Review Setup → Connected Apps OAuth Usage on a cadence; identify every app, who connected it, last use, and scopes.
Strategic Impact
- Surfaces unknown or stale integrations quickly
- Enables least-privilege scope cleanup
- Shrinks your attack surface without slowing critical tools
3: Admins remain a single point of failure
Even with every recommended Salesforce control in place (VPNs, allowlisted IPs, and all the out-of-the-box safeguards), your admin can still be a single point of failure. In fact, one of the major connected app breaches tied directly back to an admin account. It’s easy to think, “My admin is smarter than that, this could never happen here,” but I can guarantee that team believed the same thing before they were compromised. The reality is that admins have the ability to bypass many controls, including through powerful permissions like “Use Any API Client,” which can override key configurations. At the end of the day, unless you have the right visibility and checks in place, the admin role itself remains a critical vulnerability.
Strategic Takeaway
Treat admin as high-risk; gate powerful permissions (e.g., Use Any API Client), and time-box elevation.
Strategic Impact
- Reduces blast radius if an admin account is tricked or abused
- Forces approvals and logging for sensitive actions
- Aligns InfoSec and Salesforce on real-world risk, not checkbox controls
4: Do you know what apps have access to your sensitive Salesforce data?
If a third-party app connected to Salesforce is compromised and not properly locked down, your data is immediately at risk. Think about tools like marketing automation platforms. If one of them gets hacked, attackers can steal your tokens and use them to exfiltrate everything from your Salesforce environment.
And here’s the critical piece: most teams don’t fully understand what data these apps can actually access.
Too often, apps are granted broad permissions far beyond what they truly need. That unnecessary access becomes an open door for attackers. The only way to reduce that risk is to regularly review which apps are connected, audit their scopes and permissions, and lock them down to the minimum access required. Because if a breach happens, it won’t just be the vendor’s problem—it will be your data, your exposure, and your company in the news.
Strategic Takeaway
Assume “their breach becomes your breach” via OAuth tokens; lock down scopes and rotate credentials.
Strategic Impact
- Enforces least-privilege across vendors and tools
- Adds token rotation and offboarding to integration hygiene
- Lowers the chance a downstream vendor incident turns into full data exfiltration
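As an added example (not Arovy's tooling and not Salesforce code), here is an audit pass over constructed Connected Apps OAuth Usage rows that applies takeaways 2 and 4 together: it flags apps missing from a sanctioned list, stale tokens, broad scopes (worst when held by an admin), and the campaign signal of one unknown app being authorised by several users within days. The field names, allowlist, thresholds and sample rows are all assumptions.

```python
"""Added example: audit Connected Apps OAuth Usage rows against local policy.
Field names (app, user, created, last_used, scopes) are assumed to mirror what a
reviewer records from Setup -> Connected Apps OAuth Usage; they are not an API."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BROAD_SCOPES = {"full"}           # "full" is a real Salesforce scope; flagging it is policy
STALE_AFTER = timedelta(days=90)  # unused tokens older than this should be revoked
MASS_WINDOW = timedelta(days=7)   # grants of one unknown app inside this window...
MASS_USERS = 3                    # ...by this many users look like a vishing campaign
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # constructed review date

def audit_connected_apps(records, allowlist, admins, now):
    """Return (severity, app, user, finding) tuples for a reviewer."""
    findings, unknown_grants = [], defaultdict(list)
    for r in records:
        app, user = r["app"], r["user"]
        if app not in allowlist:
            findings.append(("high", app, user, "app not on sanctioned list"))
            unknown_grants[app].append((r["created"], user))
        broad = set(r["scopes"]) & BROAD_SCOPES
        if broad:  # an admin holding a full-scope token is the worst case
            sev = "high" if user in admins else "medium"
            findings.append((sev, app, user, f"broad scopes {sorted(broad)}"))
        if now - r["last_used"] > STALE_AFTER:
            findings.append(("low", app, user, "token unused > 90 days; revoke"))
    # Same unknown app authorised by several users within days: the campaign pattern.
    for app, grants in unknown_grants.items():
        for start, _ in grants:
            users = {u for c, u in grants if start <= c <= start + MASS_WINDOW}
            if len(users) >= MASS_USERS:
                findings.append(("critical", app, ",".join(sorted(users)),
                                 f"{len(users)} users authorised it within {MASS_WINDOW.days} days"))
                break
    return findings

def sample_records(now):
    """Constructed sample rows, not real org data; the third app is a lookalike."""
    def row(app, user, created, last_used, scopes):
        return {"app": app, "user": user, "created": now - timedelta(days=created),
                "last_used": now - timedelta(days=last_used), "scopes": scopes}
    return [row("Marketing Automation", "m.lee", 400, 1, ["api", "refresh_token"]),
            row("Old ETL Bridge", "admin", 600, 200, ["full", "refresh_token"]),
            row("Data Loader v2 Fix", "a.ng", 5, 4, ["api", "refresh_token"]),
            row("Data Loader v2 Fix", "b.ortiz", 4, 3, ["api", "refresh_token"]),
            row("Data Loader v2 Fix", "c.park", 3, 3, ["api", "refresh_token"])]

if __name__ == "__main__":  # constructed review run
    for f in audit_connected_apps(sample_records(NOW), {"Marketing Automation", "Old ETL Bridge"}, {"admin"}, NOW):
        print("[%s] %s (%s): %s" % f)
```

Feed it the rows you actually record at each review and keep the allowlist under change control; the critical finding is the one to escalate first, since it mirrors the phone-driven mass authorization described above.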
What to do now (practical checklist)
1. The Basics: Salesforce native controls
- Review / audit Connected Apps.
- Install only the apps you recognize and need (consider App Policies).
- Block the ones you don’t.
- Enable API Access Control (valuable, but expect real effort).
- If you can: Enable & enforce MFA.
- If you can: Set login IP ranges and allowlist IPs.
2. Monitoring & detection
- Event Monitoring: recommended to purchase and use for ongoing visibility.
3. Go Beyond the "Basics" – Close the gaps
- Admin is still a single point of failure.
  - Treat admin as high-risk; constrain usage and approvals.
- Once an app is connected/approved, it carries its own risks.
  - Watch for over-privileged users and permission drift.
  - Account for compromised third-party apps.
- Control ops overhead and watch out for:
  - The “Use Any API Client” permission.
  - People bypassing process for “urgent requests.”
How Arovy stops these attacks:
- Observability & Monitoring: Real-time monitoring & alerts, powered by Event Monitoring, for the most important changes, delivered to the teams that need to know.
- Protection: Beyond alerts, Arovy can take real-time actions on your behalf to stop attacks or process deviations.
- Investigation & Remediation: Robust & contextual logs allow teams to quickly investigate & remediate incidents, reducing recovery times.
Overview
- Remove Single Points of Failure: Attacks exploit brief, human moments. Mistakes happen. Design controls that assume that reality.
- Monitor Connected Apps OAuth Usage and make reviews recurring.
- Treat Admin and “Use Any API Client” as high-risk and gate them.
- Assume a 3rd-party app vendor’s breach can become your breach. Enforce least-privilege across connected apps.
- Document owners, purpose, and changes so you can act fast when something looks off.
Free Risk Assessment for Salesforce
Get the most comprehensive risk assessment for Salesforce. Uncover gaps and vulnerabilities in your Salesforce configuration, and receive a data-driven, risk-prioritized action plan to protect your most sensitive Salesforce data.