Key Takeaways
- US insurance giant Farmers Insurance has confirmed a data breach affecting 1,111,386 customers.
- The breach is part of the widespread ShinyHunters/Scattered Spider campaign that targets corporate Salesforce CRM instances.
- The attack occurred on May 29, 2025, when attackers gained access to customer information stored with a third-party vendor (Salesforce).
- Stolen data includes names, addresses, dates of birth, driver’s license numbers, and the last four digits of Social Security numbers.
- The attackers use social engineering and voice phishing to trick employees into authorizing a malicious OAuth application, which is then used to steal data.
Farmers Insurance Confirms 1.1 Million Customers Impacted
What Happened?
Farmers Insurance, a major US-based insurer serving over 10 million households, has begun sending data breach notifications to more than 1.1 million customers. The incident stems from a cyberattack on May 29, 2025, in which a threat actor gained unauthorized access to a database of Farmers’ customer information hosted by a third-party vendor. That vendor has since been identified as the cloud software giant Salesforce.
What Data Was Stolen?
According to the notification letters, the attackers stole a combination of highly sensitive Personally Identifiable Information (PII) that creates a significant risk of identity theft. The compromised data includes:
- Full Names
- Physical Addresses
- Dates of Birth
- Driver’s License Numbers
- Last four digits of Social Security Numbers
The “ShinyHunters” Campaign: A Massive Supply Chain Attack on Salesforce
This is not an isolated attack on Farmers Insurance. The incident is part of a massive, ongoing campaign by a sophisticated cybercrime syndicate involving groups like ShinyHunters and Scattered Spider. This same campaign has successfully breached numerous other global corporations this year, including Google, Cisco, Workday, Adidas, Louis Vuitton, and Dior.
The Attack Vector
The threat actors are not exploiting a software vulnerability in Salesforce itself. Instead, the attack relies on a highly effective social engineering tactic:
- Attackers use voice phishing (vishing) to call an employee of the target company, often impersonating the IT helpdesk.
- They trick the employee into navigating to a phishing site and authorizing a malicious OAuth application to connect to their company’s Salesforce account.
- Once authorized, this malicious app acts as a bridge, allowing the attackers to connect directly to the Salesforce instance and exfiltrate the entire database. The stolen data is then used to extort the company.
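A defender-side check for the pattern described above, as an added example that is not part of the original article: it flags OAuth authorizations of connected apps that are not on an allowlist and escalates when a bulk read follows the grant. The event records, field names, app names and thresholds are constructed assumptions, not a Salesforce log schema.

```python
from datetime import datetime, timedelta

# Constructed events; field names are hypothetical, not a Salesforce log schema.
EVENTS = [
    {"ts": "2025-01-15T14:02:11", "type": "oauth_authorize", "user": "jdoe", "app": "crm-backup-approved"},
    {"ts": "2025-01-15T14:03:40", "type": "oauth_authorize", "user": "asmith", "app": "helpdesk-ticket-tool"},
    {"ts": "2025-01-15T14:05:02", "type": "api_query", "user": "asmith", "app": "helpdesk-ticket-tool", "rows": 250000},
    {"ts": "2025-01-15T14:09:30", "type": "api_query", "user": "asmith", "app": "helpdesk-ticket-tool", "rows": 900000},
    {"ts": "2025-01-15T15:00:00", "type": "api_query", "user": "jdoe", "app": "crm-backup-approved", "rows": 1200},
    {"ts": "2025-01-16T09:00:00", "type": "oauth_authorize", "user": "bkim", "app": "calendar-sync"},
    {"ts": "2025-01-16T09:10:00", "type": "api_query", "user": "bkim", "app": "calendar-sync", "rows": 40},
]
APPROVED_APPS = {"crm-backup-approved"}  # constructed allowlist of vetted connected apps


def find_risky_grants(events, approved_apps, row_limit=100_000, window=timedelta(hours=24)):
    """Flag authorizations of unapproved apps; escalate when a bulk read follows the grant."""
    grants = {}  # (user, app) -> time the user first authorized the app
    pulled = {}  # (user, app) -> rows read within `window` after that grant
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["app"])
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "oauth_authorize":
            grants.setdefault(key, when)
            pulled.setdefault(key, 0)
        elif ev["type"] == "api_query" and key in grants and when - grants[key] <= window:
            pulled[key] += ev.get("rows", 0)
    findings = []
    for (user, app), granted_at in grants.items():
        if app in approved_apps:
            continue  # vetted app: out of scope for this check
        rows = pulled[(user, app)]
        findings.append({
            "user": user, "app": app, "rows": rows,
            "authorized_at": granted_at.isoformat(),
            # Any unapproved grant deserves review; a bulk pull right after it is urgent.
            "severity": "high" if rows >= row_limit else "review",
        })
    return findings


if __name__ == "__main__":
    for f in find_risky_grants(EVENTS, APPROVED_APPS):
        print(f)
```

The allowlist is what makes the check useful: an approved integration reading many rows is routine, while the same volume from an app a user authorized minutes earlier is not.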
Key Cybersecurity Implications
- The ‘Third-Party App’ as a Supply Chain Weakness: This attack vector highlights a critical modern vulnerability. The compromise isn’t of the core cloud platform (Salesforce), but of the connection to it via a malicious third-party app. An organization’s security is now heavily dependent on its employees’ ability to vet and manage the dozens of applications they connect to their corporate accounts.
- The Human Element Remains the Primary Target: The entire attack chain is initiated by successfully tricking a single employee. This underscores that even in the most technologically advanced environments, the human element is often the weakest link. Continuous, targeted security awareness training that specifically covers social engineering and OAuth consent phishing is non-negotiable.
- A Goldmine for Identity Theft: The specific combination of data stolen—name, DOB, address, driver’s license number, and partial SSN—is a complete “kit” for committing identity theft. Criminals will use this data to open fraudulent accounts, file for credit, and commit other serious financial crimes.
Secure Your Organization with Brinztech As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. For general inquiries or to report this post, please email us: contact@brinztech.com