Introduction
As a Salesforce administrator or leader in your organization, staying ahead of changes and threats is crucial. Starting early September 2025, Salesforce will enforce a new Connected App Usage Restriction, blocking access to uninstalled connected apps. Understanding this change and learning from recent high-profile incidents—like the Data Loader breach—can help you safeguard your org proactively.
Change in Policy: Connected App Usage Restriction
- What’s changing: Salesforce will no longer allow uninstalled connected apps to be accessed unless:
- The user had previously authorised the app, and
- The app does not use the OAuth 2.0 device flow.
- Immediate impact: New users will be blocked from using any uninstalled connected apps. Apps that rely on the OAuth 2.0 device flow will be blocked, even if previously authorised by users. Only apps installed before the change continue to function.
Protect Your Salesforce Environment from Social Engineering Threats - Admin bypass permissions: Only trusted users with one of two permissions may still access uninstalled apps:These permissions should be limited to admins or developers managing integrations.
Shutting the Door on Vishing-Driven Data Theft in Salesforce- Approve Uninstalled Connected Apps (new in Summer ’25),
- Use Any API Client (if API Access Control is enabled).
- Actions to take now:
- Audit uninstalled apps via Connected Apps OAuth Usage in Salesforce Setup.
- Install trusted apps before the restriction kicks in.
- Block untrusted apps to eliminate risk.
- Apply least-privilege principles for high-level permissions.
- Protect Your Salesforce Environment from Social Engineering Threats
Google’s Salesforce breach exposed customer contact data
Hackers abuse modified Salesforce app to steal data, extort companies, Google says
Why the Salesforce Data Loader Breach Is Still a Risk for Admins
Timeline: Salesforce Data Loader Breach (UNC6040 / ShinyHunters)
Here’s an overview of critical event milestones from the recent Data Loader breach — a significant security incident impacting multiple enterprises:
| Date | Event |
|---|---|
| June 2025 | Google Threat Intelligence Group (GTIG) uncovers a social-engineering campaign by UNC6040, aka ShinyHunters, where voice phishing (vishing) coaxed employees into authorizing a malicious connected app, masquerading as Salesforce Data Loader. Once installed, attackers exfiltrated data via OAuth abuse. Salesforce App Hijacked by Hackers: Google Reveals Data Exfiltration Exploit |
| June 2025 | Attackers gain access to Google’s Salesforce instance, retrieving approximately 2.55 million records — mostly business contact information. Attack was detected and access was revoked swiftly. Google’s Salesforce breach exposed customer contact data |
| July–August 2025 | Additional victims emerge: Allianz Life, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Chanel, Coca-Cola, Qantas, Pandora, and others experienced similar breaches via malicious connected apps. Data exposed included contact details, purchase history, policyholder info, and other sensitive records. Salesforce-Related Data Breach Affecting Multiple Companies Salesforce Data Breach 2025 Salesforce attacks in 2025: Why cyber criminals are targeting Salesforce How Google, Adidas, and more were breached in a Salesforce scam |
| Ongoing | These attacks reinforce the need for defense-in-depth strategies, including IP restrictions, permission minimisation, Salesforce Shield monitoring, and mandatory admin approval for connected app access. The Cost of a Call: From Voice Phishing to Data Extortion Protect Your Salesforce Environment from Social Engineering Threats Shutting the Door on Vishing-Driven Data Theft in Salesforce Salesforce attacks in 2025: Why cyber criminals are targeting Salesforce |
Core Takeaways for Your Org
- Human-targeted attacks win – The breach wasn’t due to platform flaws, but rather deception via voice phishing.
Hackers abuse modified Salesforce app to steal data, extort companies, Google says - OAuth access is potent – Once granted, malicious connected apps bypass MFA and access enterprise data via authenticated APIs with elevated privileges.
How Threat Actors Used Salesforce Data Loader for Covert API Exfiltration - Least privilege matters – Limit permissions like “API Enabled”, “Customize Application”, and connected app access to the smallest necessary group.
The Cost of a Call: From Voice Phishing to Data Extortion - IP and policy enforcement help – IP restrictions and Salesforce Shield’s transaction monitoring can stop or flag exfiltration early.
Shutting the Door on Vishing-Driven Data Theft in Salesforce - Train, review, repeat – Regular security training and periodic audits of connected apps and permissions are essential.
Recommended Next Steps
- Blog Summary or Internal Newsletter Title:
“Salesforce Security Update: New Connected App Restrictions & Protecting Against Data Loader Breach Tactics” - Key Client Action Items:
- Audit: Review all connected apps (installed or otherwise).
- Install or Block: Pre-install trusted apps; promptly block unknown or unused ones.
- Lock Down Permissions: Only permit permissions like “Approve Uninstalled Connected Apps” or “Use Any API Client” to a few trusted admins.
- Enable API Access Control: Disable unsanctioned apps during handshake.
The Cost of a Call: From Voice Phishing to Data Extortion
Shutting the Door on Vishing-Driven Data Theft in Salesforce - Enforce IP/Access Policies: Restrict access to known corporate IPs or VPN ranges.
- Deploy Monitoring: Use Salesforce Shield or similar to detect unusual API activity.
- Train Staff: Run phishing simulations and educate users to spot vishing scams.
- Review Regularly: Quarterly connected app and permissions assessments.
Conclusion
The upcoming Connected App Usage Restriction (effective early September 2025) is a proactive measure to safeguard orgs—but it also needs your action to prevent disruption. Coupling that with lessons from the Data Loader breach by UNC6040 highlights how social engineering and OAuth abuse remain key threats.
By audit, restriction, monitoring, and user education, your clients can navigate the change confidently and secure their Salesforce environments against evolving threats.
If you need support preparing for Salesforce’s Connected App Usage Restriction or strengthening your org’s defenses ? Contact Sweet Potato Tec’s Salesforce experts today.



