tl;dr Threat actors are targeting Salesforce instances to steal credentials, especially from Case objects (customer service data). Google’s Threat Intelligence Group recommends scanning your Salesforce instance with TruffleHog. To protect your org:

1. Export Salesforce objects (Case, Account, User, Opportunity).

2. Scan for exposed secrets with TruffleHog: 

   
   

trufflehog filesystem <path/to/objects.csv

In August, attackers breached a third-party Salesforce integration used by hundreds of organizations. They leveraged this connection to download large amounts of Salesforce data.

This was not a Salesforce breach. The compromise happened through the integration layer, a common attack vector that we published about late last year.

What Data Was Targeted

According to Palo Alto, the attackers exfiltrated four key Salesforce object types:

• Cases → Customer service requests; can contain plaintext credentials, code snippets, and API keys.

• Accounts → Companies or individuals your organization does business with.

• Opportunities → Potential deals or sales pipelines.

• Users → Internal Salesforce user records.

Cases are the highest risk. Cloudflare found 104 customer credentials in Case objects alone. Esker, Tenable, and Zscaler also noted that their Case object data was targeted.

Why are Secrets in Salesforce?

Secrets often land in CRMs through support interactions. 

A typical scenario involves a customer pasting debug logs or a configuration snippet into a Case to resolve an issue, inadvertently including a hardcoded API key or password. 

Multiply that across thousands of Cases, and you can see why attackers target Case objects.

A second vector is internal communication, where employees might share temporary credentials in a private Chatter post or a custom text field related to an Account.

Scanning Salesforce for Secrets

High-level Approach

1. Identify objects (and fields) that are likely to contain sensitive information.

2. Export object data.

3. Scan the data with TruffleHog: 

trufflehog filesystem <path/to/data.csv> --only-verified

Steps 1 and 2 require understanding how your organization uses Salesforce, such as which objects are actively in use and what customizations have been made. Custom fields like those on Case objects may hold sensitive information and should be carefully reviewed.

Scanning Salesforce Case Objects for Secrets

Case objects, which store customer support interactions, have been highlighted in recent attacks as a high-risk location for exposed secrets. Below, we document two methods for scanning built-in Case object fields.

Using the Bulk API 2.0

Threat actors have recently abused Salesforce’s Bulk API 2.0 to exfiltrate Case object data. The script below uses the same API to query Case object records and then scans the results with TruffleHog.

# 1. Download the salesforce cli tool: https://developer.salesforce.com/tools/salesforcecli

# 2. Login to the CLI via your web credentials, set the default org:
sf org login web --set-default

# 3. Create temp files to save the cases
CASES_TEMP_FILE=$(mktemp)

# 4. Register a trap to delete the temp file
trap 'rm -f "$CASES_TEMP_FILE"' EXIT

# 5. Get all case data into temp file
QUERY_CASES='SELECT Id, CaseNumber, Description, Subject, Owner.Name, ContactId, Contact.Name, Contact.Title, Contact.Description, AccountId, Account.Name, Account.Description FROM Case'
echo "[i] Bulk querying for Cases: $QUERY_CASES\n" >&2
sf data export bulk -r csv --wait 10 --output-file "$CASES_TEMP_FILE" --query "$QUERY_CASES" >/dev/null

# 6. Scan files using TruffleHog
echo "[i] Scanning cases..."
CASES_SECRETS=$(trufflehog filesystem "$CASES_TEMP_FILE" --no-update --json --only-verified 2>/dev/null)

# 7. Print the results
if [[ -n "$CASES_SECRETS" ]]; then
  printf "\033[0;32m[!] Secrets found in cases:\033[0m\n"
  echo "$CASES_SECRETS"
else
  printf "[!] No secrets found in cases."
fi

The script above is a simple PoC, but it will identify secrets in some built-in fields in the Case object. 

TruffleHog Enterprise Customers

We’ll use a similar approach to insert the Case data results into your TruffleHog Enterprise instance. TruffleHog Enterprise continuously monitors data sources (in this case, the temporary folder containing Salesforce case data) and automatically verifies whether any exposed credentials are still valid. It then links each credential to its owner and provides clear remediation steps for rotating or revoking the leaked credential.

1. Run the script below (a modified version of the one above).

   
   

# 1. Download the salesforce cli tool: https://developer.salesforce.com/tools/salesforcecli

# 2. Login with to the CLI via your web credentials, set the default org:
sf org login web --set-default

# 3. Create temp files to save the cases
TEMP_DIR=$(mktemp -d -t sfdc)
CASES_TEMP_FILE=$(mktemp "$TEMP_DIR/cases.csv")

# 4. Get all case data into temp file
sf data export bulk -r csv --wait 10 --output-file "$CASES_TEMP_FILE" --query "SELECT Id, CaseNumber, Description, Subject, Owner.Name, ContactId, Contact.Name, Contact.Title, Contact.Description, AccountId, Account.Name, Account.Description FROM Case" >/dev/null

# 5. Output the source config
echo "[i] Source config:
sources:
- connection:
    '@type': type.googleapis.com/sources.Filesystem
    paths:
    - $TEMP_DIR
  name: Filesystem
  scanPeriod: 12h
  type: SOURCE_TYPE_FILESYSTEM
  verify: true
" >&2

  # 6. Output the cases file path
echo "[i] Cases file path: $CASES_TEMP_FILE" >&2

You’ll see two outputs: Source config and Cases file path. 

2. Copy the Source config into your scanner configuration file and then run it.

./scanner scan --config=trufflehog-scanner-config.yaml --run-once

3. If TruffleHog found a secret, open the file referenced in the Cases file path output and search for the case corresponding to the secret.

4. After you rotate the exposed credentials, safely delete the Cases file path.

Using the GUI

If you don’t want to use the Bulk API 2.0 method, or don’t have permissions to, you can login into Salesforce’s GUI and download a Cases report.

1. Open “Report Builder” and create a new “Cases” report (located under the “Customer Service Report” category).

   
   

2. Add additional fields, including Subject, Case Comments, Description, etc. We selected these fields based on public reporting by Zscaler. At this stage, you should consider adding Account + Contact fields relevant to the cases, as well as your custom Case fields.

   
   

3. Run and Export your report into a csv.

   
   

4. Run TruffleHog against the csv export using the following command:

   
   

trufflehog filesystem <path/to/cases.csv

Optionally run with the --only-verified flag to view only live credentials.

5. Securely delete the exported data! This step is critical.

After this first scan, we recommend creating additional reports to access more Case object data (such as detailed email communications) and Account, User, and Opportunity object data targeted by threat actors. 

Conclusion

While scanning for secrets is the immediate priority, a robust defense requires further action:

• Audit Integrations: Review all third-party applications. Enforce the Principle of Least Privilege by downgrading permissions and OAuth scopes to the absolute minimum required.

• Prevent Exposure: Implement preventative controls, such as input filtering, to block credentials from being saved in the first place.

• Monitor Activity: Enhance API logging and monitoring to detect and alert on anomalous data exfiltration.