You may have seen the news this week about a malicious version of the Salesforce Data Loader app being used in a targeted phishing campaign. Attackers, identified by Google’s Threat Intelligence Group, tricked employees into installing a fake app that looked like the real thing. Once connected, the app allowed hackers to pull sensitive Salesforce data out of company environments.
The good news: this wasn’t a Salesforce vulnerability. Instead, it was a reminder of how far social engineering tactics have come, and why admins and end users need to stay vigilant.
What’s Gone Wrong: OAuth-Based Breaches
In recent months, organizations using Salesforce have been hit hard – not due to vulnerability in Salesforce itself, but through misuse of trusted OAuth-connected third-party apps. Administrators must now adopt stricter security controls, including the savvy use of IP restrictions.
Salesloft Drift OAuth Exploits
- Between August 8–18, 2025, threat actor UNC6395 exploited stolen OAuth tokens from Salesloft’s Drift integration to extract data – including AWS access keys, passwords, and Snowflake tokens – from hundreds of Salesforce instances.
- Major organizations like Zscaler have confirmed breaches via the same vector. Attackers accessed contact info, job titles, licensing data, and support case content, though no misuse has been confirmed – Zscaler has revoked tokens and rotated credentials.
Broader Social Engineering Attacks
- Beyond Drift, groups like ShinyHunters (also referred to as UNC6040 or UNC6240) have targeted Salesforce via voice phishing (vishing) and malicious tools like spoofed Data Loader apps to trick users into granting access.
- These breaches span sectors – including aviation, retail, luxury, and insurance, affecting brands like Chanel, Louis Vuitton, Google, Adidas, and Farmers Insurance.
Risks Highlighted:
- Connected app vulnerabilities are a blind spot.
- OAuth tokens, once compromised, grant deep access.
- Social engineering remains a top threat vector.
Strengthening Security: IP-Based Restrictions + Best Practices
Why IP Restrictions Matter
Salesforce supports Login IP Ranges and Trusted IPs to control where users and connected apps can authenticate from:
- Enabling these can block or flag unauthorized access attempts outside approved networks.
- Profile-level IP restrictions can even block logins entirely from outside specified addresses.
When you configure IP restrictions for connected apps:
- Only traffic coming from known, trusted IPs will be accepted.
- Even if an OAuth token is stolen, an attacker outside the trusted IP range will be blocked.
- You gain tighter control and clearer visibility over integrations.
This approach aligns perfectly with Zero Trust principles: “Never trust, always verify.”
How to Set Up IP Ranges
For Org-wide Trust:
- In Setup, search for “Network Access”
- Click New to define a start and end IPv4 range (or single address).
- Optionally add a description (good for documentation!) and save.
For Profile-specific Restrictions:
- Go to Profiles → choose a profile → navigate to Login IP Ranges
- Add desired IPv4 (and/or IPv6) ranges.
- Salesforce will block all login attempts outside this range – for non-admins especially.
Securing Datagroomr with IP Restrictions
If your organization uses Datagroomr for Salesforce data quality and verification and is looking to explicitly whitelist their IP addresses in Salesforce.
Current Datagroomr IPs to allow:
52.14.107.230
18.220.63.130
These are the current Datagroomr IPs as of September, 2025. Please reach out to support if you require the most up-to-date ranges or if your compliance policies require confirmation.
Additional Best Practices
Beyond IP whitelisting, Salesforce admins should:
- Audit connected apps regularly: Remove unused or suspicious apps.
- Restrict OAuth scopes: Grant only the minimum permissions needed.
- Enable event monitoring: Track unusual login or API activity.
- Train staff: Watch for phishing, vishing, and fake app prompts
How DataGroomr Keeps You Secure
As a reminder, rest assured that DataGroomr takes security seriously.
🔒 Verified AppExchange Listing
DataGroomr has passed Salesforce’s rigorous security review and is SOC2 Type II certified. We never ask customers to download apps from external sites or sideload software.
🌐 Dedicated IPs
All DataGroomr services run on trusted, dedicated IP ranges. This makes it easier for admins to whitelist our traffic and block unknown connections.
⚖️ Scoped Permissions
We follow Salesforce’s “least privilege” model, only requesting the access needed to perform deduplication, imports, or updates. Nothing more.
🔑 Secure Authentication
Connections to DataGroomr happen through Salesforce-approved OAuth flows. Admins can also layer on IP restrictions and MFA policies to strengthen protections.
Conclusion
The recent wave of Salesforce-related breaches underscores the importance of defending every integration point. Connected apps like Datagroomr deliver critical value, but they must be secured.
By enforcing IP restrictions, you greatly reduce the attack surface and move closer to a Zero Trust Salesforce environment.
Next step: Review all connected apps in your org and apply IP restrictions today. It’s one of the simplest, most effective protections against modern threats.
