ABC News Australia, a national broadcaster, recently revealed a large-scale malware operation that stole credentials from employees and customers of several top-tier Australian banks.
While this breach did not involve Salesforce directly, the methods used should raise red flags for any organization relying on cloud-based platforms like it. Credential theft and session hijacking—whether targeting banking portals, CRM systems, or collaboration tools—are part of a broader trend in cybercrime that exploits the weakest link: end users.
If Salesforce is your organization’s central hub for customer interactions, service, or internal operations, this kind of attack offers a clear warning. It’s not about whether your platform was the entry point—it’s about how easily attackers can pivot into cloud environments using valid credentials.
What the credential theft malware attack revealed
The malware campaign, believed to be operated out of Eastern Europe, compromised over 60,000 devices in Australia, including thousands of employee and customer endpoints linked to major financial institutions.
Key facts:
- Malware captured login credentials, cookies, and session tokens.
- At least 250 employee devices from major banks were affected.
- Customer banking credentials, along with data that could be used to bypass multi-factor authentication (such as live session cookies), were harvested.
- The stolen information was sold on dark web marketplaces, ready to be used for account takeovers, phishing campaigns, and lateral movement into connected platforms.
Why Salesforce security is at risk from credential theft
Even though this wasn't a Salesforce-linked attack, and even if your organization wasn't directly impacted, there are key lessons here for anyone responsible for securing Salesforce environments:
Your users are the new attack surface.
This campaign didn't exploit system vulnerabilities; it targeted individual users. When attackers obtain valid login details, especially together with session cookies that let them skip MFA prompts entirely, they can gain access to cloud platforms like Salesforce with little resistance. A separate incident involving stolen Jira credentials shows just how easily attackers can pivot into connected platforms like Salesforce using legitimate access.
Credential dumps enable targeted phishing and impersonation.
Once user data is exposed, attackers often move quickly—crafting convincing messages, impersonating employees, and targeting systems that trust those identities.
Think it couldn't happen in Salesforce? Think again
Salesforce is one of the most trusted enterprise platforms in the world; however, like any cloud service, it operates on a shared responsibility model. Salesforce secures the infrastructure, while you are responsible for your data, users, and access controls.
- Malware on an endpoint device, such as on a user’s laptop, can still compromise Salesforce session tokens or browser credentials.
- API integrations and third-party apps can be exploited if access controls are too permissive.
- Threats such as phishing links and harmful file uploads can still bypass native protections, particularly in Experience Cloud, Service Cloud, Email-to-Case, Web-to-Case, real-time Agentforce conversations, and messaging channels connected to Salesforce.
How to strengthen Salesforce security against credential-based attacks
This incident is a wake-up call for organizations relying on Salesforce. Fortunately, you can take practical steps now to reduce your exposure.
Harden access and session controls
- Watch for unusual login patterns, even from recognised users: a new IP address or browser on an existing account, or a session that is suddenly used from a different location than the one it was opened from.
- Remember that MFA alone does not stop this attack. The malware stole session tokens, and a replayed session cookie never triggers an MFA prompt. Keep session timeouts short, require re-authentication for sensitive actions, and consider Salesforce's option to lock sessions to the IP address they originated from.
- Apply the principle of least privilege to user roles and access, so a single stolen credential exposes as little data as possible.
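As an added example (not code from the original article or from Salesforce), the script below shows the kind of check the bullets above describe: it binds each session to the IP address and browser seen at login, then flags activity that breaks that binding, activity on a session that never had an observed login (what a replayed stolen cookie looks like), and sessions used past a configurable lifetime. The records are constructed for this example; the field names loosely mirror Salesforce's LoginHistory object (UserId, LoginTime, SourceIp, Browser), but the `session` and `kind` fields and the record layout are assumptions, not an official schema.

```python
"""Flag session-hijack indicators in Salesforce-style login/activity records.

Added example, not Salesforce code. Records are constructed; the field names
loosely follow the LoginHistory object, but `session` and `kind` are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session: str   # session/cookie identifier (hypothetical field)
    ip: str
    agent: str     # browser / user-agent string
    kind: str      # "login" or "activity"


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample data:
#  - alice logs in normally, then her session id is replayed from another
#    IP and browser (the signature of a stolen session cookie);
#  - bob's session is used with no login event at all;
#  - carol's session is benign on day one but still in use the next day.
SAMPLE_EVENTS = [
    Event(_t("2025-06-01T08:00:00"), "alice", "s-a1", "203.0.113.10", "Chrome/125 Windows", "login"),
    Event(_t("2025-06-01T08:05:00"), "alice", "s-a1", "203.0.113.10", "Chrome/125 Windows", "activity"),
    Event(_t("2025-06-01T08:20:00"), "alice", "s-a1", "198.51.100.7", "Firefox/126 Linux", "activity"),
    Event(_t("2025-06-01T09:00:00"), "bob", "s-b9", "198.51.100.7", "python-requests/2.32", "activity"),
    Event(_t("2025-06-01T09:10:00"), "carol", "s-c3", "203.0.113.22", "Safari/17 macOS", "login"),
    Event(_t("2025-06-01T09:12:00"), "carol", "s-c3", "203.0.113.22", "Safari/17 macOS", "activity"),
    Event(_t("2025-06-02T09:00:00"), "carol", "s-c3", "203.0.113.22", "Safari/17 macOS", "activity"),
]


def detect_session_anomalies(events, max_lifetime=timedelta(hours=2)):
    """Return a list of (user, session, reason) tuples.

    Each login binds its session id to the user, source IP and user agent
    observed at that moment. Later activity on the session is compared
    against that binding; any mismatch, a session with no recorded login,
    or use beyond `max_lifetime` after login is reported.
    """
    bound = {}   # session id -> login Event
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "login":
            bound[e.session] = e
            continue
        origin = bound.get(e.session)
        if origin is None:
            # No login ever seen for this cookie: classic replay of a
            # token exfiltrated by infostealer malware.
            alerts.append((e.user, e.session,
                           "activity on session with no observed login (possible cookie replay)"))
            continue
        if e.user != origin.user:
            alerts.append((e.user, e.session,
                           f"session bound to {origin.user} presented for {e.user}"))
        if e.ip != origin.ip:
            alerts.append((e.user, e.session, f"ip changed {origin.ip} -> {e.ip}"))
        if e.agent != origin.agent:
            alerts.append((e.user, e.session, f"user agent changed {origin.agent!r} -> {e.agent!r}"))
        if e.ts - origin.ts > max_lifetime:
            # Long-lived sessions widen the window in which a stolen cookie
            # stays valid; this mirrors a short session timeout policy.
            alerts.append((e.user, e.session,
                           f"session used {e.ts - origin.ts} after login (exceeds {max_lifetime})"))
    return alerts


if __name__ == "__main__":
    for user, session, reason in detect_session_anomalies(SAMPLE_EVENTS):
        print(f"{user:6} {session:6} {reason}")
```

In a real deployment the events would come from the LoginHistory object or EventLogFile exports rather than an inline list, and the IP comparison would typically allow for a user's known address ranges so that mobile users on changing networks are not flagged on every request. The important design choice is that the binding is made at login time and checked on every subsequent request, which is exactly the control a replayed cookie cannot satisfy.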
Inspect what your users upload or click
- Malicious attachments and phishing links can be injected into Salesforce records.
- Native platform defences don't always catch modern threats; use scanning tools that analyse uploaded files and embedded links in real time, before they reach agents and customers.
Protect beyond the login screen
- Threat actors don’t need to “break in” when they can walk in with valid credentials.
- Invest in behavior-based threat detection to spot suspicious activity inside the platform.
- Identity protection tools that check your users against leaked-credential data help you quickly identify accounts whose passwords or sessions have been stolen, so you can revoke sessions and force resets before the credentials are used.
Why endpoint security isn’t enough for Salesforce protection
As this breach shows, once an attacker has valid credentials or hijacks a session, traditional defences often fall short, especially when malicious content is introduced after login, via uploads, links, or third-party integrations.
To reduce risk within Salesforce, security controls must extend beyond the perimeter and the endpoint. They need to work inside the platform itself: scanning content as it arrives, detecting unusual activity, and protecting the areas where attackers are most likely to strike. Many security strategies overlook this gap, and it is where risk quietly accumulates.
Malware doesn't stop at endpoints, and neither should your security. When attackers obtain credentials and session data, any cloud service in your stack, including Salesforce, becomes a target. The recent breach is a stark reminder that you can't afford to treat Salesforce security as an afterthought: the threat is already in motion. The question is, how prepared are you?