Farmers Insurance data breach exposes 1.1 million customers in Salesforce attack

The insurer confirmed that attackers accessed sensitive customer data—including names, addresses, birth dates, driver’s license details, and partial Social Security numbers—affecting 1,111,386 individuals, with official breach notifications beginning on August 22, according to filings with the Maine Attorney General’s Office

U.S.-based insurer Farmers Insurance has confirmed that personal information of more than 1.1 million customers was exposed following a data breach linked to ongoing Salesforce-related cyberattacks. The company disclosed the incident in a notice posted on its website.

According to the advisory, suspicious activity was first detected on May 29, 2025, at a database managed by one of Farmers’ third-party vendors. The following day, the vendor alerted the company that an unauthorized actor had gained access to customer data. Monitoring tools reportedly helped identify the intrusion quickly and block the malicious activity, while Farmers launched an investigation and notified law enforcement.

The insurer confirmed that sensitive customer details—including names, addresses, dates of birth, driver’s license numbers, and in some cases, the last four digits of Social Security numbers—were accessed by the attackers. Farmers began sending official notifications to impacted customers on August 22, with filings to the Maine Attorney General’s Office indicating that 1,111,386 individuals were affected.

Tied to Salesforce data theft campaigns

While Farmers did not name the vendor involved, cybersecurity researchers reportedly said that the incident is part of the widespread Salesforce breaches attributed to threat actors operating under the designations UNC6040 and UNC6240.

These attackers have been using sophisticated social engineering techniques, including voice phishing calls, to convince employees to authorize malicious OAuth applications connected to Salesforce environments. Once access is secured, databases are downloaded and later exploited for extortion attempts.

The notorious ShinyHunters group has claimed responsibility for coordinating parts of the campaign, alleging collaboration with other cybercriminal collectives such as Scattered Spider. The tactics mirror those used in recent breaches involving Snowflake databases.

Growing list of victims

Farmers Insurance now joins a long list of major organizations compromised in these Salesforce-linked attacks. Other affected companies include Google, Cisco, Adidas, Workday, Qantas, Allianz Life, and luxury brands under LVMH such as Louis Vuitton, Dior, and Tiffany & Co.

The incident underscores the rising risks associated with third-party platforms and highlights how coordinated threat groups are exploiting trusted cloud ecosystems to compromise sensitive customer data at scale.