Farmers Insurance breach: what actually happened and what to do next
Farmers Insurance (policyholder-owned Exchanges, managed by Farmers Group, Inc., part of Zurich). Large U.S. P&C insurer serving millions of households; tens of thousands of employees and ~48k agents across the U.S.
What happened ~ Farmers disclosed a data breach impacting ~1.1M people, linked publicly to the broader 2025 Salesforce-targeting campaign. Breach notices and coverage indicate the attacker accessed a third-party vendor-hosted database containing Farmers customer data in late May 2025.
How ~ This wave is not a Salesforce zero-day. It’s vishing + malicious OAuth: attackers impersonate IT, trick staff into authorizing a fake/modified Salesforce Data Loader (a “Connected App”), then use OAuth/API access to bulk export CRM data. Google Threat Intelligence Group (the team that now includes Mandiant) attributes major activity to UNC6040; follow-on extortion has been linked to related clusters (often branded “ShinyHunters”).
Regulatory breadcrumbs
State AG portals: California AG shows Farmers Insurance Exchange / Farmers Group, Inc. and Farmers New World Life entries with incident date 05/29/2025 and notice 08/22/2025. Maine AG also lists Farmers.
Public-company comparables (8-K): While Farmers isn’t U.S.-listed, similar insurers have disclosed Salesforce-linked or contemporaneous cyber events via Form 8-K, e.g., Aflac filed on June 20, 2025. Useful benchmark for materiality/disclosure playbooks.
The broader spree
Allianz Life (~1.1M accounts) and other brands reported losses through the same OAuth/Data Loader playbook; multiple outlets detail the same pattern and threat-actor branding.
Salesloft/Drift angle: separate but related reports show attackers stealing OAuth/refresh tokens from third-party integrations to pivot into customers’ Salesforce orgs and exfiltrate data. (Good reminder to audit every connected app, not just Salesforce-native ones.)
Impact (what data, why it matters) ~ For Farmers, reporting and notices indicate exposure of names, addresses, dates of birth, driver’s license numbers, and last four of SSNs. The classic identity-theft cocktail. Expect phishing and account-takeover waves that reuse this PII.
Threat intel to watch (Mandiant/GTIG)
TTPs: Voice phishing → fake Data Loader → Connected App grant → Bulk API/ReportExport spikes → data exfil → extortion emails.
Attribution: GTIG tracks initial access as UNC6040; extortion activity sometimes tracked distinctly (e.g., UNC6240), with “ShinyHunters” branding observed across cases.
What security leaders should do this week
1) Lock down OAuth & Connected Apps
Restrict who can consent to new apps; use allow-lists and least-privilege scopes; shorten token lifetimes.
Turn on alerts for new app grants and scope escalations; require step-up MFA for any consent change.
2) Detect bulk exfil early
Ingest Salesforce Shield Event Monitoring into your SIEM; alert on Bulk API jobs, ReportExport spikes, Data Loader user agents, off-hours/foreign ASN activity; automate revoke-token / block-app / freeze-user.
3) Review third-party integrations
Inventory and monitor Salesforce-to-SaaS connections (e.g., chatbots, AI agents). Re-issue credentials; rotate secrets; validate vendor token handling. The Salesloft/Drift case shows how stolen tokens can become your incident.
4) Harden the help desk
Vishing is the front door. Script high-assurance callbacks and out-of-band verification before any app consent or SSO change.
5) Paper the disclosure path
Prep state AG templates and (if public) your 8-K workflow now; you won’t have time to build it mid-incident.
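As an added example (not code from the original post, nor a Salesforce product), this is the shape of the step-2 detection logic run over constructed Event Monitoring-style log lines: the column names, thresholds and rule names are assumptions, and the three response actions are the kill-switches named above.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample events (not a real export). The column names are an
# assumption loosely modelled on Salesforce Event Monitoring log files.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,USER_AGENT,ROWS_PROCESSED
Login,2025-05-29T02:03:11Z,005AAA,203.0.113.7,Salesforce Data Loader/64.0,0
BulkApi,2025-05-29T02:05:40Z,005AAA,203.0.113.7,Salesforce Data Loader/64.0,150000
ReportExport,2025-05-29T02:07:01Z,005AAA,203.0.113.7,Mozilla/5.0,0
ReportExport,2025-05-29T02:07:20Z,005AAA,203.0.113.7,Mozilla/5.0,0
ReportExport,2025-05-29T02:07:45Z,005AAA,203.0.113.7,Mozilla/5.0,0
ReportExport,2025-05-29T14:10:00Z,005BBB,198.51.100.5,Mozilla/5.0,0
BulkApi,2025-05-29T15:00:00Z,005CCC,198.51.100.9,Salesforce Data Loader/64.0,900
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC; tune to your org's footprint
EXPORT_SPIKE = 3                # ReportExport events per user per clock hour
BULK_ROWS = 10_000              # rows in one Bulk API job that warrants a page

# Rule name -> automated SOAR response (the kill-switches named in step 2)
ACTIONS = {
    "bulk_api_mass_export": "revoke-token",
    "data_loader_off_hours": "block-app",
    "report_export_spike": "freeze-user",
}

def detect(log_text):
    """Return de-duplicated (user_id, rule, action) alerts for the log."""
    alerts = []
    exports = Counter()   # (user, hour bucket) -> ReportExport count

    def raise_alert(user, rule):
        alert = (user, rule, ACTIONS[rule])
        if alert not in alerts:   # one ticket per user/rule, not per event
            alerts.append(alert)

    for r in csv.DictReader(StringIO(log_text)):
        ts = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        user = r["USER_ID"]
        if r["EVENT_TYPE"] == "BulkApi" and int(r["ROWS_PROCESSED"]) >= BULK_ROWS:
            raise_alert(user, "bulk_api_mass_export")
        if "Data Loader" in r["USER_AGENT"] and ts.hour not in BUSINESS_HOURS:
            raise_alert(user, "data_loader_off_hours")
        if r["EVENT_TYPE"] == "ReportExport":
            bucket = (user, ts.strftime("%Y-%m-%dT%H"))
            exports[bucket] += 1
            if exports[bucket] == EXPORT_SPIKE:
                raise_alert(user, "report_export_spike")
    return alerts
```

Only user 005AAA trips the rules here; the daytime single export and the small Data Loader job stay quiet, which is the point of pairing thresholds with time-of-day rather than alerting on every Data Loader login.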
Minimal viable stack beyond native controls
Deploy an SSPM (e.g., Reco, AppOmni, Obsidian Security) for OAuth inventory + auto-revocation.
Add CASB (API-mode) for Salesforce + SaaS DLP rules on PII fields (e.g., Palo Alto Networks, Netskope, Zscaler, Cisco).
Stream logs to SIEM with SOAR playbooks (revoke/block/freeze), and protect with OwnBackup/Odaseva.
Takeaway
This is a CRM-layer attack powered by human manipulation and OAuth misuse, not a platform zero-day. Treat your CRM like critical infrastructure: govern consents, watch the APIs, drill the help desk, and automate kill-switches.