Farmers Insurance Data Breach Exposes 1.1M After Salesforce Hack

Summary
– Farmers Insurance suffered a data breach impacting 1.1 million customers through a third-party vendor’s compromised database on May 29, 2025.
– The breach exposed customers’ names, addresses, dates of birth, driver’s license numbers, and/or the last four digits of Social Security numbers.
– The incident is linked to widespread Salesforce data theft attacks in which threat actors use social engineering and malicious OAuth apps.
– The cybercrime group ShinyHunters is behind the extortion demands, claiming collaboration with other threat groups for initial access and data exfiltration.
– Other major companies affected by similar Salesforce attacks include Google, Cisco, Adidas, and subsidiaries of LVMH.
A significant data breach at Farmers Insurance has compromised the personal information of over 1.1 million customers, stemming from a third-party vendor incident earlier this year. The insurer confirmed unauthorized access to a database containing sensitive customer data, including names, addresses, dates of birth, driver’s license numbers, and partial Social Security details. This incident underscores the persistent risks associated with third-party service providers in the insurance and financial sectors.
Farmers Insurance, one of the largest providers of auto, home, life, and business coverage in the United States, serves more than 10 million households through an extensive network of agents. The breach occurred on May 29, 2025, when an unauthorized actor infiltrated a vendor’s system housing customer records. The vendor’s monitoring tools detected the suspicious activity the following day, prompting immediate containment measures and notification to Farmers.
Upon learning of the intrusion, Farmers launched a comprehensive investigation and alerted law enforcement. The company stated that the vendor acted swiftly to block further unauthorized access. Impacted individuals began receiving breach notifications on August 22, with official filings confirming the exposure of data belonging to 1,111,386 customers.
Although Farmers did not publicly identify the vendor involved, sources indicate the incident is linked to a broader campaign targeting Salesforce customers. Throughout this year, threat actors known as UNC6040 or UNC6240 have used social engineering tactics, including voice phishing, to deceive employees into authorizing malicious OAuth applications. Once connected, these apps enabled attackers to exfiltrate entire databases.
The ShinyHunters cybercrime group has claimed responsibility for the extortion efforts following these breaches. In communications, they revealed coordination with other threat actors, including Scattered Spider, who provide initial access to Salesforce systems. This collaborative model mirrors earlier attacks on companies like Snowflake and has affected major organizations including Google, Cisco, Adidas, and luxury brands under LVMH such as Louis Vuitton and Dior.
Farmers has not commented on whether extortion attempts followed the breach. The company is advising affected customers to monitor their accounts and consider identity protection services. This event highlights the critical importance of robust third-party risk management and multi-factor authentication in preventing similar incidents.
(Source: Bleeping Computer)





