So You’ve Locked Things Down in Salesforce. Don’t Forget About the Tools Connected to It
We often hear questions from clients like “Is Salesforce secure?” or “Do we really need MFA?” Salesforce has made meaningful improvements over the years and provides strong security capabilities when they are used correctly. That said, security is never guaranteed, and having Salesforce well configured is only part of the picture.
Risk often emerges around Salesforce, in the growing number of tools that connect to it. Chat platforms, sales tools, marketing automation, integration platforms, and now AI-driven workflows all rely on behind-the-scenes access to data. In a recent incident involving Salesloft and its Drift integration, bad actors used OAuth tokens stolen from that connected app to gain access to customer Salesforce environments. The tokens let them bypass normal login protections and query data with the legitimate access the integration had been granted.
This is a useful example of how issues can arise outside the core platform, even when everything inside Salesforce appears to be locked down. It also shows why visibility and oversight across connected systems are becoming just as important as what happens inside Salesforce itself. As teams adopt more automation and experiment with AI across multiple tools, clear governance around identity and access helps ensure those connections behave as expected over time.
For organizations thinking about data protection, backups, or overall security posture, it is worth expanding the conversation beyond Salesforce alone and looking at the full ecosystem that surrounds it.