Yes, multiple class action lawsuits have been filed against major corporations following confirmed data breaches involving their Salesforce customer relationship management (CRM) systems in 2025. These breaches—affecting major brands including Google, Louis Vuitton, TransUnion, Farmers Insurance, and Workday—exposed sensitive customer data including names, dates of birth, and Social Security numbers through coordinated social engineering attacks.
The litigation has grown to encompass over 70 cases consolidated into a federal multidistrict litigation (MDL) in December 2025, representing one of the most significant Salesforce-related legal actions in recent years. The breaches themselves were not caused by technical vulnerabilities in Salesforce software but rather by attackers using vishing (voice phishing) and help desk impersonation to gain unauthorized access to customer accounts. This distinction matters legally because companies like Louis Vuitton are being sued not just for being breached, but allegedly for failing to implement recommended security measures that Salesforce itself publicized in a March 12, 2025 security advisory warning customers about these exact types of social engineering threats.
Table of Contents
- How Widespread Were the Salesforce Data Breaches Affecting Companies in 2025?
- Which Companies Have Filed or Been Named in Salesforce Data Breach Class Actions?
- What Types of Personal Data Were Exposed in These Breaches?
- What Was the Attack Method, and Could These Breaches Have Been Prevented?
- How Has the Litigation Been Consolidated and What Is Its Current Status?
- What Do the Lawsuits Allege About Company Negligence?
- What Does This Mean for Future Salesforce Customer Security and Litigation Trends?
- Conclusion
How Widespread Were the Salesforce Data Breaches Affecting Companies in 2025?
The 2025 Salesforce breach wave affected a significant portion of the customer base, with approximately 40 Salesforce customers confirmed compromised through social engineering attacks, though security researchers estimate the total exposure could affect 300-400 companies across multiple attack waves. The individual customer record exposures were staggering: Google disclosed in June 2025 that its Salesforce instance was breached, resulting in the theft of over 2.5 million customer records from its database.
In what may be the largest incident connected to the Salesforce breach wave, Workday confirmed in August 2025 that a breach affected up to 11,000 corporate customers and exposed 70 million individual user records, demonstrating how one compromised business system can cascade across an entire ecosystem of dependent organizations. These numbers place the Salesforce breach wave among the largest data exposures in recent corporate history, comparable in scale to major healthcare and financial services breaches. The fact that Google, a company with extensive cybersecurity resources, suffered such a massive loss of customer data underscores how effective the attackers’ social engineering tactics were regardless of an organization’s size or security maturity.

Which Companies Have Filed or Been Named in Salesforce Data Breach Class Actions?
The litigation landscape includes a diverse roster of corporate defendants and affected parties. Major companies specifically identified in lawsuits include TransUnion (the credit reporting agency), luxury brands Louis Vuitton and Christian Dior, insurance companies Farmers Insurance and Allianz Life Insurance, jewelry retailer Pandora, and the business software company Workday. TransUnion’s litigation has been particularly expansive, with the company facing 50+ separate lawsuits across five different federal district courts, indicating how widely customers felt harmed by the breach and subsequent handling of the incident.
A critical limitation of the current litigation is that it focuses on companies’ failures to implement security controls rather than on Salesforce itself as a primary defendant. This means that while Salesforce published its warning on March 12, 2025, the legal liability appears directed at customer organizations that allegedly ignored those warnings. Companies like Louis Vuitton are facing a 48-page complaint alleging the company failed to implement the five proactive preventive measures that Salesforce specifically recommended in that security advisory.
What Types of Personal Data Were Exposed in These Breaches?
The data compromised in the Salesforce breaches included the most sensitive categories of personally identifiable information: names, dates of birth, and Social Security numbers. This combination of data points is particularly dangerous because it contains exactly the information needed to commit identity theft and financial fraud.
Attackers gaining access to both an individual’s Social Security number and date of birth can apply for credit accounts, take out loans, or file fraudulent tax returns in the victim’s name. The exposure of this data through trusted business systems—CRM platforms where companies had legitimate reasons to store customer information—created a unique liability problem for the affected companies. Customers reasonably expected that personal data provided to major corporations would be protected by adequate security controls, making the companies’ alleged failure to implement recommended security measures a point of significant legal exposure.

What Was the Attack Method, and Could These Breaches Have Been Prevented?
The breaches were executed through social engineering rather than technical exploits—specifically using vishing (voice phishing) and help desk impersonation tactics attributed to threat actors UNC6040 (also known as ShinyHunters) and Scattered Spider (UNC3944), with confirmed activity dating back to June and July 2025. The attackers called company employees impersonating Salesforce help desk staff or other trusted IT personnel, requesting login credentials or access tokens. Once they obtained valid credentials, they could log into Salesforce as legitimate users without triggering any security alarms.
This attack vector exposes a gap in perimeter-focused security strategy: technical controls like firewalls and intrusion detection systems are ineffective against social engineering because the attacker is using legitimate credentials and following normal authentication paths. This is why Salesforce’s March 12, 2025 advisory specifically recommended multi-factor authentication (MFA), network access restrictions, and Salesforce Shield security tools, controls designed to prevent attackers from causing damage even if they obtain valid credentials. The Louis Vuitton lawsuit argues that the company failed to implement these recommended measures after being warned, making the breach “highly preventable” according to the complaint.
How Has the Litigation Been Consolidated and What Is Its Current Status?
The fragmented litigation was consolidated into a single multidistrict litigation (MDL) on December 16, 2025, designated as MDL No. 3170 under the formal case name “In re Trans Union, LLC, Customer Data Security Breach Litigation” and assigned to the U.S. District Court for the Northern District of Illinois.
This consolidation was necessary because separate lawsuits were filed in multiple jurisdictions—14 cases alone were filed in September 2025 in the Northern District of California—creating a risk of conflicting rulings and duplicative discovery if allowed to proceed separately. A key limitation of MDL consolidation is that it centralizes pretrial proceedings but does not automatically settle all claims. The defendants face substantial liability exposure with over 70 cases consolidated, though the actual damages and settlement ranges remain uncertain and will depend on how courts interpret corporate security obligations. The fact that the MDL is specifically focused on TransUnion suggests that the credit reporting company may face particular exposure given its role in handling sensitive consumer financial data—an inherently high-risk business requiring elevated security standards.

What Do the Lawsuits Allege About Company Negligence?
The legal complaints allege that companies like Louis Vuitton failed to implement commercially reasonable security practices despite being explicitly warned by Salesforce about the threat landscape. The 48-page Louis Vuitton complaint details how Salesforce’s March 12, 2025 advisory outlined specific, actionable preventive measures—multi-factor authentication, network access controls, and Salesforce Shield tools—that Louis Vuitton allegedly failed to deploy or inadequately deployed.
This creates a liability theory based not on Salesforce’s failure to protect its own platform, but on customer companies’ negligence in ignoring a specific, timely warning from their vendor. The complaints represent an escalation in how courts may view data breach liability in the SaaS (software-as-a-service) era. Rather than companies claiming they are blameless victims of sophisticated attackers, plaintiffs’ attorneys are arguing that companies with access to vendor security guidance have an affirmative duty to implement that guidance, particularly when the breach method is social engineering rather than a zero-day technical exploit.
What Does This Mean for Future Salesforce Customer Security and Litigation Trends?
The Salesforce breach litigation will likely influence how courts treat vendor security guidance going forward. Future cases may establish that when a major enterprise software vendor warns customers about a specific threat and provides detailed remediation steps, those customers face significant legal liability if they ignore that guidance and subsequently suffer breaches using the warned-about attack method.
This may accelerate adoption of security controls like MFA, which are increasingly viewed as non-negotiable rather than optional enhancements. The scale of the litigation—70+ cases consolidated into a federal MDL—signals that data breaches through business process compromise are becoming a major litigation category. Unlike technical vulnerabilities that affect all customers equally, social engineering exploits create different risk profiles for different companies based on security implementation, making class action certification more difficult but also creating stronger individual liability for companies that fail to implement standard protections.
Conclusion
The Salesforce data breach litigation of 2025 represents a significant shift in how courts may evaluate corporate security negligence. Rather than targeting Salesforce itself, the lawsuits focus on companies that allegedly failed to implement security recommendations from Salesforce after being explicitly warned about social engineering threats, resulting in the exposure of sensitive customer data including Social Security numbers and dates of birth. With over 70 cases consolidated into federal MDL No. 3170, the litigation affects major corporations including Louis Vuitton, TransUnion, Farmers Insurance, and Workday.
If you were a customer of any of these companies and your personal information was exposed in a Salesforce breach, you may be eligible to participate in these class actions. You should monitor updates from the federal court handling MDL No. 3170 in the Northern District of Illinois or consult with an attorney specializing in data breach litigation to understand your options and potential recovery, as settlement timelines and claim procedures have not yet been finalized.