Farmers Insurance Hit by Third-Party Data Breach Exposing Personal Information of 1.1 Million People

Leading insurer Farmers Insurance has confirmed that a third-party data breach, apparently stemming from the ongoing Salesforce voice phishing campaign, has leaked the personal information of over 1.1 million people.

With over 10 million clients, 48,000 agents, and 21,000 employees, Farmers Insurance Group, which includes Farmers New World Life Insurance Company (Farmers Insurance), insures the lives, homes, vehicles, and small businesses of its customers.

According to a statement posted on its website, the insurance giant was notified on May 30, 2025, that unauthorized access to its third-party managed database had occurred on May 29, 2025.

Farmers said the impacted vendor responded promptly by initiating containment measures to restrict the threat actor’s activity and prevent further compromise.

“The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor,” Farmers said.

The insurance giant also independently launched an investigation with third-party cyber forensics to determine the scope of the incident and notified relevant authorities.

Farmers Insurance third-party data breach leaked personal information

On July 24, the results of the investigation determined that the third-party data breach leaked “a select population” of Farmers Insurance customers’ names, driver’s license numbers, dates of birth, addresses, and the last four digits of their Social Security Numbers.

“There was no evidence demonstrating that additional personal information was accessed,” the insurance company said.

According to a data breach notification filed with the Office of the Maine Attorney General, the digital intrusion affected 1,111,386 people.

Farmers Insurance also confirmed that it had notified impacted individuals on August 22 to help them take precautionary measures to avoid becoming victims of fraud. The insurance giant is also offering 24 months of free identity-monitoring services through CyberScout Monitoring to protect the victims further.

The insurance company also advised victims to remain vigilant for suspicious activity by monitoring their financial statements and credit reports and reporting any discrepancies.

Nevertheless, Farmers has no evidence that the stolen data was leaked online or misused. It also assessed that the third-party data breach did not compromise its internal IT systems and infrastructure.

However, the insurance giant has yet to disclose the vendor responsible for the third-party data breach or the identity of the threat actor.

Another Salesforce attack

Nonetheless, the third-party data breach bears the hallmarks of the Salesforce voice phishing attack by prolific data leaker UNC6040 or ShinyHunters, which has impacted over a dozen high-profile organizations, including Google, via a third-party managed CRM system.

“The Farmers Insurance breach is a classic example of modern supply chain risk,” said Kevin Marriott, Senior Manager of Cyber and Head of SecOps at Immersive. “Attackers increasingly go after smaller, third-party vendors, often through targeting CRM technologies, because they are often the path of least resistance into a larger organization. For many companies, security is only as strong as the weakest link in its digital supply chain, and that can mean hundreds of vendors with access to sensitive data.”

While American life assurance giant Aflac withheld the identities of the affected vendor and the implicated threat actor, it was also impacted by the apparent Salesforce hacking campaign.

Other apparent victims of the ongoing Salesforce vishing campaign include Cisco, luxury giants Dior, Louis Vuitton, Tiffany & Co., Chanel, Adidas, and Pandora. The third-party data breach also impacted human resources management firms Workday and Manpower.

Apparently, the hacking campaign involves calling IT helpdesk staff and luring them into authorizing a rogue data export OAuth app on their Salesforce portal.

After gaining access, the attackers exfiltrate data and demand a ransom to avoid leaking the stolen information online. They also use the leaked data to advance the vishing campaign and target other organizations.
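A defender-side check for the pattern described above, as an added example that is not part of the original article: it flags OAuth grants to apps outside an approved list and raises severity when the newly granted app then reads a large number of rows. The event schema, app names, allowlist and threshold are constructed for illustration and are not Salesforce's actual log format.

```python
from collections import defaultdict

# Hypothetical allowlist of connected apps the organization has vetted.
APPROVED_APPS = {"Corp Data Loader", "Marketing Sync"}
EXPORT_ROW_THRESHOLD = 50_000   # assumed tuning value
WINDOW_SECONDS = 24 * 3600      # correlate reads within a day of the grant

# Constructed sample events in a simplified, made-up schema.
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "oauth_authorize", "user": "helpdesk1", "app": "Corp Data Loader"},
    {"ts": 2000, "type": "oauth_authorize", "user": "helpdesk2", "app": "Export Helper"},
    {"ts": 2600, "type": "api_query", "user": "helpdesk2", "app": "Export Helper", "rows": 40000},
    {"ts": 3200, "type": "api_query", "user": "helpdesk2", "app": "Export Helper", "rows": 35000},
    {"ts": 4000, "type": "api_query", "user": "helpdesk1", "app": "Corp Data Loader", "rows": 90000},
    {"ts": 5000, "type": "oauth_authorize", "user": "sales7", "app": "Calendar Helper"},
]

def find_suspect_grants(events, approved=APPROVED_APPS,
                        threshold=EXPORT_ROW_THRESHOLD, window=WINDOW_SECONDS):
    """Alert on OAuth grants to unapproved apps; severity is 'high' when the
    same (user, app) pair reads at least `threshold` rows inside `window`."""
    grants = {}               # (user, app) -> timestamp of first grant
    rows = defaultdict(int)   # (user, app) -> rows read after the grant
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["app"])
        if ev["type"] == "oauth_authorize" and ev["app"] not in approved:
            grants.setdefault(key, ev["ts"])
        elif ev["type"] == "api_query" and key in grants:
            if ev["ts"] - grants[key] <= window:
                rows[key] += ev.get("rows", 0)
    alerts = []
    for (user, app), ts in sorted(grants.items(), key=lambda kv: kv[1]):
        severity = "high" if rows[(user, app)] >= threshold else "medium"
        alerts.append({"user": user, "app": app, "granted_at": ts,
                       "rows_read": rows[(user, app)], "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_grants(SAMPLE_EVENTS):
        print(alert)
```

An approved app with heavy reads (the `Corp Data Loader` rows above) is deliberately not alerted on here; volume baselining for vetted apps is a separate control.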

“A key takeaway is that the attack method isn’t technically sophisticated,” added Marriott. “Threat groups like ShinyHunters and Scattered Spider rely on social engineering and vishing to trick vendor employees into handing over their login credentials for SaaS platforms like Salesforce. Once inside, they can exfiltrate customer data not just from one business but potentially from all of that vendor’s clients at once.”

The ongoing compromise of managed databases and customer relationship management (CRM) systems has been widely attributed to ShinyHunters. The Snowflake supply chain hack, which impacted numerous organizations, was also widely attributed to the threat group.