Farmers Insurance has disclosed a substantial data breach affecting 1,111,386 customers after a third-party vendor’s database was accessed on May 29, 2025.
The insurer — a U.S. firm that covers auto, home, life, and business risks and serves over 10 million households through its agent network and subsidiaries — said the incident was detected the following day when a vendor alerted Farmers to suspicious activity.
The company says that the vendor’s monitoring tools blocked the unauthorized actor and that Farmers launched an immediate investigation and notified law enforcement.
Breach Discovery, Investigation, and Notification
Farmers published a data breach notification describing the incident and the steps taken after the vendor raised the alarm. “On May 30, 2025, one of Farmers’ third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor’s databases containing Farmers customer information (the ‘Incident’),” the notification reads.
The vendor reportedly had monitoring in place that allowed it to detect and contain the activity quickly. Farmers began sending breach notices to impacted individuals on August 22 and provided a sample notification to the Maine Attorney General’s Office detailing the scope.
Farmers did not name the vendor in its public notice. BleepingComputer reports that the data was taken as part of the widespread Salesforce data theft attacks that have affected many organizations this year. Farmers said it launched a comprehensive investigation to determine the nature and scope of the incident and that it notified appropriate law enforcement authorities as part of the response.
Scope and Types of Exposed Data
According to Farmers’ investigation, the compromised records included customer names, addresses, dates of birth, driver’s license numbers and/or the last four digits of Social Security numbers. The company’s advisory states those categories were among the fields accessed, and that the precise data varied by individual. Farmers emphasized in its notification that the third-party vendor had acted to block the actor and that the company was investigating whether additional data elements were affected.
The breach notice does not list account passwords, financial credentials, or payment card data as part of the exposed set. Still, the combination of PII elements such as driver’s license numbers and partial SSNs is significant for identity verification workflows and customer-facing processes.
Third-Party Vendor and Salesforce Connection
While Farmers withheld the vendor’s identity in its public advisory, multiple industry reports link the incident to the broader Salesforce intrusions. Since early 2025, threat actors tracked under clusters such as UNC6040 and UNC6240 have run social-engineering campaigns against Salesforce customers.
In those intrusions, operators use voice-based social engineering to persuade employees to connect a malicious OAuth application to their Salesforce instances. Once the app is authorized, attackers gain API access sufficient to download CRM data at scale.
Farmers’ disclosure aligns with that pattern: a vendor database containing Farmers customer information was accessed and data exfiltrated. The vendor’s monitoring reportedly detected the unusual activity, enabling containment, but not before customer records were copied.
How the Salesforce Data Theft Campaign Operates
Public reporting and industry analysis describe a consistent playbook used against multiple organizations. Attackers initiate vishing engagements that impersonate IT or support staff and then convince an employee to approve a connected app or otherwise authorize access. The malicious app acts as a bridge into the organization’s Salesforce environment, allowing automated extraction of contacts, records, and other CRM content.
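A defender-side detection check for the pattern described above, added here as an example and not taken from Farmers, Salesforce, or the cited reporting: it correlates the authorization of an unapproved connected app with the number of records that app reads afterwards. The event records, field names, allowlist, window, and threshold are constructed assumptions, not a real Salesforce log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are hypothetical, not a Salesforce
# log schema; map them from whatever audit source you actually collect.
EVENTS = [
    {"ts": "2025-01-15T09:00:00", "type": "oauth_app_authorized", "user": "agent17", "app": "Ticket Helper"},
    {"ts": "2025-01-15T09:04:00", "type": "api_query", "user": "agent17", "app": "Ticket Helper", "rows": 30000},
    {"ts": "2025-01-15T09:09:00", "type": "api_query", "user": "agent17", "app": "Ticket Helper", "rows": 45000},
    {"ts": "2025-01-15T09:30:00", "type": "oauth_app_authorized", "user": "svc_billing", "app": "Billing Sync"},
    {"ts": "2025-01-15T09:35:00", "type": "api_query", "user": "svc_billing", "app": "Billing Sync", "rows": 200000},
    {"ts": "2025-01-15T10:00:00", "type": "oauth_app_authorized", "user": "agent22", "app": "Calendar Add-in"},
    {"ts": "2025-01-15T10:10:00", "type": "api_query", "user": "agent22", "app": "Calendar Add-in", "rows": 120},
    {"ts": "2025-01-17T11:00:00", "type": "api_query", "user": "agent22", "app": "Calendar Add-in", "rows": 90000},
]
APPROVED_APPS = {"Billing Sync"}   # assumed allowlist of vetted connected apps
WINDOW = timedelta(hours=24)       # assumed correlation window after a grant
ROW_THRESHOLD = 50000              # assumed "bulk read" cutoff; tune per org


def find_suspect_grants(events, approved, window=WINDOW, threshold=ROW_THRESHOLD):
    """Flag grants of unapproved apps and total the rows each app read afterwards."""
    grants, rows = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["app"])
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "oauth_app_authorized":
            if e["app"] not in approved:
                grants[key], rows[key] = ts, 0
        elif e["type"] == "api_query" and key in grants:
            if ts - grants[key] <= window:   # ignore reads outside the window
                rows[key] += e["rows"]
    return [
        {"user": u, "app": a, "granted": grants[(u, a)].isoformat(), "rows": n,
         "severity": "high" if n >= threshold else "review"}
        for (u, a), n in rows.items()
    ]


if __name__ == "__main__":
    for alert in find_suspect_grants(EVENTS, APPROVED_APPS):
        print(alert)
```

Every grant of an app outside the allowlist is returned for review, and it is raised to high severity when the reads that follow it within the window cross the threshold. Reads that fall outside the window are not counted here and need a separate per-app volume baseline.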
The stolen CRM exports have been used in extortion emails demanding payment to prevent public release. That extortion layer has been associated with the ShinyHunters cybercrime group, which says its operations involve overlapping threat actors that handle different parts of the intrusion, from initial access to data dumping.
Claims, Collaboration, and the Role of ShinyHunters
ShinyHunters has publicly commented on its role in the attacks and, in conversations with reporters, described coordination with other groups. “Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same,” ShinyHunters told BleepingComputer. “They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”
These statements illustrate a model in which one set of operators focuses on social engineering and access, while other actors perform data extraction and distribution. The result is a multi-stage campaign that has hit a long list of organizations this year.
Farmers is among numerous firms reporting data theft tied to the Salesforce attacks. Other impacted organizations named in reporting include major technology, retail, airline and luxury brands, such as Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries including Louis Vuitton, Dior, and Tiffany & Co. The campaign’s breadth — across sectors that rely on CRM systems for customer records and support workflows — has amplified the operational impact for both enterprises and end customers.
What Farmers Insurance Has Said Publicly
Farmers Insurance’s public advisory focuses on detection, containment and investigation conducted in coordination with the third-party vendor. The company said that vendor monitoring allowed rapid detection and that containment measures were applied to block the unauthorized actor.
The insurance provider also noted that it notified law enforcement and began notifying affected customers, providing breach letters and sample notices to state authorities as required. The company has not released a technical postmortem or named the vendor in its public statement.
The Farmers Insurance data breach underscores how social-engineering attacks against third-party providers and cloud CRMs can cascade into customer data exposures at scale.
Whether tracked as UNC6040, UNC6240, or linked to named groups such as ShinyHunters, the intrusions share a pattern: human manipulation to gain OAuth access to Salesforce, followed by automated extraction and, in some cases, extortion demands.
Farmers’ notification of 1,111,386 impacted individuals places the incident among the larger CRM-linked exposures reported this year and ties it to an industry-wide trend in which threat actors weaponize CRM access to harvest customer records.