
Your CRM walked out through the Bulk API

Nobody hacked Salesforce. A login and a connected app you approved exported your entire customer list in minutes. Here is the data-breach path most teams do not watch, and how to close it.

Attack flow
1. Phish a session or consent a connected app
2. Authorize broad API access
3. Run Bulk API export jobs
4. Pull customer records
5. Extortion
Seen in the wild: UNC6040, ShinyHunters

The platform was never breached. Your customer list still left, through a door you built on purpose.

What it is

Salesforce holds the crown jewels of the business: customer records, contacts, opportunities, and cases. A compromised user session, or an OAuth connected app with API access authorized through social engineering, can use the Bulk API or a data export tool to pull large volumes of records quickly. Because the API and connected apps are a normal part of Salesforce, a mass export blends in unless someone is watching for it. This is T1078 (valid accounts) with T1213 (data from information repositories) and T1567 (exfiltration over a web service).

Why it works

There is no exploit and no MFA prompt to fail. The system of record for your customers leaves through a valid, approved integration.

How to detect it

Watch for Bulk API jobs and mass record exports from a user or connected app that does not normally export, especially right after a new connected app with broad scopes was authorized. Salesforce event monitoring records the jobs, the objects, and the volume.
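As an added example (not from the original note), a small detector over constructed export records: it baselines each user/connected-app pair on its own earlier daily export volume, flags a pair that has no export history or spikes well above its peak, and then checks whether a broad-scope connected-app grant landed shortly before the first export. The column names and sample values are constructed stand-ins, not Salesforce's exact event monitoring schema.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export events; column names are simplified stand-ins, not the exact schema.
EXPORT_EVENTS = """\
timestamp,actor,app,entity,rows
2024-03-01T09:10:00Z,alice,DataLoader,Account,1200
2024-03-04T09:12:00Z,alice,DataLoader,Account,150000
2024-03-05T02:41:00Z,bob,SyncHelper,Contact,480000
2024-03-05T02:49:00Z,bob,SyncHelper,Account,210000
"""
# Constructed connected-app consent grants: who approved which app with which OAuth scopes.
APP_GRANTS = """\
timestamp,actor,app,scopes
2024-02-10T11:00:00Z,alice,DataLoader,api
2024-03-05T02:30:00Z,bob,SyncHelper,full refresh_token
"""
BROAD_SCOPES = {"full", "refresh_token", "offline_access"}

def parse(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows

def detect_mass_exports(exports=EXPORT_EVENTS, grants=APP_GRANTS, min_rows=10_000,
                        spike_factor=5, grant_window=timedelta(hours=24)):
    """Alert on (actor, app) pairs whose daily export volume is out of character."""
    daily, first_ts = defaultdict(int), {}
    for e in parse(exports):
        key = (e["actor"], e["app"], e["ts"].date())
        daily[key] += int(e["rows"])
        first_ts[key] = min(first_ts.get(key, e["ts"]), e["ts"])
    grants, alerts = parse(grants), []
    for (actor, app, day), rows in sorted(daily.items(), key=lambda kv: kv[0][2]):
        # Baseline is this pair's own earlier daily totals, so a new app with no history stands out.
        history = [v for (a, p, d), v in daily.items() if (a, p) == (actor, app) and d < day]
        if rows < min_rows or (history and rows <= spike_factor * max(history)):
            continue  # within this pair's normal daily export volume
        reasons = ["no prior export history for this actor/app" if not history
                   else f"{rows} rows exceeds {spike_factor}x prior daily peak of {max(history)}"]
        # A broad-scope consent granted shortly before the first export is the consent-phishing path.
        if any((g["actor"], g["app"]) == (actor, app) and BROAD_SCOPES & set(g["scopes"].split())
               and timedelta(0) <= first_ts[(actor, app, day)] - g["ts"] <= grant_window
               for g in grants):
            reasons.append("broad-scope connected app authorized shortly before export")
        alerts.append({"actor": actor, "app": app, "day": str(day), "rows": rows, "reasons": reasons})
    return alerts
```

In production the same logic runs over the event monitoring export for the day, with the baseline window and thresholds tuned to the org's real integration traffic.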

The fix that holds

Require admin approval for connected apps, and keep them scoped and IP-restricted. Use least-privilege profiles and permission sets, limit Bulk API and export rights to the roles that need them, enable event monitoring, and use transaction security policies to block or alert on mass exports. Treat a bulk export as a customer-data breach, with the notification obligations that follow.

Practice it

We built a Salesforce bulk-export scenario in GraphLattice Range so teams learn to catch the export, revoke the app, and scope the exposure before the records are gone.