
How Do I Know If My Organization Has Been the Victim of a Hack?

With the upcoming security update for ‘Connected Apps’, Salesforce is taking an important step to counter social engineering. In our main article, we explained which actions you need to take now to prepare for this.

Still, you might be wondering: “Have we already been vulnerable in the past?” In this guide, we’ll take away that uncertainty. Here, we’ll show you exactly how you can check if your organization has been the victim of a hack.

Here is a step-by-step plan, from the most direct to more general investigative methods:

1. Direct Check: Auditing 'Connected Apps' (Most Important)

This is the most direct way to investigate this specific vulnerability. An attacker leaves the clearest tracks here.

  • Go to: Setup > Connected Apps OAuth Usage.
  • What to look for:
    • Unknown or suspicious apps: Look for apps you don’t recognize, especially those with generic names like “Salesforce API Access,” “Data Loader V3,” or other tools not officially implemented by your organization. A malicious app will often masquerade as a legitimate tool.
    • Unexpected “User Count”: Click on the number of users (User Count) for each suspicious app. Is a user who normally doesn’t export data (e.g., a marketing employee) suddenly authorizing an unknown ‘data tool’? That’s a red flag.
    • Check the authorization date: When did the user first grant access to the app?
    • Block immediately: Any app you don’t 100% trust can be blocked instantly from this page (Block) to prevent further access.

2. Analysis of Login History

If an attacker gains access via an app, it is often logged as a normal login.

  • Go to: Setup > Login History.
  • What to look for:
    • Location and IP Address: Are there user logins from unusual countries or IP addresses?
    • Application: The Application column shows which app was used to log in. If one of the suspicious apps from step 1 is listed here, it is a strong indicator of misuse.
    • Time: Look for logins in the middle of the night or on weekends by users who typically only work during business hours.
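The three Login History checks above can be run in one pass over an exported login list. This is an added example, not part of the original article: the column names, the approved-app allowlist, the expected countries and the business hours are all assumptions to adapt to your own export and organization.

```python
import csv
import io
from datetime import datetime

# Assumptions (not from the article): adjust to your own export and policy.
APPROVED_APPS = {"Browser", "Salesforce Mobile"}   # hypothetical allowlist
EXPECTED_COUNTRIES = {"NL", "BE"}                  # where your users normally work
BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59, weekdays only

# Constructed sample rows, not real login data. Column names are assumed.
SAMPLE_CSV = """Username,LoginTime,SourceIp,CountryIso,Application,Status
anna@example.com,2025-06-02T09:14:00,192.0.2.10,NL,Browser,Success
anna@example.com,2025-06-07T02:41:00,198.51.100.7,NL,Data Loader V3,Success
bram@example.com,2025-06-03T10:05:00,203.0.113.5,BR,Browser,Success
bram@example.com,2025-06-03T11:00:00,192.0.2.11,NL,Browser,Failed
"""

def triage_logins(csv_text):
    """Return (row, reasons) for every successful login that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"] != "Success":
            continue  # failed attempts gave no access; review them separately
        when = datetime.fromisoformat(row["LoginTime"])
        reasons = []
        if row["Application"] not in APPROVED_APPS:
            reasons.append("unapproved application")
        if row["CountryIso"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country")
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in triage_logins(SAMPLE_CSV):
        print(row["Username"], row["LoginTime"], row["Application"],
              row["SourceIp"], "->", ", ".join(reasons))
```

A login that trips more than one check, such as an unapproved app used on a weekend night, deserves attention first.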

3. Look for Traces of Large-Scale Data Export

This is a more advanced step that often requires extra tools, but it can reveal the impact of an attack.

  • Tool: If your organization has Salesforce Shield, use Event Monitoring.
  • What to look for:
    • ‘Report Export’ Events: Look for a spike in the number of exported reports. An attacker will often try to download a large amount of data in a short time via reports.
    • ‘API Events’: Look for an unusually high number of API requests from a single user or app, which indicates a systematic data download.
    • Without Shield: Manually check the Last Run Date of important reports containing sensitive customer data. Has a report been run recently by an unexpected user?
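One way to spot the report-export spike described above, as an added example that is not part of the original article. It assumes event log rows with `EVENT_TYPE`, `USER_ID` and an ISO-formatted `TIMESTAMP_DERIVED` column; the user IDs, the floor of 5 exports per hour and the factor of 3 are hypothetical values to tune.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: (user, hour) -> number of ReportExport events.
SAMPLE_COUNTS = {
    ("005A", "2025-06-02T09"): 1,
    ("005A", "2025-06-03T10"): 2,
    ("005A", "2025-06-07T02"): 8,   # burst from a user with a quiet history
    ("005B", "2025-06-04T14"): 6,   # burst from a user with no history at all
    ("005C", "2025-06-02T11"): 1,
}

def build_sample_log(spec):
    """Expand the compact spec into CSV text shaped like an event log."""
    lines = ["EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID"]
    for (user, hour), n in spec.items():
        lines += [f"ReportExport,{hour}:{m:02d}:00.000Z,{user}" for m in range(n)]
    lines.append("Login,2025-06-02T09:00:00.000Z,005C")  # other types are ignored
    return "\n".join(lines)

def export_spikes(log_text, floor=5, factor=3):
    """Flag user-hours whose export count is high in absolute terms and
    well above that user's median in their other active hours."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] == "ReportExport":
            hour = row["TIMESTAMP_DERIVED"][:13]  # YYYY-MM-DDTHH
            counts[(row["USER_ID"], hour)] += 1
    by_user = defaultdict(dict)
    for (user, hour), n in counts.items():
        by_user[user][hour] = n
    spikes = []
    for user, hours in by_user.items():
        for hour, n in hours.items():
            others = [c for h, c in hours.items() if h != hour]
            # No other active hours means no baseline: rely on the floor alone.
            baseline = median(others) if others else 0
            if n >= floor and n > factor * baseline:
                spikes.append((user, hour, n, baseline))
    return sorted(spikes)

if __name__ == "__main__":
    for user, hour, n, baseline in export_spikes(build_sample_log(SAMPLE_COUNTS)):
        print(f"{user} exported {n} reports in hour {hour} (baseline {baseline})")
```

Comparing each hour against the user's other hours keeps a heavy but legitimate exporter from drowning out a first-time burst by someone who never exports.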

We're Here to Help

The goal of this step-by-step plan is to give you an overview and, above all, certainty. As you can see, an effective audit always starts with the Connected Apps OAuth Usage page. From there, you use the login history and other tools to get a complete picture.

Whether you have confirmed that everything is in order, or you’ve encountered something unexpected, the most important recommendation is to make this check a routine, for example, on a semi-annual basis. This way, security becomes a regular part of your management, rather than a reaction to an incident.

Are you still left with questions after this check, or did you see something you’re unsure about? Don’t hesitate to get in touch. We are happy to review the situation with you, without obligation, and help you further.

You can reach us via support or by calling +31 85 130 49 35.


Lindsey Roumimper

Salesforce Consultant
