Swearingen v. Salesforce Inc. and Air France was filed on Oct. 2, 2025, in the Northern District of California after attackers allegedly exploited OAuth tokens and phishing applications to compromise Salesforce systems. According to the complaint, the incident exposed highly sensitive data, including names, dates of birth, and Social Security numbers, belonging to more than one million individuals. Air France customers, including the plaintiff, received notification letters months later.
The lawsuit frames this as a third-party breach: Salesforce stored the data, and its compromise exposed customers such as Air France. Further, the complaint describes a hub-and-spoke model, with Salesforce as the hub and client companies as the spokes, so a failure at the hub can ripple across every spoke.
Token Theft and Application Exploitation Have a Long History
The mechanics of the Swearingen complaint fit a pattern of token misuse and application exploitation that has driven some of the most serious data incidents of the past few years.
Slack token theft, 2022
Attackers stole employee tokens to access Slack’s GitHub repositories. Slack disclosed that no customer data was affected, but the incident illustrated how developer tokens can become keys to sensitive environments.
Okta support breach, 2023
Okta reported that attackers accessed its customer support system and obtained files containing session tokens. The incident ultimately affected all support users. This breach underscored that session tokens, if exfiltrated, can be repurposed as a broad access path.
Salesforce and Air France, 2025
In Swearingen v. Salesforce, the complaint alleges that attackers used OAuth tokens and phishing apps as the initial entry point to exfiltrate data at scale. Tokens are necessary components of modern stateless or delegated authentication; the case shows they are high-value assets that demand protection equal to passwords and encryption keys.
What Salesforce and Air France have confirmed
Salesforce has acknowledged that a breach occurred in May 2025. Air France disclosed in notification letters that its customer data was accessed by unauthorized parties, and the company mailed notices in August 2025. These are admitted facts drawn from the defendants’ own notices referenced in the complaint.
Everything else in the filing, including the hub-and-spoke liability theory, claims of negligence, and allegations of delayed notification, remains alleged, not adjudicated.
How the alleged attack unfolded
Alleged OAuth token exploitation
The complaint states attackers abused OAuth tokens and phishing apps to gain access to Salesforce environments. Once access was achieved, they allegedly exfiltrated sensitive identifiers at scale.
Hub and spoke ripple effect
Because Salesforce acts as a central hub for multiple enterprise customers, the breach allegedly spread its impact outward to organizations like Air France. Plaintiffs argue this interconnectedness magnifies both the harm and the duty of care.
Alleged Link to UNC6395
According to the complaint, Google’s Threat Intelligence team linked the attack to a group known as UNC6395, which has reportedly been targeting Salesforce customers. Plaintiffs point to this as evidence that such attacks were foreseeable.
Timeline and scope of the alleged Salesforce breach
May 2025: Attackers allegedly compromised Salesforce systems using OAuth token exploits and phishing apps.
July 2025: Multiple sources claim Air France learned in late July of a related intrusion, but no source shows when the Air France intrusion occurred.
August 2025: Air France notified affected customers. The delay is part of the plaintiff’s claim that notification was not prompt.
Scope: The complaint alleges that data belonging to more than one million individuals was exposed, including Social Security numbers.
The complaint argues that these identifiers are especially damaging because they cannot be changed once exposed. This fuels the plaintiff’s claim of long-term identity-theft risk.
Legal exposure in plain language
Alleged duties and failures
The lawsuit claims Air France had a duty to keep customer data safe, did not do enough to protect it, did not stop the leak, and did not tell people fast enough.
Causes of action and requested relief
Plaintiffs seek damages and injunctive relief, including enhanced logging, third-party audits, stronger employee education, and SOC 2 Type 2 assessments over multiple years. These requests are typical in breach cases and align with what regulators expect in security frameworks.
Harm theory and claimed damages
The complaint asserts risks of identity theft, invasion of privacy, and economic losses. Plaintiffs allege that time spent addressing breach fallout, plus the intangible loss of trust, constitute measurable harm. These allegations would need to be proven in court.
Preventive guidance for enterprise security teams
Whether or not the court rejects the hub-and-spoke theory, the complaint highlights familiar risks: tokens abused as skeleton keys, delayed breach notifications, and data over-collection. CISOs can treat these as preventive lessons.
Token management is enterprise risk
Tokens must be handled like credentials. Treat OAuth tokens, API keys, and session tokens as sensitive secrets, not disposable conveniences. Policies for rotation, revocation, and monitoring need to be explicit and enforced.
Shared platforms don’t erase liability
Even if the breach originates in a vendor’s environment, your customers hold you accountable. Vendor risk management is not an IT formality — it is executive liability.
Notification speed matters
Delays invite regulatory action and bolster plaintiff claims. CISOs should test and document notification procedures to meet the strictest applicable timelines.
Minimization and retention reduce blast radius
If your systems hold Social Security numbers or similarly sensitive identifiers, be prepared to justify why. Courts look closely at over-retention.
Documentation is your shield
Courts and regulators expect evidence: policies, audit logs, contracts, and risk assessments. “We followed industry standards” only holds up if you can prove it.
ThreatLocker® controls that prevent OAuth token exploitation
Each attack step in the complaint has preventive lessons, and ThreatLocker answers the call.
Deny by default at the endpoint
Allowlisting prevents unauthorized tools from running. Even a maliciously installed app cannot execute unless it has been explicitly approved.
Restrict application interaction
Ringfencing™ limits what approved apps can connect to or access. It prevents a legitimate-looking app from exfiltrating sensitive records at will.
Limit token exposure
Network Control enforces least-privilege network connectivity. Even if malware is successfully executed, it won’t be able to connect to a remote command and control server.
Prevent privilege abuse
Elevation Control grants admin rights to apps, not to whole users. Blanket elevated permissions are easy to configure, but difficult to track and maintain. Elevation Control applies just-in-time administrative access to individual applications the instant an administrator approves a user’s request for elevation.
Constrain storage and egress
Storage Control defines where data can live and where it can go. Exfiltration channels via unauthorized apps or removable media are blocked.
Detect and respond quickly
ThreatLocker Detect isolates endpoints in minutes, reducing dwell time. Detect cuts off large-scale exports even if a token is already abused. The ThreatLocker MDR team monitors Detect alerts 24/7/365.
Harden Microsoft 365
Cloud Detect for Microsoft 365 monitors for suspicious sign-ins or anomalous token use and alerts security teams before abuse becomes data loss.
SaaS access review checklist
IT operations
- Inventory SaaS apps and users quarterly.
- Enforce MFA or SSO on sensitive platforms.
- Revoke dormant accounts and application subscriptions.
GRC and compliance staff
- Require documented SaaS access reviews.
- Map SaaS apps to compliance requirements.
- Keep centralized records of token policies, MFA status, and log retention.
Security architects
- Integrate SaaS authentication with your IdP.
- Enforce conditional access by device location and deny authentication to devices with too many compliance violations.
- Monitor SaaS logins for anomalies.
CISOs and security leaders
- Require security reviews of all new SaaS purchases.
- Track MFA adoption, SSO coverage, and access review completion rates.
- Add token-abuse scenarios to tabletop exercises.
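The token-management policy above (rotation, revocation, monitoring) and the checklist's inventory and anomaly-monitoring items can be turned into a concrete review. The following is an added example, not part of the original post or any ThreatLocker or Salesforce tooling: it runs three checks over constructed connected-app audit events (unapproved app, bulk export per token within a time window, dormant token past its revocation age). The approved-app inventory, thresholds and event format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SaaS connected-app audit events (not real data):
# (timestamp, token_id, connected_app, user, action, record_count, source_ip)
EVENTS = [
    ("2025-05-02T09:01:00", "tok-A1", "Sales Reporting", "alice", "login", 0, "203.0.113.10"),
    ("2025-05-02T09:05:00", "tok-A1", "Sales Reporting", "alice", "export", 2_000, "203.0.113.10"),
    ("2025-05-02T11:40:00", "tok-B7", "DataLoader Helper", "bob", "login", 0, "198.51.100.5"),
    ("2025-05-02T11:41:00", "tok-B7", "DataLoader Helper", "bob", "export", 400_000, "198.51.100.5"),
    ("2025-05-02T11:52:00", "tok-B7", "DataLoader Helper", "bob", "export", 350_000, "198.51.100.5"),
    ("2025-05-02T12:10:00", "tok-C3", "Sales Reporting", "carol", "login", 0, "203.0.113.77"),
    ("2025-01-15T08:00:00", "tok-D9", "Legacy Sync", "svc-sync", "login", 0, "192.0.2.8"),
]
APPROVED_APPS = {"Sales Reporting", "Legacy Sync"}  # assumed app inventory
BULK_EXPORT_THRESHOLD = 500_000          # records per token per window (assumed)
EXPORT_WINDOW = timedelta(hours=1)
DORMANT_AFTER = timedelta(days=90)       # idle tokens past this are revocation candidates (assumed)
NOW = datetime(2025, 5, 3)               # fixed "current time" for the constructed data

def review_token_activity(events, approved, now):
    findings = []                 # (token_id, finding, detail)
    unapproved = set()
    exports = defaultdict(list)   # token_id -> [(timestamp, record_count)]
    last_seen = {}
    for ts_s, tok, app, user, action, count, ip in events:
        ts = datetime.fromisoformat(ts_s)
        last_seen[tok] = max(ts, last_seen.get(tok, ts))
        # 1. Token minted for an app that is not in the approved inventory
        if app not in approved and tok not in unapproved:
            unapproved.add(tok)
            findings.append((tok, "unapproved_app", f"{app} used by {user} from {ip}"))
        if action == "export":
            exports[tok].append((ts, count))
    # 2. Bulk export: records pulled by one token within a sliding window
    for tok, rows in exports.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            total = sum(c for t, c in rows[i:] if t - start <= EXPORT_WINDOW)
            if total > BULK_EXPORT_THRESHOLD:
                findings.append((tok, "bulk_export", f"{total} records within {EXPORT_WINDOW}"))
                break
    # 3. Dormant tokens that should be revoked under the rotation policy
    for tok, seen in last_seen.items():
        if now - seen > DORMANT_AFTER:
            findings.append((tok, "dormant_revoke", f"last used {seen.date()}"))
    return findings

def demo():
    return review_token_activity(EVENTS, APPROVED_APPS, NOW)
```

On the constructed data this flags tok-B7 twice (unapproved app and 750,000 records exported in under an hour) and tok-D9 as dormant; a real deployment would feed the same checks from the platform's audit log export and route findings to revocation and alerting.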
Next step: Strengthen the token trust chain
In Swearingen v. Salesforce, attackers allegedly exploited OAuth tokens to open a floodgate of sensitive data. That’s the cautionary tale: tokens are identities, and identities are the new perimeter.
ThreatLocker® Cloud Control continuously monitors SaaS and identity platforms to flag suspicious logins, risky device behaviors, and token misuse. By closing these pathways, enterprises can reduce the chance of ever facing their own hub-and-spoke lawsuit.
Meet the world’s leading Zero Trust platform
Allow what you need. Block everything else by default, including ransomware and rogue code. Book your demo today.