
‘75M Salesforce Records Exposed’ in Loblaw Breach: Hacker’s Deadline Approaches
Key Takeaways
- Loblaw breach exposed 75M Salesforce records.
- Threat actor demands response by March 19.
- No passwords, health, or credit data compromised.
- Connected app audit recommended for all Salesforce orgs.
- Similar large-scale breaches expected to continue.
Summary
Canada's largest grocer, Loblaw, disclosed a data breach affecting an estimated 75.1 million Salesforce records, 19.3 million Oracle IDCS identities, and additional datasets. The breach, discovered on a non‑critical network segment, exposed names, phone numbers and email addresses but no passwords, health information, or credit‑card data. A threat actor has set a March 19 deadline, threatening public release of the data if the retailer does not respond. Loblaw has secured the affected systems and logged customers out while investigations continue.
Pulse Analysis
The Loblaw incident underscores how a single misconfiguration in a cloud‑based CRM can cascade into a massive data exposure. While the compromised assets were limited to a non‑critical segment, the sheer volume of Salesforce and Oracle identity records illustrates the depth of integration between retail operations and SaaS platforms. For businesses that rely on Salesforce for customer engagement, the breach serves as a cautionary tale: even without a direct vulnerability in the service, inadequate access controls can grant threat actors unfettered visibility into personal data, eroding consumer trust and inviting regulatory scrutiny.
Security professionals are now urging a comprehensive audit of connected applications within Salesforce environments. Unused or unknown apps often linger with excessive permissions, creating a hidden attack surface that can be exploited without triggering traditional alerts. By enforcing strict approval workflows, limiting user‑generated app installations, and regularly reviewing permission sets, organizations can reduce the likelihood of similar intrusions. The incident also spotlights the importance of robust identity governance; the 19.3 million Oracle IDCS records suggest that identity providers must enforce multi‑factor authentication and continuous monitoring to thwart credential‑theft attempts.
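One way to run the connected-app audit described above, as an added example that is not from the original article: it flags apps that are unapproved, unused, or hold broad scopes. The inventory, its column names, the allowlist, the scope list, the audit date and the 90-day threshold are all constructed assumptions, not a Salesforce export format.

```python
import csv
import io
from datetime import date

# Constructed inventory; the column names are a hypothetical export schema.
SAMPLE_INVENTORY = """app_name,last_used,scopes
Marketing Sync,2025-03-01,api refresh_token
Legacy Data Loader,2023-06-14,full refresh_token
Unknown Reporting Tool,2025-02-20,api
Support Widget,,full
"""

APPROVED_APPS = {"Marketing Sync", "Legacy Data Loader", "Support Widget"}  # assumed allowlist
BROAD_SCOPES = {"full"}   # assumed: scopes this org treats as excessive
STALE_AFTER_DAYS = 90     # assumed review threshold


def audit_connected_apps(inventory_csv, today, approved=APPROVED_APPS):
    """Return (app_name, reasons) for each app needing review, most reasons first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        if row["app_name"] not in approved:
            reasons.append("not on approved list")
        if not row["last_used"]:
            # An app that was authorized but never used is the clearest removal candidate.
            reasons.append("never used")
        else:
            idle = (today - date.fromisoformat(row["last_used"])).days
            if idle > STALE_AFTER_DAYS:
                reasons.append(f"unused for {idle} days")
        broad = sorted(BROAD_SCOPES & set(row["scopes"].split()))
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if reasons:
            findings.append((row["app_name"], reasons))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


if __name__ == "__main__":
    # Constructed audit date for the sample data.
    for name, reasons in audit_connected_apps(SAMPLE_INVENTORY, date(2025, 3, 10)):
        print(f"{name}: {'; '.join(reasons)}")
```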
For retailers and other data‑intensive enterprises, the fallout from the Loblaw breach will likely accelerate investments in zero‑trust architectures and incident‑response capabilities. Proactive measures such as encrypted data at rest, granular logging, and rapid customer notification protocols not only mitigate damage but also align with evolving privacy regulations in Canada and beyond. As threat actors continue to weaponize publicly available cloud configurations, companies must treat SaaS security as a core component of their overall risk management strategy, ensuring that every integration point is continuously validated and defended.