Briefing: Swearingen v. Salesforce Inc. and Air France

This case is a loser for Salesforce. The October 2, 2025 filing in the Northern District of California puts Salesforce in an impossible position: defend an OAuth implementation it already abandoned as indefensible, or admit the May 2025 breach happened because it knowingly operated an authentication mechanism that invited social engineering attacks. Over one million Air France customers had their data compromised because Salesforce offered Device Flow authentication that functioned as an open door for vishing attacks. Then Salesforce eliminated Device Flow entirely four months later, creating a smoking gun that plaintiffs will wave at every hearing.

The shared responsibility model defense dies the moment plaintiffs show the jury that Salesforce removed the exact feature that enabled the breach. You cannot argue "the customer should have prevented this" when you subsequently decided the risk was so severe that no customer could be trusted to prevent it. That September 2, 2025 decision to terminate all Device Flow sessions immediately and require mandatory administrator approval is Salesforce admitting it built a trap and left it armed until attackers exploited it at scale.

Causes of Action

The complaint asserts the standard data breach menu: negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, breach of fiduciary duty, California UCL, Customer Records Act, and CCPA violations. None of this matters. This case is about negligence and whether Salesforce provided a commercially reasonable authentication mechanism. Everything else is window dressing to maximize settlement value.

What Actually Happened

UNC6040 and UNC6395 threat actors linked to ShinyHunters ran a vishing campaign exploiting the OAuth 2.0 Device Authorization Grant flow. They called Air France employees pretending to be IT support, told them to visit Salesforce verification pages, and had them enter eight-character codes. Employees complied because this is exactly how legitimate IT support operates in distributed enterprises. Access tokens went to attacker-controlled Data Loader instances. Data exfiltration proceeded undetected for weeks or months. Extortion demands followed, ranging from four to twenty Bitcoin.
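To make the mechanism in that paragraph concrete, here is an added illustration (not code from the page, from Salesforce, or from any vendor) that models the Device Authorization Grant as RFC 8628 describes it, alongside the control the article says Salesforce later made mandatory: administrator approval of the requesting application before any device-flow token is issued. The point it shows is that the token is delivered to whichever party holds the device code, which is the party that started the flow, not the person who typed the user code. The client names, the allow-list, the verification URI and the code alphabet are constructed for the example.

```python
"""
Added illustration of the OAuth 2.0 Device Authorization Grant (RFC 8628)
with an optional admin-approval gate. Constructed for this briefing; the
client identifiers, allow-list and verification URI are placeholders.
"""
import secrets
from dataclasses import dataclass


@dataclass
class DeviceSession:
    client_id: str            # the application that started the flow
    device_code: str          # secret held by that application
    user_code: str            # short code a human types at the verification page
    approved_by_user: bool = False


class AuthorizationServer:
    def __init__(self, admin_approved_clients, require_admin_approval=True):
        # Connected apps an administrator has vetted (constructed allow-list).
        self.admin_approved_clients = set(admin_approved_clients)
        self.require_admin_approval = require_admin_approval
        self.sessions = {}       # device_code -> DeviceSession
        self.by_user_code = {}   # user_code   -> DeviceSession

    def device_authorization(self, client_id):
        """Step 1: the client, not the user, starts the flow and receives a code pair."""
        alphabet = "BCDFGHJKLMNPQRSTVWXZ"   # consonant-only alphabet, as RFC 8628 suggests
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        device_code = secrets.token_urlsafe(32)
        session = DeviceSession(client_id, device_code, user_code)
        self.sessions[device_code] = session
        self.by_user_code[user_code] = session
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example.invalid/device",  # placeholder
        }

    def user_verification(self, user_code, user_consents):
        """Step 2: a signed-in user types the code at the verification page and consents."""
        session = self.by_user_code.get(user_code)
        if session is None:
            return "invalid_code"
        if user_consents:
            session.approved_by_user = True
        return "ok"

    def token(self, device_code):
        """Step 3: the client polls the token endpoint with its device code.

        The admin-approval check runs before the user-consent check, so a
        consenting user cannot unlock a token for an unvetted application.
        """
        session = self.sessions.get(device_code)
        if session is None:
            return {"error": "invalid_grant"}
        if self.require_admin_approval and session.client_id not in self.admin_approved_clients:
            return {"error": "unauthorized_client"}
        if not session.approved_by_user:
            return {"error": "authorization_pending"}
        return {"access_token": "tok_" + secrets.token_hex(8), "client_id": session.client_id}


def run_flow(server, client_id, user_consents):
    """Drive one complete exchange and return the final token-endpoint response."""
    start = server.device_authorization(client_id)
    server.user_verification(start["user_code"], user_consents)
    return server.token(start["device_code"])


if __name__ == "__main__":
    # Without the gate, a consenting user is enough: the token goes to whoever started the flow.
    permissive = AuthorizationServer(["vetted-loader"], require_admin_approval=False)
    print("no gate, unvetted client:", run_flow(permissive, "unvetted-client", True))

    # With the gate, the same consent does not yield a token for an unvetted client.
    gated = AuthorizationServer(["vetted-loader"], require_admin_approval=True)
    print("gate, unvetted client:   ", run_flow(gated, "unvetted-client", True))
    print("gate, vetted client:     ", run_flow(gated, "vetted-loader", True))
```

The design choice worth noting is the ordering inside `token()`: the allow-list decision is made on the application's identity, which the user never sees, rather than on the user's consent, which is exactly the step a caller posing as IT support is trying to obtain. That is why an administrator-side gate closes the path in a way that user training alone does not.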

Google published the first detailed threat intelligence on June 4, 2025. The Air France breach occurred in May. Salesforce killed Device Flow on September 2, 2025 and nuked every existing session. That four-month gap between public disclosure and remediation is fatal. Salesforce knew in June that Device Flow enabled these attacks and took three months to shut it down. Every breach that occurred between June and September is negligence per se.

The campaign hit hundreds of organizations including Google, Qantas, Adidas, LVMH, Chanel, and Allianz Life. This was not a targeted attack on Air France. This was systematic exploitation of a Salesforce authentication feature that worked exactly as designed and exactly as attackers needed it to work.

The Contractual Defense Collapses

Salesforce will argue the Data Processing Addendum creates a shared responsibility model. The platform secures infrastructure. Customers secure access management, application approvals, user authentication, and monitoring. Air France employees authorized the malicious apps, therefore Air France failed its security obligations. The contract allocates this risk to the customer.

This argument worked in 2023. It fails in 2025 because Salesforce eliminated the feature that required customers to defend against attacks that industry specifications acknowledged were nearly impossible to prevent. The IETF draft specification published June 2025 states Device Flow is susceptible to consent phishing and implementers should avoid it if risks cannot be mitigated. That is not a recommendation. That is the standards body telling the industry this flow is broken.

When the organization that writes OAuth standards says avoid Device Flow because the risks cannot be sufficiently mitigated, Salesforce cannot turn around and tell Air France it should have mitigated those risks through employee training and monitoring. The standard itself says effective mitigation is not achievable. Salesforce's September decision to remove Device Flow entirely confirms this. The shared responsibility model cannot allocate responsibility for preventing attacks that are designed to be unpreventable by customers.

The contractual limitation of liability provisions face similar problems. Courts enforce these caps between sophisticated parties in commercial contracts. But courts also refuse to enforce caps that violate public policy or excuse gross negligence. Operating an authentication mechanism that OAuth standards bodies describe as inherently vulnerable to social engineering, continuing to operate it for three months after learning it was being exploited at industrial scale, and then eliminating it because the risk was unacceptable is not ordinary negligence. That is gross negligence.

California courts have shown increasing willingness to void limitation clauses in data breach cases when providers fail to implement basic security controls. Salesforce is not accused of failing to implement basic controls. Salesforce is accused of affirmatively offering a feature that made attacks easier and then removing that feature only after widespread exploitation proved it was indefensible. No limitation clause survives that fact pattern.

The Timeline Destroys Salesforce

May 2025: Air France breach occurs via Device Flow exploitation.

June 4, 2025: Google publishes detailed threat intelligence identifying the attack pattern.

Late July 2025: Air France learns of intrusion.

August 2025: Air France notifies customers.

September 2, 2025: Salesforce eliminates Device Flow and terminates all sessions immediately.

This timeline is a plaintiff's dream. Salesforce had detailed threat intelligence for three months showing Device Flow enabled systematic breaches across hundreds of customers. Salesforce took no action for ninety days. Then Salesforce determined the risk was so severe that every Device Flow session had to be killed instantly with no exceptions.

The three-month delay between threat intelligence and remediation is indefensible. If the risk justified immediate termination of all sessions in September, it justified immediate termination in June. Every customer breached between June and September will argue Salesforce knowingly maintained a vulnerable authentication mechanism after learning it was being actively exploited. That is not a shared responsibility failure. That is provider negligence.

The notification delay compounds the problem. Three months between breach occurrence and customer notification violates California breach notification statutes requiring notification without unreasonable delay. Plaintiffs will argue Salesforce's delayed detection and Air France's delayed notification left them exposed to identity theft without warning to monitor financial accounts or credit reports. Negligence per se is established by statutory violation alone.

Marketing Representations Are Evidence, Not Defense

Salesforce maintains SOC 2 Type II attestations, ISO 27001 certifications, detailed security whitepapers, and the Trust website describing comprehensive security controls. The Security, Privacy and Architecture Documentation incorporated into the DPA describes specific technical and organizational measures Salesforce promised to maintain.

Every one of these documents becomes evidence against Salesforce. If the security documentation describes OAuth security controls, threat detection capabilities, or protection against unauthorized application access, plaintiffs use those statements to establish the standard of care Salesforce promised and failed to deliver. SOC 2 reports attesting to access control effectiveness become evidence that access controls failed. ISO certifications become evidence that certified processes did not prevent the breach.

The RFP responses and security questionnaires Salesforce provided to Air France during procurement are particularly dangerous. Enterprise customers ask hundreds of specific questions about OAuth security, application vetting, threat detection, and social engineering defenses. If Salesforce represented it implemented controls adequate to prevent these attacks, those representations are implied warranties that override contractual disclaimers.

Salesforce cannot hide behind "we only provide infrastructure security while customers secure access management" when its own documentation promises specific access management security controls. The shared responsibility model fails when the provider's marketing materials take responsibility for the exact security function that failed.

Industry Standards Offer No Shelter

Salesforce will argue its OAuth implementation met industry standards at the time. Device Flow was a published OAuth extension designed for legitimate use cases. Salesforce followed the specification. Other providers offered identical functionality. Meeting industry standards constitutes reasonable care.

This defense fails because industry standards evolved in June 2025 when the IETF published specifications warning that Device Flow is inherently vulnerable and should be avoided. Salesforce continued operating Device Flow for three additional months after the standard said avoid it. Industry practice cannot excuse maintaining a feature that current standards identify as too dangerous to use.

Moreover, industry practice is established by what reasonable providers actually do, not what specifications allow. If peer SaaS platforms deprecated Device Flow before May 2025 or implemented mandatory administrator approval earlier, Salesforce's security posture lagged the industry. Discovery will reveal what AWS, Microsoft Azure, Google Cloud Platform, and other major cloud providers did regarding Device Flow and when. Any provider that moved earlier than Salesforce establishes that earlier action was feasible and reasonable.

The foreseeability argument strengthens the plaintiff case. Scattered Spider conducted similar vishing campaigns against MGM and Caesars in 2023. Microsoft, Mandiant, and CrowdStrike published extensive threat intelligence about social engineering attacks on cloud platforms throughout 2023 and 2024. The attack pattern was known, documented, and actively exploited before Air France was breached. Salesforce had constructive knowledge that Device Flow presented social engineering risks and chose to maintain it anyway.

Damages Are Concrete, Not Speculative

Salesforce will argue plaintiffs cannot recover for increased identity theft risk because future harm is speculative. Courts divide on whether risk of future identity theft constitutes injury sufficient for standing and damages. Without evidence of actual misuse, plaintiffs have not suffered compensable harm.

This argument fails factually and legally. Factually, the exfiltrated data included Social Security numbers that cannot be changed once compromised. That creates lifetime exposure, not theoretical risk. Legally, California courts have consistently held that compromise of Social Security numbers alone establishes concrete injury supporting standing and damages. The data type matters more than whether misuse has occurred yet.

Credit monitoring costs are not speculative. They are actual out-of-pocket expenses incurred to mitigate breach harm. If Salesforce and Air France offered free monitoring and plaintiffs accepted, those costs are covered. If plaintiffs reasonably purchased monitoring independently because the offered services were inadequate, those costs are recoverable. The named plaintiff will establish a damages floor that multiplies across the class.

The benefit of the bargain theory is straightforward. Air France customers paid for services. Part of that value included keeping their information secure. Air France failed to provide that security. The difference between value promised and value delivered is compensable. This is basic contract damages, not speculative future harm.

Emotional distress is the weakest damages theory, requiring physical manifestation or exceptional circumstances. But the other theories provide sufficient damages to drive settlement value without needing emotional distress recovery.

Class Certification Is Likely

Salesforce will challenge commonality by arguing different class members suffered different injuries requiring individualized proof. Some members had only names and emails exposed. Others had Social Security numbers compromised. Damages vary by exposure type.

This fails because all class members share the common question of whether Salesforce negligently maintained Device Flow after learning it enabled systematic breaches. The liability question is identical across the class. Damages variations go to individual calculations after common liability is established, which courts routinely handle through subclasses or claims processes.

Typicality and adequacy challenges fail unless the named plaintiff has unique defenses unavailable to other members. If Swearingen received the same August notification letter as other Air France customers and had similar data exposed, his claims are typical. If he can demonstrate concrete harm through credit monitoring costs or documented identity theft attempts, he adequately represents member interests.

Predominance is easily satisfied because the core questions are whether Salesforce negligently maintained Device Flow and whether Air France adequately secured customer data. These questions apply uniformly across the class. Individual damages calculations do not defeat predominance when liability and causation are common.

Superiority is satisfied because individual actions are economically infeasible given per-plaintiff damages. Class treatment is the only realistic mechanism for adjudicating these claims. Arbitration agreements in airline ticket terms may complicate this analysis but typically fail in consumer protection contexts where statutory rights are at stake.

This Case Settles; the Question Is For How Much

Salesforce will not take this to trial. The September security changes are inadmissible evidence in most contexts but devastating here because they directly prove the May security posture was inadequate. You cannot tell a jury "we maintained reasonable security controls" when you eliminated the relevant control four months later because it was too dangerous to operate.

The settlement calculus is straightforward. One million class members. Credit monitoring costs of perhaps fifty to one hundred dollars per person over two years. That is fifty to one hundred million in direct costs before considering statutory damages under California privacy statutes, attorney fees, claims administration, and cy pres awards. The total settlement value likely ranges from one hundred fifty to three hundred million depending on how aggressively plaintiffs push statutory damages theories.

Salesforce will argue far lower values based on limitation of liability caps in the Air France contract. If the cap is twelve months of fees and Air France paid Salesforce ten million annually, the contract caps exposure at ten million. But that cap is not enforceable when gross negligence is established, and maintaining Device Flow for three months after learning it enabled widespread breaches is gross negligence.

The Air France indemnification question multiplies Salesforce's exposure. If the DPA requires Salesforce to indemnify Air France for third-party claims arising from security failures, Air France tenders the entire Swearingen defense and any settlement to Salesforce. That means Salesforce pays its own defense costs, Air France's defense costs, and the entire settlement or judgment. The indemnification provisions in the DPA are the most important unknown fact in this case.

The Real Risk Is Precedent

The settlement value matters less than what this case establishes for future SaaS provider liability. If Salesforce settles for nuisance value and maintains the shared responsibility model applies, nothing changes industry-wide. If Salesforce settles for substantial value and the settlement approval order includes findings that providers cannot offer features they know are vulnerable to social engineering, every SaaS vendor faces increased exposure for authentication mechanism choices.

The Northern District of California is not the worst venue for Salesforce but not the best either. This district has significant experience with technology litigation and data breach class actions. The judges understand SaaS architectures and shared responsibility models. But they also show consumer-protective instincts in privacy cases and less willingness to enforce one-sided liability limitations than some jurisdictions.

The procedural posture favors plaintiffs. Early motion to dismiss based on contractual defenses faces long odds when the complaint adequately alleges negligence and statutory violations. Salesforce needs summary judgment to avoid trial, which requires establishing no genuine dispute that it met the standard of care. The September security changes create a genuine factual dispute about whether May controls were adequate. That dispute goes to a jury.

Prediction

Salesforce settles this case within eighteen months for between one hundred fifty and two hundred fifty million. The settlement includes credit monitoring, a cash fund for documented damages, and cy pres awards to privacy organizations. Salesforce does not admit liability but agrees to maintain enhanced OAuth security controls. The settlement approval order includes minimal findings on the merits to avoid creating precedent.

Air France settles its portion separately or jointly depending on indemnification outcomes. If Air France successfully tenders to Salesforce, Salesforce pays the full amount. If indemnification fails, they split exposure with Salesforce taking sixty to seventy percent based on comparative fault for maintaining Device Flow versus Air France's employee training failures.

The case does not go to trial because Salesforce cannot risk a jury verdict on gross negligence that voids limitation of liability provisions and exposes the company to full damages across every customer breached in the Device Flow campaign. The business risk of adverse precedent on shared responsibility models exceeds the settlement cost.

That is the analysis. Salesforce is defending the indefensible, and everyone involved knows it.
