In a new development in an ongoing cybersecurity campaign, Google has acknowledged a data breach in one of its Salesforce systems carried out by the hacker group ShinyHunters.
The breach, which occurred in early June, compromised one of Google’s internal Salesforce instances, exposing contact information and notes related to small and medium businesses. Back then, Google’s Threat Intelligence Group (GTIG) had already warned about this threat, labeling the attackers as “UNC6040,” a financially motivated group, and their extortion arm as “UNC6240.”
Now, in an update to its original post, the tech giant has acknowledged that it had been targeted. According to GTIG, the stolen data was restricted to “basic and largely publicly available” business information, such as business names and contact details. The intrusion was reportedly brief, with access cut off quickly after detection.
“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations,” says Google’s update.
“The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off.”
Who Are ShinyHunters?
ShinyHunters, a well-known extortion group, has been linked to a string of high-profile breaches, including at Snowflake, AT&T, NitroPDF, and PowerSchool. This summer, they have claimed responsibility for compromising Salesforce data at companies like Adidas, Qantas, Allianz Life, Cisco, Dior, Louis Vuitton, and Pandora.
This time, they have used voice phishing, or “vishing,” to fool employees into giving up access to cloud services like Salesforce.
A Widening Web Of Attacks
Google’s breach is just one piece of a much larger campaign by ShinyHunters to steal and weaponize Salesforce data. The group reportedly uses social engineering tactics, such as posing as IT support during convincing phone calls, to trick employees into handing over credentials or approving fake apps connected to a company’s Salesforce account.
Once inside, they deploy custom scripts or a modified Salesforce Data Loader to quietly extract sensitive business data.
In some cases, the attackers use modified versions of these tools disguised with names like “My Ticket Portal” to match the pretext they used in their phishing calls.
Importantly, these attacks don’t exploit any flaws in Salesforce itself. The platform remains secure. Instead, the hackers depend on human error, such as manipulating users into giving up credentials or approving malicious connected apps.
The stolen data is then used for ransom demands, with companies receiving threatening emails demanding payment in bitcoin within 72 hours or risk having their information leaked online. In some cases, companies have paid hefty sums to prevent the release of sensitive information, with one company reportedly paying $400,000 to keep its data from being leaked online.
Google’s Response
To help organizations protect themselves from these kinds of social engineering attacks, especially those involving tools like Salesforce Data Loader, Google has shared several key security measures, including:
- Restricting access to Salesforce Data Loader and connected apps
- Using IP-based access restrictions
- Enforcing multi-factor authentication (MFA) universally
- Monitoring for large data downloads
- Limiting permissions based on roles
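Two of the measures above, monitoring for large data downloads and restricting which connected apps may pull data, can be turned into a simple detection over exported API event logs. The script below is an added example, not Google's guidance or Salesforce's code. The log records are constructed, and the column names (EVENT_TYPE, TIMESTAMP, USER_NAME, CLIENT_NAME, ROWS_PROCESSED), the row threshold and the allowlist of client names are assumptions loosely modelled on Salesforce event log exports; a real org's event files and thresholds will differ. It flags any user whose exported row count within a sliding one-hour window exceeds the threshold, and separately flags exports made through a client name that is not on the allowlist (which is where a renamed tool such as “My Ticket Portal” would surface).

```python
"""Flag bulk exports and unapproved clients in Salesforce-style API event logs.

Added example; not Google's or Salesforce's code. The records below are
constructed, and the column names are assumptions modelled loosely on
Salesforce event log exports (real files vary by event type and org).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one user exports a normal volume through the approved
# Data Loader, another pulls ~105k rows in minutes through a client called
# "My Ticket Portal" that nobody in this org approved.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_NAME,CLIENT_NAME,ROWS_PROCESSED
BulkApi,2025-06-03T09:00:12Z,alice@example.com,Data Loader,500
BulkApi,2025-06-03T09:05:40Z,alice@example.com,Data Loader,700
BulkApi,2025-06-03T14:10:02Z,bob@example.com,My Ticket Portal,45000
BulkApi,2025-06-03T14:12:55Z,bob@example.com,My Ticket Portal,60000
ReportExport,2025-06-03T16:30:00Z,carol@example.com,Browser,1200
"""

APPROVED_CLIENTS = {"Data Loader", "Browser"}  # assumed org allowlist
ROW_THRESHOLD = 50_000                          # assumed: rows per user per window
WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse the CSV export into dicts with typed timestamp and row count."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["TIMESTAMP"] = datetime.strptime(rec["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        rec["ROWS_PROCESSED"] = int(rec["ROWS_PROCESSED"])
        events.append(rec)
    return events


def find_bulk_exports(events, threshold=ROW_THRESHOLD, window=WINDOW):
    """Return {user: peak_rows} for users whose rows exported inside any
    sliding window of length `window` exceed `threshold`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda r: r["TIMESTAMP"]):
        by_user[e["USER_NAME"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["ROWS_PROCESSED"]
            # Slide the window start forward until it covers at most `window`.
            while evs[end]["TIMESTAMP"] - evs[start]["TIMESTAMP"] > window:
                total -= evs[start]["ROWS_PROCESSED"]
                start += 1
            if total > threshold:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


def find_unapproved_clients(events, approved=APPROVED_CLIENTS):
    """Return sorted (user, client) pairs for exports via non-allowlisted clients."""
    return sorted({(e["USER_NAME"], e["CLIENT_NAME"])
                   for e in events if e["CLIENT_NAME"] not in approved})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, rows in find_bulk_exports(evs).items():
        print(f"ALERT bulk export: {user} exported {rows} rows within {WINDOW}")
    for user, client in find_unapproved_clients(evs):
        print(f"ALERT unapproved client: {user} via {client!r}")
```

Running it on the constructed log raises one bulk-export alert for bob@example.com (105,000 rows in under an hour) and one unapproved-client alert for the same user via “My Ticket Portal”; alice's Data Loader runs stay well under the threshold. In practice the allowlist should be derived from the connected apps actually approved in the org, and the threshold from a baseline of normal Data Loader usage.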
“By implementing these measures, organizations can significantly strengthen their security posture against the types of vishing and the UNC6040 data exfiltration campaign,” Google concluded.