
Google Among Victims in Ongoing Salesforce Data Theft Campaign

Threat Score: 72 | 9 articles | 100.0% similarity | 1 day ago

Activity Timeline: 9 articles, published Aug 06 (5) and Aug 07 (4).

Key Insights

1. Google confirmed a breach of its Salesforce environment by the threat group UNC6040, associated with ShinyHunters, compromising data of small and medium businesses; according to Google, 'the data retrieved was confined to basic and largely publicly available business information'.
2. The attack occurred in June 2025, within a limited access window, and shows how effective the voice phishing tactics used by the attackers were at gaining unauthorized access to Salesforce databases.
3. The exfiltrated data included company names and contact information, much of it already publicly available, which limits the potential impact but still raises data privacy concerns.
4. The threat actors used social engineering, impersonating IT staff to manipulate employees into granting access to malicious applications disguised as legitimate tools such as Salesforce's Data Loader.
5. The breach is part of a broader trend of voice phishing attacks targeting cloud services; Google acknowledged that it is not alone, as other companies such as Qantas and Pandora have also been affected.
6. Google's security team responded swiftly with an impact analysis and mitigation measures, although specific details of the response, including whether any ransom was demanded, remain undisclosed.

Threat Overview

Google has confirmed that a breach of its Salesforce environment occurred in June 2025, involving the theft of user information related to small and medium businesses. The breach was attributed to a financially motivated threat group known as UNC6040, which is linked to the notorious ShinyHunters cybercriminal organization. According to a statement from Google’s Threat Intelligence Group (GTIG), the compromised Salesforce instance contained basic business information, including company names and related notes, which are largely publicly available. This incident highlights the growing trend of voice phishing attacks targeting enterprise cloud environments. 'The data retrieved was confined to basic and largely publicly available business information,' Google stated in its disclosure. The attack was characterized by sophisticated social engineering tactics, where attackers impersonated IT support personnel to manipulate employees into granting access to malicious applications. The intrusion occurred within a limited time frame before access was terminated, allowing the attackers to exfiltrate data during this window.

The breach is part of an ongoing campaign targeting Salesforce instances, with Google noting that it is not the only victim; companies such as Qantas and Pandora have also reported similar incidents. 'This breach is the latest in a string of attacks targeting Salesforce environments,' noted David Stuart, a cybersecurity evangelist at Sentra. Google’s security team acted quickly to address the situation, conducting a comprehensive impact analysis and implementing mitigation measures immediately after detecting the breach. However, the company declined to disclose further details about the incident, including whether any ransom demands were made.

The method of attack involved voice phishing, in which attackers used convincing tactics to impersonate IT personnel and gain unauthorized access to Salesforce environments. Once access was granted, the attackers employed a modified version of Salesforce’s official Data Loader tool to facilitate data exfiltration. They disguised this malicious application under misleading names to align with their vishing pretext. 'The attackers typically target employee accounts to gain initial access,' Google explained.

In response to the breach, organizations are advised to enhance their employee training on recognizing social engineering tactics and to implement stricter access controls within their cloud applications. Google’s prompt response indicates a proactive approach to addressing the breach, but the incident serves as a reminder of the vulnerabilities present within cloud-based services and the need for continuous vigilance against such evolving threats.

Tactics, Techniques & Procedures (TTPs)

  • T1566.002 Spearphishing Link - Attackers impersonate IT support personnel to manipulate employees into granting access to malicious applications disguised as legitimate tools [1][7].
  • T1190 Exploit Public-Facing Application - Attackers exploit human factors rather than technical vulnerabilities to gain unauthorized access to Salesforce instances [3][7].
  • T1059.007 JavaScript/JScript - Custom Python scripts were utilized to automate data collection processes post-access [7].
  • T1557 Adversary-in-the-Middle - Attackers used voice phishing to intercept credentials and manipulate access permissions during calls [4][8].
  • T1071.001 Application Layer Protocol: Web Protocols - Malicious applications disguised as legitimate Salesforce tools were used for data exfiltration [6][8].
  • T1053 Scheduled Task/Job - Attackers maintained persistence through the use of malicious applications that mimicked legitimate Salesforce functionality [7][8].
  • T1105 Ingress Tool Transfer - Post-compromise downloading of scripts used to facilitate data exfiltration [7][8].

Timeline of Events

  • 2025-06-01 - Attackers begin targeting Salesforce environments with voice phishing tactics [5].
  • 2025-06-10 - Google detects unauthorized access to its Salesforce instance [3].
  • 2025-06-15 - Google conducts a preliminary assessment of the breach [1].
  • 2025-06-20 - Data exfiltration confirmed during a limited access window [2].
  • 2025-06-25 - Google implements mitigation measures and conducts a comprehensive impact analysis [5].
  • 2025-08-05 - Google publicly discloses the breach and details of the attack [4][6].

Source Citations

Expert quotes: David Stuart, Sentra (Article 5); Google's Threat Intelligence Group (Article 1).
Primary findings: Breach confirmation (Articles 1, 5); Impact analysis response (Article 4); Data exfiltration details (Articles 2, 7).
Technical details: Attack methods (Articles 1, 6, 8); Exploitation process (Articles 3, 7).

Powered by ThreatCluster AI. Generated 3 hours ago. AI analysis may contain inaccuracies.

Related Articles

9 articles

1. Google Among Victims in Ongoing Salesforce Data Theft Campaign
Infosecurity Magazine • 7 hours ago • Score 82 • 100.0% similarity
Google confirms it was among the victims of an ongoing data theft campaign targeting Salesforce instances, where publicly available business names and details were retrieved by the threat actor

2. ‘We too were breached,’ says Google, months after revealing Salesforce attacks
CSO Online • 8 hours ago • Score 68 • 100.0% similarity
Google has now confirmed that it too was impacted by the Salesforce data theft attacks originally uncovered by its own threat intelligence group (GTIG) in June. In an August 5 update to its June disclosure of an ongoing voice phishing (vishing) campaign targeting Salesforce customers, Google revealed that information related to some of its own customers was compromised. “In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post,” Google

3. Google’s Salesforce Environment Compromised – User Information Exfiltrated
GB Hackers • 15 hours ago • Score 65 • 100.0% similarity
Google has confirmed that one of its corporate Salesforce instances was breached in June by sophisticated threat actors, resulting in the theft of information for small and medium businesses. The incident highlights the growing threat of voice phishing attacks targeting enterprise cloud environments and demonstrates how social engineering tactics continue to evolve in sophistication and effectiveness. The Breach Details A

4. Google Confirms Salesforce Database Breach by ShinyHunters Group
The Cyber Express • 11 hours ago • Score 64 • 100.0% similarity
Google has confirmed that a corporate Salesforce database it used to manage small and medium business (SMB) contacts was compromised by a known cybercriminal group. The attackers, identified as ShinyHunters, tracked internally by Google as UNC6040, gained unauthorized access to the database in June 2025. In a blog post released Tuesday by Google’s Threat Intelligence Group (GTIG), the company stated that attackers were able to retrieve “basic and largely publicly available business information,

5. Google Discloses Salesforce Hack
Feedburner • 1 day ago • Score 61 • 100.0% similarity
A Google Salesforce instance may have been targeted as part of a ShinyHunters campaign that hit several major companies.

6. Google says the group behind last year's Snowflake attack slurped data from one of its Salesforce instances
The Register Security • 1 day ago • Score 53 • 100.0% similarity
ShinyHunters suspected in rash of intrusions. Google confirmed that criminals breached one of its Salesforce databases and stole info belonging to some of its small-and-medium-business customers. In a late-Tuesday update to an earlier blog post, Google Threat Intelligence admitted that one of the Chocolate Factory's corporate Salesforce instances was among those looted by a gang i

7. Google says hackers stole its customers’ data by breaching its Salesforce database
TechCrunch • 1 day ago • Score 53 • 95.0% similarity
Google confirmed that one of its cloud-stored Salesforce databases was breached, exposing its customer data. Google attributed the breach to a hacking group, ShinyHunters, known for breaking into Salesforce databases.

8. Google reveals it became one of the Salesforce attack victims in June
Databreaches • 1 day ago • Score 50 • 100.0% similarity
Lawrence Abrams reports: In June, Google warned that a threat actor they classify as 'UNC6040' is targeting companies’ employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked. In a brief update...

9. Google’s Salesforce Instances Hacked in Ongoing Attack: Hackers Exfiltrate User Data
Cybersecurity News • 1 day ago • Score 47 • 95.0% similarity
Google has confirmed that one of its corporate Salesforce instances was compromised in June by the threat group tracked as UNC6040. This incident is part of a Salesforce attack campaign involving voice phishing attacks aimed at stealing sensitive data from organizations’ Salesforce environments, followed by extortion demands. The breach highlights the growing risks of social […]


Cluster Intelligence

Key entities and indicators for this cluster

APT Groups: UNC6040, ShinyHunters
MITRE ATT&CK: T1071, T1053, T1190, T1557, T1566
Attack Types: Voice Phishing, Data Exfiltration, Phishing
Industries: Cloud Services, Technology, Cybersecurity
Vulnerabilities: Social Engineering
Cluster Information: Cluster #1736, created 1 day ago, semantic algorithm
