Google has confirmed that cybercriminals successfully breached one of its Salesforce database instances in June 2024, becoming the latest high-profile victim in an ongoing campaign targeting cloud-based customer relationship management systems.
The tech giant disclosed the incident on August 5, 2025, revealing that hackers exfiltrated data containing contact information for small and medium businesses stored on the platform.
The breach was attributed to UNC6040, a financially motivated threat group that operates under the alias ShinyHunters during extortion phases.

According to Google’s Threat Intelligence Group, the attackers accessed the corporate Salesforce instance through sophisticated voice phishing (vishing) techniques, retrieving basic business information including company names and contact details during a limited timeframe before access was terminated.
Sophisticated Voice Phishing Campaign
UNC6040’s attack methodology relies heavily on social engineering rather than technical vulnerabilities in Salesforce systems.
The threat actors impersonate IT support personnel in convincing telephone calls to employees, particularly targeting English-speaking staff at multinational corporations across the Americas and Europe.
During these vishing calls, attackers guide victims to Salesforce’s connected app setup page, instructing them to authorize what appears to be a legitimate version of Salesforce’s Data Loader application.

However, the application is actually a modified malicious version that grants the attackers extensive capabilities to access, query, and exfiltrate sensitive information from compromised Salesforce environments.
In some cases, the fake application has been disguised with names like “My Ticket Portal” to align with the social engineering pretext used during calls.
The attackers have evolved their tactics over time, initially using Salesforce’s legitimate Data Loader but now employing custom Python scripts that perform similar functions.
They utilize Mullvad VPN and Tor networks to obscure their activities and have shifted from creating trial accounts with webmail addresses to using compromised accounts from unrelated organizations to register their malicious applications.
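The connected-app abuse described above leaves traces a defender can review: a successful login through an app that was never approved, an app name that imitates Data Loader, or a session arriving from anonymizing infrastructure. The following is an added example, not code from the article or from Google or Salesforce, of a small triage routine over such records. The record layout and every sample row are constructed for illustration and only loosely resemble a Salesforce login-history export; the allow-list and the anonymizer IP range (a TEST-NET documentation range) are placeholders an organization would replace with its own approved-app inventory and a maintained threat feed.

```python
"""Triage connected-app logins against an allow-list (added illustrative example)."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed allow-list: connected apps the org has reviewed and approved.
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce for Outlook"}

# Constructed placeholder: documentation range standing in for a real
# feed of VPN/Tor exit ranges.
ANONYMIZER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class AppLogin:
    """One login record; shape is an assumption, not an exact export schema."""
    user: str
    app: str
    source_ip: str
    login_time: datetime
    status: str  # "Success" or a failure reason


@dataclass
class Finding:
    user: str
    app: str
    reasons: list


def is_anonymizer(ip: str) -> bool:
    """True when the source address falls inside a configured anonymizer range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_RANGES)


def is_lookalike(app: str) -> bool:
    """True when the name borrows 'Data Loader' but is not an approved app verbatim."""
    normalized = app.lower().replace(" ", "")
    return "dataloader" in normalized and app not in APPROVED_APPS


def triage(records):
    """Return a Finding for every successful login that trips at least one check."""
    findings = []
    for rec in records:
        if rec.status != "Success":
            continue  # failed attempts are noise for this review
        reasons = []
        if rec.app not in APPROVED_APPS:
            reasons.append("connected app not on allow-list")
        if is_lookalike(rec.app):
            reasons.append("name imitates Data Loader")
        if is_anonymizer(rec.source_ip):
            reasons.append("source IP in anonymizer range")
        if reasons:
            findings.append(Finding(rec.user, rec.app, reasons))
    return findings


# Constructed sample records for a self-contained run.
SAMPLE_LOGINS = [
    AppLogin("alice@example.com", "Salesforce Data Loader", "198.51.100.10",
             datetime(2025, 6, 3, 9, 12), "Success"),
    AppLogin("bob@example.com", "My Ticket Portal", "203.0.113.77",
             datetime(2025, 6, 3, 14, 5), "Success"),
    AppLogin("carol@example.com", "Data Loader v2", "198.51.100.44",
             datetime(2025, 6, 4, 11, 30), "Success"),
    AppLogin("dave@example.com", "Data Loader v2", "203.0.113.9",
             datetime(2025, 6, 4, 11, 31), "Failed: Invalid Password"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGINS):
        print(f"{f.user}: {f.app}: {'; '.join(f.reasons)}")
```

Name matching alone is a weak signal, since the article notes the attackers register their own apps under compromised accounts from unrelated organizations; the allow-list check is the one that matters, and it is only useful if the org has also restricted which connected apps users may authorize in the first place.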
Wave of Corporate Victims
Google’s breach represents just one incident in a broader campaign that has affected approximately 20 organizations, according to the company’s threat intelligence analysis.
Security researchers noted that UNC6040 shares tactics and infrastructure with other cybercriminal groups linked to “The Com,” a loosely organized collective of primarily English-speaking hackers known for sophisticated social engineering attacks targeting cloud services and identity platforms like Okta.
Other confirmed victims include luxury fashion house Chanel, insurance company Allianz Life (affecting 1.4 million customers), networking giant Cisco, and airline Qantas.
The threat group operates with a delayed extortion model, often waiting several months after initial data theft before making ransom demands.
During extortion attempts, UNC6240 (the designation for the group’s extortion activities) contacts victim organizations demanding Bitcoin payments within 72 hours while claiming affiliation with the notorious ShinyHunters hacking collective.
Intelligence assessments suggest the attackers may be preparing to escalate their pressure tactics by launching a data leak site (DLS) to publish stolen information from victims who refuse to pay ransoms.
The threat group has been observed using email addresses including shinycorp@tuta[.]com and shinygroup@tuta[.]com for extortion communications.
The success of these campaigns underscores the continuing effectiveness of voice phishing as an attack vector against organizations that have normalized remote IT support and outsourced service desk operations.