UNC6040 Group Behind Google Salesforce Breach


Google’s Salesforce Database Breach: What You Need to Know

In a significant cyber incident, a Salesforce instance that Google uses to manage contact records for small and medium-sized businesses (SMBs) was compromised in June 2025. Google tracks the intrusion group as UNC6040; its extortion arm operates under the ShinyHunters name, a brand already tied to several high-profile breaches. The actors exploited weaknesses in human behavior, not a technical flaw in Salesforce, to get into the system.

Overview of the Breach

According to a blog post from Google's Threat Intelligence Group (GTIG), the attackers accessed and extracted basic business information, namely business names and contact details of SMBs. Although this data was largely already public, the incident raised concerns about how well the Salesforce instance Google uses for SMB engagement, and the more sensitive records it might hold, is protected against the same technique.

Attack Techniques: Voice Phishing and Data Loader Abuse

Notably, the breach did not involve a security flaw in Salesforce itself. The attackers relied on voice phishing, or "vishing." Impersonating IT support staff, they talked Google employees through authorizing a malicious connected app in the Salesforce environment, which granted the attackers the victim's level of data access without stealing a password.

The app was typically a modified version of Salesforce's own Data Loader, a legitimate bulk import and export tool, renamed to fit the pretext of the call. Names such as "My Ticket Portal" were chosen so that the app looked like the tool the fake IT caller was describing.

In later intrusions the actors dropped the modified Data Loader and used custom Python scripts that drive the Salesforce APIs directly to automate extraction. Separately, they routed their activity through Tor exit nodes and commercial VPNs, which hides the true source of the sessions and complicates attribution and incident response.

The Groups Behind the Attack: UNC6040 and UNC6240

GTIG has classified the individuals responsible for this breach as UNC6040, a financially motivated group intent on infiltrating Salesforce platforms using social engineering strategies. Following the initial data theft, another group, identified as UNC6240, emerged to launch extortion attempts against the affected organizations.

These extortion efforts commenced weeks or even months after the breach, with emails and phone calls demanding Bitcoin payments and threatening to publish the stolen data. Notably, these communications frequently claim affiliation with ShinyHunters, a name already associated with several high-profile breaches in recent years.

GTIG has identified known email addresses used by this group in their extortion attempts, including:

  • shinycorp@tuta[.]com
  • shinygroup@tuta[.]com

There are also indications that the attackers may be developing a data leak site (DLS) to publish the stolen information—an alarming tactic increasingly common among ransomware groups aiming to pressure victims into compliance.

Unique Infrastructure and Evolving Tactics

The attackers also built supporting infrastructure, including phishing panels that mimic legitimate Okta login pages and are used during the vishing call to harvest the victim's credentials and multi-factor authentication (MFA) codes in real time. To register their malicious connected apps they moved from Salesforce trial accounts to compromised accounts at third-party organizations, which makes the apps harder to attribute and to block by tenant. This shift reflects growing operational maturity.

GTIG noted a particular focus on English-speaking employees at multinational companies, specifically targeting IT staff. By doing so, the attackers were able to exploit these employees’ elevated access privileges, enhancing their chances of success in the breach.

Exfiltration was not always complete. In some intrusions the actor retrieved only about a 10% sample of the targeted data; in others it ran small exploratory queries first and then widened extraction based on what those returned, a calculated approach that keeps early activity below obvious volume thresholds.
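The tactics described above (a renamed Data Loader or scripted client, sessions from Tor or VPN egress, and a small sample pull followed by a large one) all leave traces in Salesforce API event logs. The following hunting script is an added example written for this page, not tooling from Google or Salesforce. It runs heuristics over a constructed log excerpt whose column names are loosely modeled on Salesforce EventLogFile "API" rows; the column set, the allowlist of client names, the anonymizer IP ranges (RFC 5737 documentation space standing in for real Tor/VPN egress) and the thresholds are all assumptions to be replaced with your own.

```python
"""Hunt for UNC6040-style Data Loader abuse in Salesforce-style API event logs.

Added example. Column names, sample rows, allowlist, IP ranges and
thresholds are assumptions for illustration only.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt (not real data). One user, 005B2, first pulls a
# small Account sample, then a large one, then Contacts via a scripted client,
# all from an anonymizer range.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,20250610120000.000,005A1,203.0.113.10,Salesforce for Outlook,Contact,42
API,20250610121500.000,005B2,198.51.100.7,My Ticket Portal,Account,500
API,20250610122000.000,005B2,198.51.100.7,My Ticket Portal,Account,120000
API,20250610123000.000,005B2,198.51.100.9,python-requests/2.31,Contact,80000
API,20250610130000.000,005C3,203.0.113.20,Data Loader,Lead,3000
"""

# Assumed Tor/VPN egress ranges; populate from a real feed in production.
ANONYMIZER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed allowlist of connected apps / clients approved by the admin.
KNOWN_CLIENTS = {"Salesforce for Outlook", "Data Loader"}
# Client-name fragments matching the lure names and scripted clients in the report.
SUSPECT_CLIENT_TOKENS = ("ticket portal", "python")
BULK_ROWS = 50_000   # rows in one call that count as bulk extraction
SAMPLE_JUMP = 10     # a pull this many times larger than an earlier pull of the
                     # same object by the same user is "sample, then full pull"


def parse_ts(raw: str) -> datetime:
    """EventLogFile timestamps look like YYYYMMDDhhmmss.mmm."""
    return datetime.strptime(raw, "%Y%m%d%H%M%S.%f")


def is_anonymizer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_NETS)


def hunt(log_text: str) -> list[dict]:
    """Return one finding per API row that trips at least one heuristic."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: parse_ts(r["TIMESTAMP"]))
    history = defaultdict(list)   # (user, entity) -> earlier ROWS_PROCESSED values
    findings = []
    for r in rows:
        if r["EVENT_TYPE"] != "API":
            continue
        client, count = r["CLIENT_NAME"], int(r["ROWS_PROCESSED"])
        key = (r["USER_ID"], r["ENTITY_NAME"])
        tags = []
        if client not in KNOWN_CLIENTS:
            tags.append("unknown_client")           # app not on the admin allowlist
        if any(t in client.lower() for t in SUSPECT_CLIENT_TOKENS):
            tags.append("suspect_client_name")      # lure name or scripted client
        if is_anonymizer(r["CLIENT_IP"]):
            tags.append("anonymizer_ip")            # Tor / VPN egress
        if count >= BULK_ROWS:
            tags.append("bulk_extract")
        earlier = history[key]
        if earlier and count >= SAMPLE_JUMP * max(earlier):
            tags.append("sample_then_pull")         # exploratory query, then widened
        history[key].append(count)
        if tags:
            findings.append({"time": r["TIMESTAMP"], "user": r["USER_ID"],
                             "ip": r["CLIENT_IP"], "client": client,
                             "entity": r["ENTITY_NAME"], "rows": count,
                             "tags": tags})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["user"], f["ip"], f["client"], f["entity"], f["rows"], ",".join(f["tags"]))
```

Each heuristic is weak on its own (a legitimate integration can pull 100k rows), so triage on the combination: an unknown client from an anonymizer address that first samples and then bulk-pulls the same object is the pattern the report describes and should page someone. Feed the same logic with your real event log export and a current Tor exit list rather than the constructed values here.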

Key Takeaways on Data Security

This breach is a reminder that the weakest point in a cloud platform such as Salesforce is often the person with a valid login, not the platform itself. A convincing phone call defeats password policy and one-time-code MFA alike, because the victim hands over the code or approves the access themselves. Without staff who know to verify unsolicited IT calls through a known channel, strong technical controls can still be bypassed.

Organizations should apply least privilege to the permissions this campaign depends on: limit who can authorize or install connected apps and who holds the "API Enabled" permission, require admin approval for connected apps rather than letting users self-authorize, restrict API access by IP where the business allows it, and prefer phishing-resistant MFA over codes that can be read out over the phone. Monitor API and Data Loader usage for new client names, anonymizer source addresses and unusual row counts. After an incident, keep watching: with UNC6040 and UNC6240 the extortion demand can arrive weeks or months after the data was taken.

Cybersecurity is a collective responsibility, and preparing for future threats is as crucial as addressing current vulnerabilities.
