Google Confirms Salesforce Data Breach by ShinyHunters via Vishing Scam

In a recent revelation, Google has confirmed that one of its internal databases was breached by a well-known cybercriminal organization. The Google Threat Intelligence Group (GTIG), which was already investigating the activities of the group known as ShinyHunters (or UNC6040), disclosed that its own Salesforce database was accessed in June. The attack exposed information belonging to Google’s small and medium-sized business clients.

The company stated that the breach was contained quickly, and the hackers had access for only a “small window of time.” The stolen data was described as “basic and largely publicly available,” consisting of business names, contact details, and some related notes. While Google did not disclose the full scale of the breach, the incident highlights a growing security concern for all businesses, including technology giants.

Deception, Not Technical Flaws

This attack was not a traditional hack exploiting a software flaw, but a sophisticated social engineering scheme. The hackers used a method called vishing (voice phishing), in which they impersonated a company’s IT support staff in a phone call.

During the call, they tricked a Google employee into approving a malicious application disguised as a legitimate tool, the Salesforce Data Loader. This fraudulent app granted the hackers access to the database, allowing them to steal information.

Attack Flow Illustration (Source: Google)

As per Google Threat Intelligence Group’s (GTIG) research, UNC6040 is responsible for intrusions, while a separate group, UNC6240, handles the extortion, demanding Bitcoin payments within 72 hours. The company also warns that hackers have updated their tools and may be planning to launch a Data Leak Site (DLS) to pressure victims.

“The news that Google has suffered a data breach in the recent wave of attacks executed by ShinyHunters highlights that no organisation is immune to cybercrime,” said William Wright, CEO of Closed Door Security. “It doesn’t matter if you are a small business or one of the world’s leading technology firms, all organisations are vulnerable.”

He also emphasised that employee training and the use of MFA are key to blocking these attacks in their early stages.

A Bigger and Growing Threat

This breach is part of a larger trend of attacks by the ShinyHunters group. Over the past year, Hackread.com has reported the group’s links to several high-profile incidents, including a massive breach at Santander bank in May 2024 and another at Ticketmaster that affected over 560 million customers globally.

The threat is still active, as luxury fashion brand Chanel also recently announced it suffered a data breach in July, affecting some of its US customers via a third-party Salesforce database. Google’s report also warns that ShinyHunters may be planning to escalate its activities by launching a public data leak site.

In response to the attack, Google said it took immediate action to secure its systems and notify affected clients. The company also advises other businesses to strengthen their defences with better employee training, multi-factor authentication, and stricter access controls to prevent similar social engineering attacks.



