Google Confirms Salesforce Database Breach by ShinyHunters

Published On: Aug 06, 2025

Aug 06, 2025 - Google has confirmed a data breach involving one of its cloud-based Salesforce databases, which exposed customer information. The breach, attributed to the hacking group ShinyHunters, tracked as UNC6040 by Google’s Threat Intelligence Group (GTIG), targeted a database used to store contact details and related notes for small and medium-sized businesses. The incident, reported on August 6, 2025, involved the theft of basic, largely publicly available information such as business names and contact details, according to Google’s statement.

The breach was carried out through voice phishing (vishing): attackers impersonated IT support staff over the phone and talked employees into approving a malicious, modified version of Salesforce’s Data Loader as a connected app in their Salesforce org. Data Loader is a legitimate Salesforce tool for bulk importing, exporting, and updating records; once the attackers’ copy, in some cases renamed “My Ticket Portal”, was approved, it held API access to the org and could query and export data on the victim’s behalf. The hackers then exfiltrated data and, in some cases, used the credentials and sessions they had obtained to move laterally into other platforms such as Okta, Microsoft 365, and Workplace, widening the scope of the breach beyond Salesforce.

Google’s GTIG noted that the stolen data has not yet appeared on public leak sites, but the company suspects ShinyHunters may be preparing a data leak site to pressure victims into paying, a tactic commonly used by ransomware and extortion groups. In this campaign the extortion demands have often arrived months after the initial intrusion, and have come from actors claiming affiliation with ShinyHunters, which suggests that the initial access and the monetization may be handled by different parties. Google has not disclosed the number of affected customers or whether it received a ransom demand, and a company spokesperson did not respond to inquiries.

This incident is part of a broader wave of attacks targeting Salesforce CRM systems. Companies such as Qantas, Allianz Life, LVMH, Adidas, Cisco, and Pandora have recently reported similar breaches linked to ShinyHunters, highlighting the group’s focus on cloud-based platforms. The attacks exploit social engineering rather than vulnerabilities in Salesforce’s infrastructure, as confirmed by both Google and Salesforce. The hacking group is believed to have ties to “The Com,” a loose collective of cybercriminals that includes Scattered Spider, known for similar tactics.

Google’s report indicates that approximately 20 organizations across sectors such as hospitality, retail, and education in the Americas and Europe have been targeted by UNC6040 since early 2025. The group routes its activity through Mullvad VPN exit IPs to obscure its origin and has used phishing pages mimicking Okta login panels to capture credentials and multifactor authentication codes. Salesforce has emphasized that these incidents stem from user manipulation, not platform vulnerabilities, and recommends restricting the “API Enabled” permission to users who need it, limiting who can install or authorize connected apps, and restricting logins from commercial VPN ranges to reduce the risk.
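The three indicators above (a newly authorized, unreviewed connected app; a large bulk export shortly afterwards; and activity from a commercial VPN range) can be turned into a simple triage rule. The following is an added example written for this page, not code from Google or Salesforce. It runs over constructed log lines in a simplified CSV shape (timestamp, user, source IP, event type, app name, row count); real Salesforce LoginHistory and EventLogFile records have different field names, so the mapping, the VPN CIDRs, and the approved-app list are all assumptions an operator would replace with their own.

```python
"""Triage Salesforce-style activity logs for the vishing / rogue connected app pattern.

Added example for this article. Log format, CIDR ranges and app allow-list are
constructed placeholders, not real Salesforce schema or Mullvad address space.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: commercial VPN egress ranges the org has decided to block
# (RFC 5737 documentation networks used as stand-ins).
BLOCKED_VPN_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Assumed: connected apps the org has reviewed and approved.
APPROVED_CONNECTED_APPS = {"Data Loader", "Salesforce Mobile"}

# Constructed sample log: one user approves a renamed Data Loader clone from a
# VPN IP and exports 250k rows 40 minutes later; a second user does routine work.
SAMPLE_LOG = """\
2025-06-02T10:00:00Z,alice@example.com,198.51.100.7,connected_app_authorized,My Ticket Portal,0
2025-06-02T10:40:00Z,alice@example.com,198.51.100.7,bulk_export,My Ticket Portal,250000
2025-06-02T11:00:00Z,bob@example.com,192.0.2.10,login,Salesforce Mobile,0
2025-06-02T11:30:00Z,bob@example.com,192.0.2.10,bulk_export,Data Loader,50000
"""


@dataclass
class Event:
    ts: datetime
    user: str
    source_ip: str
    event_type: str  # connected_app_authorized | login | bulk_export
    app_name: str
    rows: int


def parse_log(text: str) -> list[Event]:
    """Parse the simplified CSV log into Event records (assumed column order)."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts = datetime.fromisoformat(row[0].replace("Z", "+00:00"))
        events.append(Event(ts, row[1], row[2], row[3], row[4], int(row[5])))
    return events


def is_vpn_ip(ip: str) -> bool:
    """True if the source IP falls inside a blocked commercial VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_VPN_RANGES)


def triage(events, export_threshold=10_000, new_app_window=timedelta(days=7)):
    """Return (severity, reason, event) findings, ordered by event time.

    A bulk export is escalated to high severity when it is large and comes from
    an app that is either not on the allow-list or was authorized within the
    last `new_app_window`, which is the sequence seen in this campaign.
    """
    findings = []
    first_authorized = {}  # app_name -> first approval timestamp seen in the log
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_type == "connected_app_authorized":
            first_authorized.setdefault(ev.app_name, ev.ts)
            if ev.app_name not in APPROVED_CONNECTED_APPS:
                findings.append(("medium",
                                 f"unreviewed connected app '{ev.app_name}' authorized by {ev.user}", ev))
        if is_vpn_ip(ev.source_ip):
            findings.append(("medium", f"{ev.event_type} from blocked VPN range {ev.source_ip}", ev))
        if ev.event_type == "bulk_export" and ev.rows >= export_threshold:
            recently_added = (ev.app_name in first_authorized
                              and ev.ts - first_authorized[ev.app_name] <= new_app_window)
            if recently_added or ev.app_name not in APPROVED_CONNECTED_APPS:
                findings.append(("high",
                                 f"{ev.rows} rows exported via '{ev.app_name}' by {ev.user} "
                                 f"shortly after the app was authorized", ev))
    return findings


def sample_findings():
    """Run the rule over the constructed sample log."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for severity, reason, ev in sample_findings():
        print(f"[{severity.upper()}] {ev.ts.isoformat()} {reason}")
```

In the sample, Bob’s 50,000-row export through the approved Data Loader produces no finding, while Alice’s approval of “My Ticket Portal” and the export that follows produce one high-severity and three medium-severity findings. The rule deliberately keys on the sequence (approval, then export) rather than on the app name alone, since the attackers rename the tool.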

The ongoing campaign underscores the growing threat of vishing as a vector for data theft and extortion. Organizations using Salesforce are urged to enhance user training, enforce least-privilege access, and monitor connected apps to prevent similar attacks. Google continues to track the threat, warning that additional victims may face extortion demands in the coming months.

For those seeking more information or who may have been affected, Google’s blog post provides further details, and Salesforce has published guidance on protecting environments from social engineering attacks.