Google has become the latest victim in a wave of cyberattacks by the Shiny Hunters group targeting Salesforce instances, which is currently affecting numerous companies worldwide. Contact data from small and medium-sized businesses has been compromised in these incidents.
The search engine giant has acknowledged a security breach in its own IT systems. According to the company, cybercriminals successfully penetrated an internal Salesforce installation in June and accessed sensitive data. Ironically, Google had previously warned other organizations against such attacks. This incident is part of a broad-based attack campaign that has already affected several Fortune 500 companies.
Compromising CRM Infrastructure
According to Google’s Security Team, the breach was carried out by the threat actor UNC6040. Google reports that UNC6040 has previously presented itself as a partner of the notorious Shiny Hunters group. However, current reports from BleepingComputer suggest that the well-known cybercrime organization Shiny Hunters is directly responsible for these attacks. The attackers gained access to a Salesforce environment and copied stored contact data as well as associated metadata from small and medium-sized business customers.
In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.
Shiny Hunters operates using a multi-stage attack methodology. The group specializes in voice phishing (vishing) and relies on social engineering, rather than software exploits, to gain initial access to cloud services.
Widespread attack campaign
The Google incident is part of a comprehensive campaign targeting Salesforce infrastructures across multiple organizations. Confirmed victims include major international corporations such as Adidas, Allianz Life, Cisco Systems, and LVMH subsidiaries including Dior and Louis Vuitton. Danish jewelry manufacturer Pandora A/S has also reported similar security incidents.
While Salesforce itself has not confirmed any system compromise on its end, these incidents highlight the vulnerability of cloud service customers to targeted social engineering attacks. The pattern suggests that attackers are exploiting human factors rather than technical vulnerabilities in the Salesforce platform itself.