Google has now confirmed that it, too, was a victim of the Salesforce-targeting campaign its own threat team discovered in June.
The company revealed this in an update published August 5. The earlier post warned that a threat group, tracked as UNC6040, was using voice phishing (vishing) to steal data from Salesforce environments. And now, Google admitted that one of its corporate Salesforce instances was breached in June. That system held basic contact info and related notes for small and medium businesses. The data stolen was limited to business names and contact details—information that’s mostly public—but it was still taken before access was shut down.
This is striking. Google’s own team issued the warning. But a few months later, the same campaign got inside. It shows how dangerous social engineering can be, even inside a top-tier company.
What’s UNC6040? The Role of ShinyHunters
The campaign is tracked under the code name UNC6040 by Google’s Threat Intelligence Group (GTIG). They say the group specializes in vishing. That means calling staff while pretending to be IT support, to trick them into installing malware or giving up access.
In this case, the attackers use a modified version of Salesforce’s Data Loader tool. Data Loader is meant for importing or exporting large volumes of data. But the fake version is controlled by the attacker. When an employee gives it permission, it becomes a gateway to exfiltrate data.
GTIG says UNC6040 has hit around 20 organizations across Europe and the Americas, in sectors including hospitality, retail, and education. The attacks happen over phone calls: the attacker walks the employee through setting up the malicious app. Once inside Salesforce, the attacker can steal data and even pivot to other platforms, such as Okta or Microsoft 365.
And that’s not all. UNC6040 appears to hand off extortion to another cluster, tracked as UNC6240. UNC6240 makes calls or sends emails demanding bitcoin within 72 hours. They often claim to be the group ShinyHunters—a well-known cybercrime brand. They may also be planning a data leak site to pressure victims further.
Google’s Breach: What Actually Happened
Unlike an exploit or software flaw, this was pure human manipulation. UNC6040 didn’t break code. They broke trust. And they did it through a simple trick: convincing someone that the fake Data Loader tool was legit.
When Google realized it had a problem, it acted fast. It cut off access. The breach lasted a short time. The only things stolen were contact info and small-business notes. These aren’t sensitive by default. But once stolen, even public contact info can feed phishing, spam, or more targeted attacks.
Still, attackers bragged. A member of ShinyHunters told BleepingComputer they had breached a trillion-dollar company and might just leak the data. It’s not confirmed that was Google. But it shows the confidence behind the campaign.
Other Victims: The Broader Campaign
Google isn’t alone. Reports point to other big names in the same campaign. Those include Adidas, Qantas, Allianz Life, Pandora, Chanel, Cisco, and several luxury brands under LVMH like Louis Vuitton, Dior, and Tiffany & Co.
Cisco also revealed it faced a vishing attack. Attackers accessed CRM data via Salesforce. Fortunately, they didn’t get passwords or sensitive internal data. Still, it showed the same method at work (Computing).
The pattern is clear: attackers target Salesforce systems in multiple organizations. They rely on social trickery, not bugs or zero-days.
What This Means for Cloud Security
These attacks highlight a few unsettling truths:
- Social engineering works. A convincing phone call can bypass sophisticated systems.
- Cloud platforms become easy targets when trust is misplaced.
- Even top teams can fall for it if procedures are weak or complacency sets in.
- A breach doesn’t always involve highly sensitive data. But even public info can still hurt.
It also raises another point: extortion might lag behind theft. Organizations should watch their inboxes and phones in the months after a breach.
How to Protect Salesforce and Stop Vishing
Based on Google’s advice and reporting, here are straightforward steps companies can take:
- Limit who can install apps. Only trusted admins should manage connected apps. Use least privilege.
- Review connected apps regularly. Don’t assume an app is safe. Check its name, access, and who published it.
- Set login IP ranges. If corporate users only log in from office IPs, block logins from outside or from VPNs.
- Use Salesforce Shield / event monitoring. Watch for large exports or suspicious activity. Shut down abnormal usage.
- Require MFA for all logins. It doesn’t stop every scam, but it makes life harder for attackers.
- Train employees. Vishing only works if they fall for it. Run drills and teach staff how to verify callers.
- Respond fast. If you detect unauthorized access, cut it off. Analyze impact. Get ready in case extortion attempts follow.
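As an added example (not from the article, Google’s advisory, or Salesforce’s own tooling), here is a small Python check that combines three of the steps above: it flags a bulk export from a connected app whose name/publisher pair is not on the approved list, from a client IP outside the corporate ranges, or above a row threshold, and totals exported rows per user so chunked exports still stand out. The event records, field names, publisher strings and IP ranges are constructed for the example and are not the real Salesforce event-log schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed event-monitoring-style records. Field names are assumptions for
# this example, not Salesforce's real EventLogFile columns. The second user is
# running a tool that calls itself "Data Loader" but was not published by Salesforce.
SAMPLE_LOG = """timestamp,user,client_ip,app_name,publisher,event_type,rows
2025-06-10T09:01:00Z,alice@example.com,203.0.113.10,Data Loader,Salesforce.com,BulkApi,1200
2025-06-10T09:05:00Z,bob@example.com,198.51.100.7,Data Loader,unverified-publisher,BulkApi,250000
2025-06-10T09:07:00Z,bob@example.com,198.51.100.7,Data Loader,unverified-publisher,BulkApi,310000
2025-06-10T10:00:00Z,carol@example.com,203.0.113.22,Data Loader,Salesforce.com,BulkApi,500
"""

# Approved connected apps are matched on name AND publisher (assumed values),
# so a look-alike app with the same name but a different publisher is not trusted.
APPROVED_APPS = {("Data Loader", "Salesforce.com")}
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed range
EXPORT_ROW_THRESHOLD = 100_000


def ip_is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def flag_events(log_text):
    """Return (timestamp, user, reasons) for every record that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if (row["app_name"], row["publisher"]) not in APPROVED_APPS:
            reasons.append(f"unapproved connected app: {row['app_name']} ({row['publisher']})")
        if not ip_is_corporate(row["client_ip"]):
            reasons.append(f"client IP {row['client_ip']} outside corporate ranges")
        if row["event_type"] == "BulkApi" and int(row["rows"]) > EXPORT_ROW_THRESHOLD:
            reasons.append(f"bulk export of {row['rows']} rows")
        if reasons:
            findings.append((row["timestamp"], row["user"], reasons))
    return findings


def bulk_rows_by_user(log_text):
    """Sum BulkApi rows per user so many small exports are still visible."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_type"] == "BulkApi":
            totals[row["user"]] += int(row["rows"])
    return dict(totals)
```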