ShinyHunters Hack Targets Salesforce Data of Google Customers
ShinyHunters (also tracked as UNC6040), a cybercriminal group, recently compromised Salesforce databases containing basic business information belonging to Google customers. The breach, which occurred in early August 2025, involved accessing contact information and records of small and medium-sized businesses. Google has confirmed the incident and is working with affected customers. https://cloud.google.com/security/bulletins
Attack Vector: Voice Phishing and Custom Scripts
The attackers gained initial access through sophisticated voice phishing (vishing) calls targeting employees within the victim organizations. The calls, often routed through VPNs or the Tor network to mask the callers' location, involved the perpetrators impersonating IT support staff. They successfully tricked employees into revealing user credentials and multi-factor authentication codes.
Once inside, ShinyHunters initially used the Salesforce Data Loader application to extract data in bulk. Google security analysts later observed a shift in tactics, with the group increasingly employing custom Python scripts that perform the same data exfiltration functions against the Salesforce API. This indicates a move towards more specialized tooling intended to evade detection. https://thehackernews.com/2024/08/shinyhunters-hack-google-salesforce.html
Extortion Attempts and Data Leak Site
Following the data theft, ShinyHunters attempted to extort victims by demanding payment in Bitcoin within 72 hours. Extortion communications were sent from the email addresses [email protected] and [email protected].
Google believes ShinyHunters is preparing to launch a data leak site to further pressure victims. This tactic is common among ransomware and extortion groups: stolen data is published if demands are not met. https://securityaffairs.co/156991/security/shinyhunters-google-salesforce-hack.html
Limited Data Scope, but Still a Critical Risk
Google has stated that the compromised data is "limited to basic business information" and largely consists of publicly available details such as business names and contact information. However, even publicly available data can be leveraged for follow-on attacks, such as targeted phishing campaigns or social engineering attempts. The compromise of Salesforce credentials also poses a significant risk, potentially allowing the attackers to reach more sensitive data within the affected organizations.
Understanding ShinyHunters (UNC6040)
ShinyHunters is a prolific hacking group known for data breaches across many companies, often focusing on customer databases. The group typically relies on credential stuffing, phishing, and exploitation of vulnerabilities in public-facing applications. It has been active since at least 2020 and is believed to operate from Eastern Europe. https://mandiant.com/resources/blog/shinyhunters-continues-data-theft-and-extortion-campaigns
Mitigation and Prevention
Organizations using Salesforce should take the following steps to mitigate the risk of similar attacks:
* Strengthen Multi-Factor Authentication (MFA): Ensure MFA is enabled for all users and consider more robust MFA methods beyond SMS-based codes.
* Employee Training: Conduct regular security awareness training for employees, focusing on identifying and reporting phishing attempts, especially voice phishing.
* Credential Monitoring: Implement systems to monitor for compromised credentials and proactively reset passwords if a breach is suspected.
* Least Privilege Access: Grant users only the minimum level of access necessary to perform their job functions.
* Regular Security Audits: Conduct regular security audits of Salesforce configurations and integrations.
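The credential-monitoring and audit items above are easier to act on with a concrete detection. The following added example (not from the original article, Google, or Salesforce) flags users who pull unusually large row counts through bulk or scripted clients such as Data Loader or a Python HTTP library, which is the exfiltration pattern described in the Attack Vector section. The sample log is constructed, and its column names are only loosely modelled on Salesforce Event Monitoring API events (an assumption, not an exact schema).

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. ASSUMPTION: column names are illustrative and
# not an exact Salesforce Event Monitoring schema. 198.51.100.7 and
# 203.0.113.10 are documentation-reserved addresses, not real indicators.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
2025-08-05T09:00:12Z,005A1,Salesforce for Outlook,Contact,20,203.0.113.10
2025-08-05T09:03:40Z,005B2,Salesforce Data Loader,Contact,2000,198.51.100.7
2025-08-05T09:04:02Z,005B2,Salesforce Data Loader,Account,2000,198.51.100.7
2025-08-05T09:04:30Z,005B2,Salesforce Data Loader,Contact,2000,198.51.100.7
2025-08-05T09:10:55Z,005C3,python-requests/2.31,Contact,5000,198.51.100.7
2025-08-05T09:11:20Z,005C3,python-requests/2.31,Lead,5000,198.51.100.7
2025-08-05T09:30:00Z,005A1,Salesforce for Outlook,Account,15,203.0.113.10
"""

# Substrings identifying bulk or scripted clients worth scrutinising.
BULK_CLIENTS = ("data loader", "python-requests", "python-urllib")
ROW_THRESHOLD = 5000  # rows per user within the analysed window


def parse_events(text):
    """Parse CSV-formatted event rows into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_bulk_exports(events, threshold=ROW_THRESHOLD):
    """Aggregate rows read through bulk/scripted clients per user and
    return only users at or above the threshold, with clients and IPs."""
    per_user = defaultdict(lambda: {"rows": 0, "clients": set(), "ips": set()})
    for e in events:
        client = e["CLIENT_NAME"].lower()
        if not any(tag in client for tag in BULK_CLIENTS):
            continue  # interactive clients are ignored here
        rec = per_user[e["USER_ID"]]
        rec["rows"] += int(e["ROWS_PROCESSED"])
        rec["clients"].add(e["CLIENT_NAME"])
        rec["ips"].add(e["CLIENT_IP"])
    return {u: r for u, r in per_user.items() if r["rows"] >= threshold}


def shared_source_ips(flagged):
    """Source IPs used by more than one flagged user: a hint that several
    phished accounts are being driven from the same VPN or Tor egress."""
    users_by_ip = defaultdict(set)
    for user, rec in flagged.items():
        for ip in rec["ips"]:
            users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) > 1}
```

In practice the threshold and client list should be tuned to the organisation's legitimate integrations, and hits should be correlated with login events to spot sessions established shortly after an MFA prompt.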
Looking Ahead
The ShinyHunters attack highlights the ongoing threat posed by sophisticated cybercriminal groups and the importance of proactive security measures. As attackers continue to evolve their tactics, organizations must remain vigilant and adapt their defenses accordingly. Google's ongoing investigation and collaboration with security researchers will be crucial in understanding the full scope of the breach and preventing future incidents.