At TecnetOne, we understand how crucial it is to protect your customers’ information. So when a company like Google confirms it was also affected by a data breach linked to attacks on Salesforce, it’s time to pay attention.
What initially appeared to be a targeted campaign against a few organizations has evolved into a wave of active attacks led by the well-known extortion group ShinyHunters. Their goal? Access Salesforce instances, steal customer data, and demand ransom payments. And yes — the attacks are still ongoing.
What Exactly Happened to Google?
In June 2025, Google warned that a threat group — tracked as UNC6040 — was using voice phishing (vishing) to trick employees into giving access to Salesforce instances. The attackers aimed to download customer data and extort companies by threatening to leak the information unless a ransom was paid.
Google has since confirmed that it was also a victim:
“In June, one of Google’s corporate Salesforce instances was compromised through activity similar to what has been described,” the company stated.
The compromised instance contained contact information and notes related to small and mid-sized businesses. Although Google insists that the access was limited and quickly detected, attackers were able to exfiltrate data during a brief window of time.
What Kind of Data Was Stolen?
According to Google, the stolen information was mostly basic and largely public, such as business names and contact details.
However, even without passwords or financial data, the fact that this information came from Salesforce makes it strategically valuable — as it may be linked to real customers and business relationships.
In other words, basic data becomes dangerous when attackers have volume and context.
Who Is Behind the Attacks?
While Google refers to the attackers as UNC6040 (also UNC6240 in some reports), cybersecurity experts attribute the campaign to ShinyHunters.
This group is infamous in the cybersecurity world for major breaches, including:
- AT&T
- Wattpad
- MathWay
- Oracle Cloud
- PowerSchool
- NitroPDF
- And more recently, the massive Snowflake data thefts
ShinyHunters don’t just steal data — they use it for extortion. If the ransom isn’t paid, they leak or sell the stolen information on hacker forums.
Who Else Has Been Targeted?
Alongside Google, several major companies have been affected by the same campaign, including:
- Adidas
- Qantas
- Allianz Life
- Cisco
- Louis Vuitton, Dior, and Tiffany & Co. (all LVMH subsidiaries)
In at least one documented case, a company paid 4 Bitcoins (~$400,000) to prevent its data from being leaked.
This shows that attackers aren’t targeting a specific industry, but rather exploiting Salesforce as a common entry point to massive data stores.
Why Is Salesforce the Target?
Salesforce is a CRM platform used by millions of companies worldwide to manage customer relationships. As such, it contains highly sensitive information:
- Contact data
- Communication histories
- Contract or deal details
- Internal sales notes
Even partial access to a Salesforce instance gives attackers enough leverage for:
- Extortion
- Identity theft
- Social engineering
- Exposure of confidential business information
How Do Attackers Access Salesforce?
This is not a traditional technical hack. Instead, it’s a well-planned social engineering campaign:
- The attacker calls an employee (vishing), posing as IT or support staff.
- They trick the employee into sharing credentials or granting access to the Salesforce account.
- Once inside, the attacker downloads as much data as possible and disappears.
- The company receives an extortion email: “Pay or we leak your data.”
In many cases, victims aren’t even aware they’ve been tricked — until it’s too late.
What Should You Do If Your Company Uses Salesforce?
At TecnetOne, we work with many companies that rely on Salesforce. Here are our key recommendations to avoid becoming the next victim:
Enable Multi-Factor Authentication (MFA)
It adds a strong second layer of protection — even if credentials are stolen.
Train Teams to Recognize Vishing
Many breaches start with a phone call. Teach your staff to question any unexpected calls asking for access or credentials.
Monitor Salesforce Login Activity
Enable alerts for unusual access patterns — like logins from unknown locations or devices.
Apply Role-Based Access Control (RBAC)
Not every user needs access to every record. Enforce least privilege policies to reduce exposure.
Conduct Regular Audits
Review who is accessing what data and why. Pay attention to large exports or downloads.
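The login-monitoring and audit recommendations above can be combined into one detection: flag a login from a country or application never seen for that user, then check how many rows that user exported shortly afterwards. The following is an added example, not TecnetOne or Salesforce code. The login columns use Salesforce LoginHistory field names, while the export log layout, the thresholds and all sample values are constructed assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Login columns follow Salesforce LoginHistory field
# names; the export columns (Timestamp, RowCount) are a hypothetical audit log.
LOGINS = """UserId,LoginTime,SourceIp,CountryIso,Application
u1,2025-06-02T08:01:00,198.51.100.7,MX,Browser
u2,2025-06-02T09:00:00,198.51.100.9,MX,Browser
u1,2025-06-10T14:30:00,203.0.113.50,NL,ExampleBulkTool
u2,2025-06-10T09:05:00,198.51.100.9,MX,Browser
"""
EXPORTS = """UserId,Timestamp,RowCount
u2,2025-06-10T10:00:00,1200
u1,2025-06-10T14:45:00,85000
u1,2025-06-10T15:10:00,120000
"""
BASELINE_END = datetime(2025, 6, 9)   # logins before this only build the baseline
WINDOW = timedelta(hours=4)           # how long after a flagged login to watch
ROW_LIMIT = 50_000                    # exported rows per window treated as large

def rows(text, time_col):
    for r in csv.DictReader(io.StringIO(text)):
        r[time_col] = datetime.fromisoformat(r[time_col])
        yield r

def unusual_logins(logins):
    """Flag logins whose country or application was never seen for that user."""
    seen, flagged = defaultdict(set), []
    for r in sorted(logins, key=lambda r: r["LoginTime"]):
        keys = {("country", r["CountryIso"]), ("app", r["Application"])}
        new = keys - seen[r["UserId"]]
        if r["LoginTime"] >= BASELINE_END and new:
            flagged.append((r, sorted(v for _, v in new)))
        seen[r["UserId"]] |= keys
    return flagged

def alerts(login_text=LOGINS, export_text=EXPORTS):
    """Correlate each unusual login with export volume in the following window."""
    exports, out = list(rows(export_text, "Timestamp")), []
    for login, reasons in unusual_logins(rows(login_text, "LoginTime")):
        total = sum(int(e["RowCount"]) for e in exports
                    if e["UserId"] == login["UserId"]
                    and login["LoginTime"] <= e["Timestamp"] <= login["LoginTime"] + WINDOW)
        severity = "high" if total > ROW_LIMIT else "review"
        out.append((login["UserId"], login["SourceIp"], reasons, total, severity))
    return out

print(alerts())
```

An unusual login with little or no export volume is still returned with severity "review", so it reaches an analyst rather than being dropped.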
Conclusion: The Threat Is Real — But You Can Get Ahead of It
Google’s case proves that even the biggest companies are vulnerable to well-executed social engineering campaigns. ShinyHunters are exploiting something as simple as a phone call to infiltrate highly sensitive systems like Salesforce.
If it can happen to Google, Adidas, or Cisco — it can happen to anyone.
We’re here to help you:
- Harden your Salesforce environment and other CRMs
- Train your teams against social engineering and vishing
- Deploy monitoring and incident response solutions
Don’t wait for attackers to test your defenses. Now is the time to assess, reinforce, and protect.