At TecnetOne, we understand how crucial it is to protect your customers’ information. So when a company like Google confirms it was also affected by a data breach linked to attacks on Salesforce, it’s time to pay attention.
What initially appeared to be a targeted campaign against a few organizations has evolved into a wave of active attacks led by the well-known extortion group ShinyHunters. Their goal? Access Salesforce instances, steal customer data, and demand ransom payments. And yes — the attacks are still ongoing.
In June 2025, Google warned that a threat group — tracked as UNC6040 — was using voice phishing (vishing) to trick employees into giving access to Salesforce instances. The attackers aimed to download customer data and extort companies by threatening to leak the information unless a ransom was paid.
Google has since confirmed that it was also a victim:
“In June, one of Google’s corporate Salesforce instances was compromised through activity similar to what has been described,” the company stated.
The compromised instance contained contact information and notes related to small and mid-sized businesses. Although Google insists that the access was limited and quickly detected, attackers were able to exfiltrate data during a brief window of time.
According to Google, the stolen information was mostly basic and largely public, such as business names and contact details.
However, even without passwords or financial data, the fact that this information came from Salesforce makes it strategically valuable — as it may be linked to real customers and business relationships.
In other words, basic data becomes dangerous when attackers have volume and context.
While Google refers to the attackers as UNC6040 (also UNC6240 in some reports), cybersecurity experts attribute the campaign to ShinyHunters.
This group is infamous in the cybersecurity world for major breaches, including:
ShinyHunters don’t just steal data — they use it for extortion. If the ransom isn’t paid, they leak or sell the stolen information on hacker forums.
Alongside Google, several major companies have been affected by the same campaign, including:
In at least one documented case, a company paid 4 Bitcoins (~$400,000) to prevent its data from being leaked.
This shows that attackers aren’t targeting a specific industry, but rather exploiting Salesforce as a common entry point to massive data stores.
Salesforce is a CRM platform used by millions of companies worldwide to manage customer relationships. As such, it contains highly sensitive information:
Even partial access to a Salesforce instance gives attackers enough leverage for:
This is not a traditional technical hack. Instead, it’s a well-planned social engineering campaign:
In many cases, victims aren’t even aware they’ve been tricked — until it’s too late.
At TecnetOne, we work with many companies that rely on Salesforce. Here are our key recommendations to avoid becoming the next victim:
It adds a strong second layer of protection — even if credentials are stolen.
Many breaches start with a phone call. Teach your staff to question any unexpected calls asking for access or credentials.
Enable alerts for unusual access patterns — like logins from unknown locations or devices.
Not every user needs access to every record. Enforce least privilege policies to reduce exposure.
Review who is accessing what data and why. Pay attention to large exports or downloads.
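The access alerting and export review recommended above, as an added example that is not TecnetOne's or Salesforce's code: it flags a login from a source IP not seen for that user during a baseline period, and a user whose exported rows within one hour exceed a threshold. The CSV columns, the thresholds and the sample rows are constructed assumptions; map them to the fields your own audit log export provides.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit rows. Column names are assumptions for this
# example, not the schema of any Salesforce log.
SAMPLE_LOG = """timestamp,user,event,source_ip,rows
2025-06-02T09:01:00,alice,login,198.51.100.10,0
2025-06-02T09:05:00,alice,export,198.51.100.10,120
2025-06-03T09:02:00,alice,login,198.51.100.10,0
2025-06-03T10:00:00,bob,login,198.51.100.22,0
2025-06-03T10:10:00,bob,export,198.51.100.22,300
2025-06-04T14:30:00,alice,login,203.0.113.77,0
2025-06-04T14:32:00,alice,export,203.0.113.77,4000
2025-06-04T14:40:00,alice,export,203.0.113.77,3500
2025-06-04T16:00:00,bob,export,198.51.100.22,250
"""

def find_alerts(log_text, baseline_end, max_rows=5000, window=timedelta(hours=1)):
    """Alert on logins from IPs unseen for that user, and on users whose
    exported rows inside `window` exceed `max_rows`. Events before
    `baseline_end` only build the baseline and never alert."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    known_ips = defaultdict(set)   # user -> source IPs seen so far
    recent = defaultdict(list)     # user -> [(time, rows)] still inside the window
    alerts = []
    for r in rows:
        ts = datetime.fromisoformat(r["timestamp"])
        user, ip = r["user"], r["source_ip"]
        if r["event"] == "login":
            if ts >= baseline_end and ip not in known_ips[user]:
                alerts.append((r["timestamp"], user, "new_source_ip", ip))
            known_ips[user].add(ip)  # alert once per new IP, then treat as known
        elif r["event"] == "export":
            # Drop exports that fell out of the sliding window, then add this one.
            recent[user] = [(t, n) for t, n in recent[user] if ts - t <= window]
            recent[user].append((ts, int(r["rows"])))
            total = sum(n for _, n in recent[user])
            if ts >= baseline_end and total > max_rows:
                alerts.append((r["timestamp"], user, "bulk_export", str(total)))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, datetime(2025, 6, 4)):
        print(alert)
```

Neither of the two exports in the sample crosses the threshold on its own; the alert comes from summing them inside the window, which is why the check is cumulative rather than per event.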
Google’s case proves that even the biggest companies are vulnerable to well-executed social engineering campaigns. ShinyHunters are exploiting something as simple as a phone call to infiltrate highly sensitive systems like Salesforce.
If it can happen to Google, Adidas, or Cisco — it can happen to anyone.
We’re here to help you:
Don’t wait for attackers to test your defenses. Now is the time to assess, reinforce, and protect.