Google has detected that a group of hackers, posing as the well-known extortionists ShinyHunters, is launching social engineering attacks against large multinational companies to steal data directly from their Salesforce accounts.
According to Google's Threat Intelligence Group (GTIG), which tracks this cluster under the name UNC6040, the attacks mainly target English-speaking employees of multinational companies. How do they do it? Through voice phishing (vishing): phone calls in which the caller tries to convince the victim to connect a tampered version of the Salesforce Data Loader app to the company's Salesforce environment.
In these calls, the attackers impersonate internal tech support staff. Using a convincing tone, they ask the employee to connect to the Salesforce Data Loader, a legitimate tool normally used to import, export, update, or delete data within the Salesforce environment.
The trick? The Data Loader the victim is asked to connect is a modified version registered and controlled by the attackers. As the researchers explain, Data Loader authenticates with OAuth: in Salesforce, external tools are integrated as "connected apps", and once a user authorizes one, the app holds an access token and acts with that user's permissions.
The attackers exploit this by guiding the victim, over the phone, to the connected-app authorization page in Salesforce Setup and asking them to enter a "connection code". Approving that code links the attackers' modified Data Loader to the employee's real Salesforce org. No password is typed into a fake page and no MFA prompt is bypassed: the victim's own logged-in session satisfies MFA, and the app simply receives an OAuth token carrying whatever access the employee's account already has. For a Data Loader user that means the "API Enabled" permission and, typically, broad read access to CRM data… in practice, full access to everything that employee can see.
Request to Enter Connection Code (Source: Google)
How Attackers Exploit Salesforce to Infiltrate Other Enterprise Platforms
The companies targeted by these attacks were already using Salesforce as their CRM (Customer Relationship Management) platform, so when someone from “tech support” asks them to install a tool like Data Loader, it doesn’t seem suspicious. In fact, it fits perfectly into their daily workflow. And that’s the issue—it appears completely legitimate.
In these cases, the UNC6040 group uses the tampered app to extract data stored in the company's Salesforce account. But they don't stop there. Once inside, they leverage that initial foothold to pivot to other platforms the victim organization uses, such as Okta, Microsoft 365, or Workplace.
Why do they do this? Because those other platforms also hold a wealth of sensitive information: internal emails, important documents, access tokens, shared files… essentially everything needed to inflict more damage or to strengthen their extortion attempts.
Google’s report sums it up like this: “UNC6040 is a financially motivated group that infiltrates victims’ networks through socially engineered phishing calls.”
And once they gain access, they don't waste time. The Data Loader is used to pull data from Salesforce right away, and the same foothold is then used to reach the other platforms already mentioned, Okta, Workplace, and Microsoft 365, extracting more information from each of them in turn.
Overview of the UNC6040 Attack
Hackers Are Not Only Clever—They're Patient (and Even Experimental)
In some cases, the attempts to steal data didn't get very far. Why? Because existing monitoring did its job, flagging the unusual API activity and revoking the connected app's access before major damage could occur. But the attackers didn't simply give up. They anticipated this and began experimenting with the batch (chunk) sizes of their Data Loader queries, presumably to find out how much they could pull per request without triggering alarms.
Moreover, the UNC6040 group didn't present the tool under its real name. They renamed the connected app to make it seem completely harmless. One example? They called it "My Ticket Portal", which sounds entirely legitimate when mentioned during a "tech support" call. This tactic successfully convinced multiple victims to approve the tampered app.
According to Google's report, while exfiltrating data from Salesforce, the attackers connected through Mullvad, a commercial VPN provider, so that their real location was masked and the malicious API traffic blended in with ordinary VPN exit-node addresses.
And it doesn't stop there: they also created phishing pages that mimicked Okta's login portal, which links them to actors using techniques associated with "The Com" ecosystem and groups like Scattered Spider. If this all sounds complex, that's because it is. These attackers are organized, methodical and, above all, dangerous.
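The three signals described above (an unfamiliar connected app such as "My Ticket Portal" being authorized, API traffic arriving from a commercial VPN exit, and query batch sizes ramping up after a few small probes) can be correlated in a single detection. The following is an added example written for this article, not code from Google's report or from Salesforce. It runs over constructed sample events: the field names are hypothetical and would have to be mapped onto whatever your Salesforce event monitoring actually exports, the approved-app list is an assumption, and the VPN prefix is an RFC 5737 documentation range standing in for a real Mullvad exit-node feed.

```python
"""Correlate connected-app authorization, VPN-sourced API traffic and
escalating batch sizes into a single finding.

Added example for illustration; not from Google's report or Salesforce.
Assumptions (hypothetical):
- each event is a dict with ts/type/app/user/ip/rows; real Salesforce
  EventLogFile or Real-Time Event Monitoring schemas must be mapped to this
- KNOWN_APPS is the list of connected apps approved through change control
- VPN_PREFIXES stands in for a commercial-VPN exit feed (documentation range)
"""
import ipaddress
from collections import defaultdict

KNOWN_APPS = {"Salesforce Data Loader (IT-managed)", "Marketing Sync"}
VPN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumption, not a real Mullvad range
BATCH_ESCALATION = 5  # flag when the largest batch is >= 5x the first batch seen

# Constructed sample: an unapproved app named like a help-desk tool is
# authorized, probes with small queries from a VPN exit, then pulls large
# batches. The last event is a legitimate integration for contrast.
SAMPLE_EVENTS = [
    {"ts": "2025-05-02T14:03:10Z", "type": "OAUTH_AUTHORIZE", "app": "My Ticket Portal",
     "user": "alice@example.com", "ip": "203.0.113.17", "rows": 0},
    {"ts": "2025-05-02T14:05:41Z", "type": "API_QUERY", "app": "My Ticket Portal",
     "user": "alice@example.com", "ip": "203.0.113.17", "rows": 50},
    {"ts": "2025-05-02T14:06:02Z", "type": "API_QUERY", "app": "My Ticket Portal",
     "user": "alice@example.com", "ip": "203.0.113.17", "rows": 200},
    {"ts": "2025-05-02T14:09:30Z", "type": "API_QUERY", "app": "My Ticket Portal",
     "user": "alice@example.com", "ip": "203.0.113.17", "rows": 2000},
    {"ts": "2025-05-02T14:12:00Z", "type": "API_QUERY", "app": "My Ticket Portal",
     "user": "alice@example.com", "ip": "203.0.113.17", "rows": 2000},
    {"ts": "2025-05-02T15:00:00Z", "type": "API_QUERY", "app": "Marketing Sync",
     "user": "svc-mkt@example.com", "ip": "198.51.100.9", "rows": 2000},
]


def is_vpn(ip: str) -> bool:
    """True when the source address falls inside a known commercial-VPN prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_PREFIXES)


def analyze(events):
    """Group events per connected app and return (app, user, total_rows, reasons)
    for every app that trips at least one of the three signals."""
    per_app = defaultdict(lambda: {"user": None, "authorized": False,
                                   "vpn_ips": set(), "batches": [], "rows": 0})
    for e in events:
        s = per_app[e["app"]]
        s["user"] = e["user"]
        if e["type"] == "OAUTH_AUTHORIZE":
            s["authorized"] = True
        elif e["type"] == "API_QUERY":
            s["batches"].append(e["rows"])
            s["rows"] += e["rows"]
        if is_vpn(e["ip"]):
            s["vpn_ips"].add(e["ip"])

    findings = []
    for app, s in per_app.items():
        reasons = []
        if app not in KNOWN_APPS:
            reasons.append("unapproved connected app"
                           + (" (authorized in this window)" if s["authorized"] else ""))
        if s["vpn_ips"]:
            reasons.append(f"API traffic from VPN exit {sorted(s['vpn_ips'])}")
        b = s["batches"]
        if len(b) >= 2 and b[0] > 0 and max(b) >= BATCH_ESCALATION * b[0]:
            reasons.append(f"batch size ramped from {b[0]} to {max(b)} rows")
        if reasons:
            findings.append((app, s["user"], s["rows"], reasons))
    return findings


if __name__ == "__main__":
    for app, user, rows, reasons in analyze(SAMPLE_EVENTS):
        print(f"[ALERT] {app} as {user}: {rows} rows exported")
        for r in reasons:
            print(f"    - {r}")
```

Run on the constructed sample, only "My Ticket Portal" is reported (4,250 rows, all three reasons); "Marketing Sync" is on the approved list, comes from a corporate address and exports a constant batch size, so it stays quiet. The approved-app baseline matters: Data Loader is a legitimate bulk-export tool, so the signal is not "Data Loader was used" but "a connected app nobody approved is exporting CRM objects from an address the company does not own".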
Who’s Behind It All? The ShinyHunters—Or So They Claim...
The attackers observed by Google claim to be part of the notorious hacker group ShinyHunters, known for stealing data and demanding multimillion-dollar ransoms to prevent public leaks.
Although the initial activity was carried out by UNC6040, what’s intriguing is that in several cases, the extortion didn’t come until months after the original attack. This suggests that another actor may be involved—someone responsible specifically for monetizing the stolen data.
When the threat to publish the data finally arrives, the hackers claim affiliation with ShinyHunters, likely to instill greater fear and pressure companies into paying. It’s not a new strategy, but it’s effective: ShinyHunters has been linked to high-profile data breaches, including the Snowflake case and the PowerSchool hack, which affected over 62 million students.
Key Recommendations If You Use Salesforce
Google didn't stop at issuing a warning. It also shared some highly practical security measures for companies that use Salesforce:
- Restrict the "API Enabled" permission: Data Loader and every other connected app need it to pull data through the API, so grant it only to the users and integrations that genuinely require bulk access rather than leaving it on for whole profiles.
- Control connected-app installations and authorizations: limit who can install or approve new connected apps in the Salesforce environment, and review the apps already authorized so that a tool nobody recognizes (such as one named "My Ticket Portal") cannot quietly hold an OAuth token.
- Block access from commercial VPNs like Mullvad: enforce IP restrictions on the profiles and connected apps that touch sensitive data, so that API sessions from anonymizing VPN exit nodes are refused even when the OAuth token itself is valid.
Implementing these measures can significantly reduce the risk of falling victim to attacks like those carried out by UNC6040 and others impersonating ShinyHunters. None of them replaces the simplest defense, though: an employee who has been told that no help desk will ever ask them to read out a connection code over the phone.