Google confirmed that hackers breached one of its corporate Salesforce systems in June through a cyberattack similar to one it had previously reported. The attackers briefly accessed the system and stole basic business contact details for small and medium-sized companies before Google cut off their access. Google stressed that the stolen data was mostly public information, such as company names and contact numbers.
Google’s Threat Intelligence Group (GTIG) tracks the hacking group behind this incident as UNC6040. This group uses voice phishing—calling employees while pretending to be IT staff—to trick them into giving access to Salesforce accounts. Once inside, they use specially made tools to download large amounts of data.
In some cases, another group that GTIG calls UNC6240 uses the stolen data for extortion. This group often claims to be part of the notorious hacker brand “ShinyHunters” and sends threatening emails or makes calls demanding payment in Bitcoin within 72 hours, warning that they will leak the stolen data if victims don’t pay. GTIG believes ShinyHunters may soon launch a dedicated site to publish stolen information, increasing pressure on victims.
UNC6040’s tactics have evolved over time. Initially, they used Salesforce’s “Data Loader” app to extract data, but they now use custom-built programs for the same purpose. They also disguise their malicious apps with names like “My Ticket Portal” to make them look legitimate during phishing calls. The attackers frequently hide their location by using VPN services or the Tor network, making it harder to track them.
How the Attack Works
- The hackers call an employee, pretending to be IT staff.
- They convince the person to approve a fake connected app in Salesforce.
- The fake app, often a modified Data Loader, gives them permission to download sensitive data.
- They sometimes also steal login details for other company systems like Microsoft 365 or Okta.
Google’s Warning & Advice
Google warns that such attacks may continue for months before the stolen data is used for extortion. Businesses using Salesforce should take the following steps:
- Limit permissions for tools like Data Loader to only essential staff.
- Strictly control connected apps and only allow trusted ones.
- Restrict logins by IP address to block access from unknown networks.
- Use Salesforce Shield for advanced monitoring and alerts.
- Enable multi-factor authentication (MFA) for all users and train employees to spot phishing attempts.
Google says these measures can greatly reduce the risk of falling victim to such attacks and urges companies to stay alert to suspicious calls and app authorization requests.
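The monitoring advice above (control connected apps, restrict logins by IP, alert on bulk exports) can be turned into a simple detection check. The following is an added example, not code from Google or Salesforce; the event fields, app allowlist, IP ranges and row threshold are all assumptions, and the sample events are constructed rather than taken from a real Salesforce event log.

```python
"""Flag Salesforce-style API events matching the pattern described above:
a data export through a connected app that is not on the approved list,
from a source IP outside the company's allowed ranges, or in bulk."""
import ipaddress

# Assumed policy values for this example (not Salesforce defaults).
ALLOWED_APPS = {"Salesforce Data Loader", "Internal Reporting Service"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed
BULK_ROW_THRESHOLD = 10_000

# Constructed sample events in a simplified CSV layout.  The column names
# are assumptions for this example, not Salesforce's EventLogFile schema.
SAMPLE_EVENTS = """\
user,app,source_ip,rows
alice@example.com,Salesforce Data Loader,203.0.113.10,500
bob@example.com,My Ticket Portal,198.51.100.7,250000
carol@example.com,Internal Reporting Service,198.51.100.9,200
dave@example.com,Salesforce Data Loader,203.0.113.22,150000
"""


def parse_events(text: str) -> list[dict]:
    """Parse the CSV text into one dict per event; 'rows' becomes an int."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    events = []
    for line in lines[1:]:
        record = dict(zip(header, line.split(",")))
        record["rows"] = int(record["rows"])
        events.append(record)
    return events


def ip_allowed(ip: str) -> bool:
    """True if the source address falls inside an allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def flag_event(event: dict) -> list[str]:
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if event["app"] not in ALLOWED_APPS:
        reasons.append("unapproved connected app")
    if not ip_allowed(event["source_ip"]):
        reasons.append("source IP outside allowed ranges")
    if event["rows"] >= BULK_ROW_THRESHOLD:
        reasons.append(f"bulk export of {event['rows']} rows")
    return reasons


def find_suspicious(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged user to their reasons; unflagged users are omitted."""
    return {ev["user"]: r for ev in events if (r := flag_event(ev))}
```

An event that hits two or more reasons at once (an unapproved app exporting in bulk from an unknown network) is the combination that matches the attack described above and deserves the fastest response.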