Google’s Salesforce Environment Compromised – User Information Exfiltrated

Google has confirmed that one of its corporate Salesforce instances was breached in June by sophisticated threat actors, resulting in the theft of contact information for small and medium businesses.

The incident highlights the growing threat of voice phishing attacks targeting enterprise cloud environments and demonstrates how social engineering tactics continue to evolve in sophistication and effectiveness.

The Breach Details

According to Google’s Threat Intelligence Group (GTIG), the attack was carried out by UNC6040, a financially motivated threat cluster specializing in voice phishing campaigns designed to compromise Salesforce instances for large-scale data theft.

The compromised instance contained contact information and related notes for small and medium businesses that work with Google.

Google’s security team responded rapidly to the incident, conducting a comprehensive impact analysis and implementing immediate mitigation measures.

The company’s investigation revealed that threat actors successfully retrieved data during a limited window before access was terminated. 

The exfiltrated information was confined to basic business details, including company names and contact information that is largely publicly available.

UNC6040 employs particularly convincing telephone-based social engineering techniques, with operators impersonating IT support personnel to manipulate victims.

The threat actors typically target employees within English-speaking branches of multinational corporations, tricking them into actions that grant unauthorized access to Salesforce environments.

A key component of their methodology involves deceiving victims into authorizing malicious connected applications to their organization’s Salesforce portal.

During vishing calls, attackers guide targets to Salesforce’s connected app setup page to approve modified versions of the legitimate Data Loader application, inadvertently granting extensive data access capabilities.

GTIG has observed significant evolution in UNC6040’s tactics, techniques, and procedures. While the group initially relied on standard Salesforce Dataloader applications, they have shifted toward using custom Python scripts that perform similar functions.

The updated attack chain now involves voice calls to enroll victims while using Mullvad VPN or TOR networks, with subsequent data collection automated through TOR IPs to complicate attribution efforts.

The breach connects to broader extortion campaigns tracked as UNC6240, which follow UNC6040 intrusions sometimes months after initial data theft.

These extortion attempts involve calls or emails demanding bitcoin payments within 72 hours, with perpetrators claiming affiliation with the notorious ShinyHunters hacking group.

Google’s security researchers believe threat actors using the ShinyHunters brand may be preparing to escalate tactics by launching a data leak site, likely intended to increase pressure on victims of recent Salesforce-related breaches.

This incident underscores the continuing effectiveness of voice phishing as an attack vector and highlights how threat actors increasingly target IT support personnel as primary access points for valuable enterprise data, demonstrating the critical need for enhanced security awareness training and verification protocols.

The Ultimate SOC-as-a-Service Pricing Guide for 2025– Download for Free