Google Suffers Data Breach in Ongoing Salesforce Data Theft Attacks
Google has become the latest company to fall victim to a wave of Salesforce CRM data theft attacks conducted by the notorious ShinyHunters extortion group. In June, Google warned that a threat actor they classify as 'UNC6040' was targeting companies' employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data.
The campaign, which has been ongoing for several months, involves the ShinyHunters group using social engineering to trick employees into granting access to their companies' Salesforce data. The stolen data is then used to extort the affected companies, which are threatened that it will be publicly leaked unless they pay a ransom.
Google's Data Breach Update
In a brief update to its earlier statement, Google confirmed that one of its corporate Salesforce instances was breached and customer data was stolen in June. According to Google, the instance used to store contact information and related notes for small and medium businesses was impacted by the same UNC6040 activity described in the initial post.
Google responded to the activity by performing an impact analysis and beginning mitigations. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The stolen data consisted of basic, largely publicly available business information, such as business names and contact details.
The Masterminds Behind the Attacks
While Google initially classified the threat actors behind these attacks as 'UNC6040' or 'UNC6240', BleepingComputer has learned that the notorious threat actor known as ShinyHunters is behind the attacks. ShinyHunters has been responsible for a wide range of breaches, including the PowerSchool, Oracle Cloud, and Snowflake data thefts, as well as breaches at AT&T, NitroPDF, Wattpad, MathWay, and many more.
In a conversation with BleepingComputer yesterday, ShinyHunters claimed to have breached many Salesforce instances, with attacks still ongoing. The threat actor boasted of breaching a trillion-dollar company and said they were considering simply leaking that company's data rather than attempting to extort it. It is unclear whether this company is Google.
The Extortion Demands
The ShinyHunters group is using email to extort companies, demanding they pay a ransom to prevent the data from being publicly leaked. Once the threat actor has finished privately extorting companies, they plan to publicly leak or sell the stolen data on a hacking forum.
BleepingComputer has learned that one company has already paid $400,000 in Bitcoin to prevent the leak of its data. Other companies impacted in these attacks include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
As the wave of Salesforce data theft attacks continues, companies should take proactive measures to protect their Salesforce instances and the employees who administer them, since the initial access in these attacks comes through social engineering rather than a software flaw. Staying vigilant and maintaining strong security practices can help reduce the risk of falling victim to this type of attack.