How Google, Adidas, and More Were Breached in a Salesforce Scam

A sophisticated hacking campaign has left multiple high-profile companies, including tech giant Google, luxury brands like Adidas and Louis Vuitton, and jeweler Pandora, vulnerable to cyber attacks. The attackers, known as the "ShinyHunters" group, employed a simple yet effective tactic: making phone calls disguised as IT support personnel.

The hackers tricked employees into handing over access to their Salesforce platforms, allowing them to extract sensitive data, including business information, contact details, and more. This attack method highlights the vulnerability that all businesses face, regardless of size or industry.

The Attack Method

Security researchers at Google Threat Intelligence Group (GTIG) first uncovered the hacking campaign in June. However, it wasn't until recently that they realized their own company had been hit by the same tactic. Other victims include Allianz Life, Qantas Airways, and Pandora Jewelry.

The attackers exploited a Salesforce feature that allows users to connect external apps, such as mapping tools or newsletter platforms. By tricking employees into connecting to a fraudulent version of Salesforce's "Data Loader" app, hackers could access large quantities of data stored or managed within the platform.

The Attack Process

Once ensnared in the phone scam, employees were prompted to enter an 8-digit code while connecting the external app. However, this code was actually a key that unlocked a data exfiltration program owned and operated by the hackers. Once inside, the attackers could roam free within the company's Salesforce data, stealing whatever they saw fit.

In some cases, the attackers expanded their reach into other corporate online accounts, including Microsoft 365, revealing sensitive messages and emails.
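Because the attack depends on an employee authorizing a fraudulent "Data Loader" app, one defensive check is to compare every connected-app authorization against an approved list and flag names that imitate an approved app. The following is an added example, not code from the original article or from Salesforce; the record fields, app ids and allowlist are constructed assumptions rather than a real export format.

```python
import re
from difflib import SequenceMatcher

# Assumption: apps the organisation has approved, keyed by a hypothetical app id.
APPROVED_APPS = {"app-001": "Data Loader", "app-002": "Newsletter Sync"}

# Constructed sample records; field names are hypothetical.
AUTHORIZATIONS = [
    {"user": "alice", "app_id": "app-001", "app_name": "Data Loader"},
    {"user": "bob", "app_id": "app-913", "app_name": "Data L0ader"},
    {"user": "carol", "app_id": "app-877", "app_name": "My Ticket Portal"},
    {"user": "dave", "app_id": "app-002", "app_name": "Newsletter Sync"},
    {"user": "erin", "app_id": "app-555", "app_name": "DataLoader (IT Support)"},
]

# Fold common digit-for-letter swaps so "L0ader" compares equal to "Loader".
_SWAPS = str.maketrans("0135", "oles")


def normalize(name):
    """Lowercase, undo digit swaps, and drop spaces and punctuation."""
    return re.sub(r"[^a-z0-9]", "", name.lower().translate(_SWAPS))


def imitated_app(app_name, threshold=0.8):
    """Return the approved app name that app_name resembles, or None."""
    candidate = normalize(app_name)
    for approved in APPROVED_APPS.values():
        target = normalize(approved)
        close = SequenceMatcher(None, candidate, target).ratio() >= threshold
        if target in candidate or close:
            return approved
    return None


def review_authorizations(records):
    """Flag every authorization whose app id is not on the allowlist."""
    findings = []
    for rec in records:
        if rec["app_id"] in APPROVED_APPS:
            continue  # approved app id: nothing to report
        match = imitated_app(rec["app_name"])
        reason = f"lookalike of {match}" if match else "unapproved app"
        findings.append((rec["user"], rec["app_name"], reason))
    return findings


if __name__ == "__main__":
    for finding in review_authorizations(AUTHORIZATIONS):
        print(finding)
```

A lookalike finding deserves faster escalation than a plain unapproved app, since it suggests the user was led to believe the app was the legitimate one.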

The Consequences

At Google, the hackers accessed a Salesforce instance used to store contact information and related notes for small and medium businesses. Although the data retrieved was basic and publicly available, it still poses a significant risk to the company's reputation and customer trust.

According to Bleeping Computer, the ShinyHunters cybercrime group is still stealing business data through this attack campaign. Once they have the data, they extort victims into paying a hefty ransom or risk having the data exposed online.

How to Stay Safe from the Salesforce Scam

This attack highlights the importance of recognizing social engineering scams and using always-on cybersecurity measures to protect your business. Here are some actionable tips:

  • Stay vigilant: Be aware of phone calls or messages that ask for sensitive information or access to your platform.
  • Verify authenticity: Always verify the identity of the person on the other end of the call or message.
  • Use strong passwords: Use complex and unique passwords for all accounts, including Salesforce.
  • Maintain up-to-date software: Ensure that your Salesforce platform and other apps are updated with the latest security patches.
  • Implement multi-factor authentication: Add an extra layer of security to prevent unauthorized access.

By taking these precautions, you can help protect your business from this type of attack and safeguard sensitive data. Remember, cybersecurity is an ongoing effort – stay informed, stay vigilant, and always be prepared for the unexpected.