Google Confirms Salesforce CRM Breach, Faces Extortion Threat
Google has confirmed a breach in one of its Salesforce Customer Relationship Management (CRM) instances, exposing data of some prospective Google Ads customers. The incident was reported by Databreaches.net, which revealed that the attackers had sent an extortion demand to the tech giant.
The Breach: What Happened?
According to Google's Threat Intelligence Group, one of its Salesforce database systems was breached by the threat actor ShinyHunters (also known as UNC6040). The instance in question was used to store contact information and related notes for small and medium-sized businesses.
Analysis revealed that data was retrieved by the threat actor during a small window of time before access was cut off. However, the stolen data consisted only of basic and largely publicly available business information, such as business names and contact details.
The Impact
Financial data was not impacted in this incident, and it did not affect Ads data in Google Ads Account, Merchant Center, Google Analytics, or other Ads products. The tech giant has already notified the affected individuals, who can expect to receive more information about the breach.
The Extortion Demand
ShinyHunters claimed that the Google breach involved around 2.55M records and demanded $2.3 million in Bitcoin from the company as ransom. However, they later claimed it was a prank. The threat actor is now using a custom tool to more quickly exfiltrate data from compromised Salesforce systems.
The Threat Actor: Who Are They?
ShinyHunters is described as a financially motivated group that uses voice phishing to target Salesforce systems for large-scale data theft and extortion. They pose as IT support, calling employees in English-speaking branches of global firms to trick them into granting access or sharing credentials.
The Tactic: Social Engineering
A common tactic used by ShinyHunters is getting victims to approve a fake Salesforce Data Loader app, giving the attackers the ability to steal sensitive data. In some cases, months may pass before extortion begins, sometimes under the name ShinyHunters to boost intimidation.
The Investigation Continues
Google's Threat Intelligence Group is tracking UNC6040 (ShinyHunters) and is working to mitigate the impact of this breach. The group is also aware of a similar incident that occurred in June, where Google responded to activity and performed an impact analysis.
The Takeaway
This incident serves as a reminder of the importance of data protection and cybersecurity measures. As organizations continue to rely on cloud-based services like Salesforce, it's crucial for them to stay vigilant and take proactive steps to prevent breaches like this one.