In June, one of Google’s corporate Salesforce instances was affected by activity consistent with the UNC6040 campaign described in the post. Google responded by conducting an impact analysis and implementing mitigation steps. The affected instance stored contact information and related notes for small and medium-sized businesses. Investigators confirmed that data was accessed during a short window before the connection was severed. The retrieved data was limited to basic, largely public business information such as names and contact details.
The Google Threat Intelligence Group (GTIG) tracks extortion campaigns following UNC6040 intrusions under the designation UNC6240, which typically unfold months after the initial data breach. The attackers contact employees of the affected organization via phone or email, demanding bitcoin payments within 72 hours. Throughout these engagements, UNC6240 has repeatedly claimed to be the group ShinyHunters.
GTIG believes that actors using the ShinyHunters moniker may be planning to escalate their tactics by launching a data leak site (DLS). This move is likely intended to heighten pressure on victims, particularly those impacted by recent Salesforce-related breaches tied to UNC6040. GTIG continues to monitor these actors and will issue updates as needed.
Sender addresses associated with UNC6240 extortion emails include:
GTIG has documented an evolution in UNC6040’s tactics, techniques, and procedures (TTPs). Initially dependent on Salesforce's Data Loader application, the group has since transitioned to custom Python-based applications that perform similar data-exfiltration functions. The updated attack chain typically begins with a voice phishing call, often conducted through Mullvad VPN or TOR IP addresses. After engaging the victim, the group automates data collection via TOR, further complicating attribution efforts.
Recent intrusions show that UNC6040 has moved from creating Salesforce trial accounts using webmail to using compromised accounts from unrelated organizations to register their malicious apps. GTIG has released a collection of Indicators of Compromise (IOCs) related to this campaign.
GTIG has been tracking UNC6040, a financially motivated threat cluster specializing in voice phishing (vishing) campaigns targeting Salesforce instances for data theft and extortion. Over the past several months, UNC6040 operators have consistently impersonated IT support staff during social engineering phone calls to deceive employees, particularly in English-speaking branches of multinational companies. These interactions often led to the unintentional sharing of credentials or granting of unauthorized access. Notably, these incidents involved no known Salesforce software vulnerabilities.
A common tactic involved tricking victims into authorizing a malicious connected app via Salesforce’s setup page. These apps, often disguised as modified versions of the legitimate Salesforce Data Loader, allowed attackers to query and exfiltrate data from customer environments. Salesforce has issued guidance on defending against such threats.
In some cases, extortion did not begin until months later, suggesting that UNC6040 may be selling or sharing stolen data with other actors who then carry out extortion efforts. During these campaigns, the actor frequently invoked the ShinyHunters name to pressure victims.
GTIG has classified much of the identified activity under UNC6040. This group uses voice phishing to gain access and then immediately exfiltrates data using Salesforce's Data Loader. Later, the same credentials are used to move laterally into other cloud services, including Okta and Microsoft 365.
UNC6040 infrastructure included Salesforce access points as well as an Okta phishing panel. Victims were tricked into visiting these phishing pages during the social engineering calls, and were asked to provide login credentials and MFA codes. These were used to install the malicious Data Loader, enabling data theft.
The group also heavily relied on Mullvad VPN IPs for data exfiltration and system access. GTIG observed overlaps between UNC6040 infrastructure and techniques and those previously linked to groups affiliated with "The Com" collective, including targeting of Okta credentials, IT support impersonation, and a focus on English-speaking users. GTIG noted that these overlaps likely stem from shared actor communities, not necessarily direct coordination.
Data Loader is a Salesforce tool for bulk importing, exporting, and updating data. It includes a user interface and command-line support, with OAuth authentication and app-level integration. Threat actors exploit this by guiding victims to open the connected app setup and enter a "connection code", linking the attacker's modified app to the environment.
Some incidents involved customized versions of Data Loader. The sophistication varied: some operators used small chunk sizes and had retrieved only about 10% of the data before being detected, while others tested with small queries before scaling up to full table extraction.
In certain cases, the application was renamed to “My Ticket Portal”, matching the pretext of IT support used during vishing calls.
Voice phishing, while not new, remains highly effective. UNC6040’s campaign is notable for its targeted focus on Salesforce data, and its exploitation of support personnel as an access vector. The group’s evolving TTPs underscore the continuing threat posed by human-targeted social engineering, not just technical exploits.
With delays between breach and extortion, many organizations could face future extortion demands, including downstream partners.
GTIG emphasizes a shared responsibility model in cloud security. Salesforce offers strong native controls, but organizations must ensure correct configuration, limited access, and training. GTIG recommends the following:
1. Principle of Least Privilege
2. Manage Connected Apps
3. Enforce IP Restrictions
4. Use Salesforce Shield
5. Enforce and Educate on MFA
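The recommendations above map directly onto detections a defender can run over Salesforce export activity: an export issued by a connected app outside the approved set, a session from an IP outside the enforced ranges, and, to catch the chunked extraction described earlier, many small queries from one user and app that add up to a bulk pull. The script below is an added example and is not GTIG's or Salesforce's code. Its record layout, the `ExportEvent` fields, the allowlisted app names, the CIDR range and the thresholds are all constructed assumptions; real Event Monitoring field names would have to be mapped onto it.

```python
"""Triage Salesforce-style data-export events for signs of bulk exfiltration
through an unapproved connected app. Added example, not GTIG's or Salesforce's
code. The record layout and every sample value below are constructed for the
demo; real Event Monitoring exports use different field names."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: connected apps the org has knowingly approved (hypothetical names)
APPROVED_APPS = {"Corp Data Loader", "Finance Sync"}
# Constructed policy: login IP ranges the org enforces (hypothetical CIDR)
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Detection thresholds (assumptions; tune per org)
ROW_THRESHOLD = 5_000          # rows exported by one user+app within WINDOW
WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class ExportEvent:
    ts: datetime
    user: str
    app: str          # connected app that issued the query
    source_ip: str
    rows: int         # rows returned by this single query


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    app: str
    detail: str


def ip_allowed(ip: str) -> bool:
    """True when the source address falls inside an enforced login range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def triage(events: list[ExportEvent]) -> list[Alert]:
    alerts: list[Alert] = []
    seen: set[tuple] = set()
    # Rules 1 and 2: per-event checks, de-duplicated per user/app(/ip)
    for ev in events:
        if ev.app not in APPROVED_APPS:
            key = ("unapproved_app", ev.user, ev.app)
            if key not in seen:
                seen.add(key)
                alerts.append(Alert("unapproved_app", ev.user, ev.app,
                                    "connected app is not in the approved set"))
        if not ip_allowed(ev.source_ip):
            key = ("ip_outside_policy", ev.user, ev.app, ev.source_ip)
            if key not in seen:
                seen.add(key)
                alerts.append(Alert("ip_outside_policy", ev.user, ev.app,
                                    f"export from {ev.source_ip}, outside enforced ranges"))
    # Rule 3: sliding window over rows per user+app; catches many small chunks
    by_actor: dict[tuple[str, str], list[ExportEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_actor[(ev.user, ev.app)].append(ev)
    for (user, app), evs in by_actor.items():
        window: list[ExportEvent] = []
        total = 0
        for ev in evs:
            window.append(ev)
            total += ev.rows
            while window and ev.ts - window[0].ts > WINDOW:   # drop events older than WINDOW
                total -= window.pop(0).rows
            if total > ROW_THRESHOLD:
                alerts.append(Alert("bulk_export", user, app,
                                    f"{total} rows across {len(window)} queries within {WINDOW}"))
                break
    return alerts


def sample_events() -> list[ExportEvent]:
    """Constructed sample: one routine export, then a chunked pull through a
    renamed app from an address outside the enforced range."""
    t0 = datetime(2025, 6, 1, 9, 0)
    events = [ExportEvent(t0, "alice", "Corp Data Loader", "198.51.100.10", 2000)]
    # small probe query first, then steady 500-row chunks every two minutes
    events.append(ExportEvent(t0 + timedelta(minutes=5), "bob", "My Ticket Portal", "203.0.113.7", 10))
    for i in range(12):
        events.append(ExportEvent(t0 + timedelta(minutes=10 + 2 * i), "bob",
                                  "My Ticket Portal", "203.0.113.7", 500))
    return events


if __name__ == "__main__":
    for a in triage(sample_events()):
        print(f"[{a.rule}] user={a.user} app={a.app}: {a.detail}")
```

The first two rules are cheap and should fire on a single event; the third is the one that matters for the chunking behaviour, because no individual 500-row query looks alarming on its own. In practice the approved-app set comes from the org's connected app policy and the CIDR list from the login IP ranges already enforced in profiles, so the detection and the preventive controls share one source of truth.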
By following these practices, organizations can better defend against threats like UNC6040 and the broader trend of vishing-facilitated cloud breaches. Ongoing review of Salesforce’s Security Guide is also recommended for additional protections.