Hackers Breach Google’s Salesforce Database, Exfiltrating Client Data
Google has officially confirmed that hackers gained unauthorized access to one of its corporate Salesforce databases and exfiltrated data related to small and medium-sized business clients. The disclosure appears in an updated June bulletin from Google Threat Intelligence, which states that the compromised system stored contact information and work notes associated with these clients. The breach occurred in June, and according to analysts, the attackers were able to extract the data in a short window before access was cut off.
Google attributes the attack to UNC6040, a group linked to the better-known ransomware brand ShinyHunters. This collective has recently been implicated in a series of targeted campaigns against Salesforce customers, including high-profile incidents affecting Dior, Chanel, Pandora, and, reportedly, Allianz. The report notes that the initial intrusion was likely achieved through vishing or other forms of social engineering aimed at obtaining CRM access via employees.
Notably, Cisco was also caught in the same wave of attacks. The company confirmed that one of its employees fell victim to a voice phishing scheme, granting attackers access to a cloud-based customer relationship management system. Cisco did not confirm whether the system in question was Salesforce. The compromised database contained only a limited set of information, primarily basic profile details of users registered on Cisco.com. According to the company, no passwords or sensitive data were affected.
Google emphasized that the stolen information primarily consisted of publicly available business data, including company names and contact details. The company declined to comment on whether any extortion or ransom attempts had been made.
However, Google’s analysts cautioned that ShinyHunters may shift to a more aggressive pressure strategy. The group is reportedly preparing to launch its own leak site to publish stolen data, thereby amplifying both the psychological and reputational damage inflicted on victims.
ShinyHunters has long been associated with major corporate data theft incidents, including last year’s breach of Snowflake’s infrastructure, in which dozens of clients were compromised. According to Google, the group’s current activity indicates a growing operational scale and increasingly sophisticated social engineering methods targeting the corporate sector.
The Google Threat Intelligence team has pledged to continue monitoring UNC6040’s activity and to provide timely updates as the situation evolves.