Introduction
In June 2025, Google’s internal Salesforce instance, used for managing small and medium-sized business (SMB) client data, was breached in a sophisticated cyberattack orchestrated by the UNC6040 threat group, associated with the notorious ShinyHunters collective. The incident combined advanced voice phishing (vishing), OAuth application abuse, and anonymization methods, resulting in the exposure of SMB contact data and triggering widespread scrutiny of SaaS risk management and social engineering threats.
Timeline and Incident Overview
- Early June 2025: Google identified unauthorized access to its Salesforce CRM system, with attackers exfiltrating client contact information.
- Attack Duration: The extortion phase—including demands for Bitcoin—occurred within hours of initial compromise, while data exfiltration activities leveraged anonymization and encrypted channels.
- Parallel Campaigns: Around the same time, a related breach (UNC6395) targeted Salesforce integrations, notably Salesloft Drift, affecting a wider enterprise ecosystem.
Attack Methodology and Technical Breakdown
- Voice Phishing (Vishing): UNC6040 impersonated Google IT support in convincing phone calls, persuading employees to authorize a malicious application against their Salesforce accounts.
- OAuth App Abuse: Attackers deployed a fraudulent “Connected App” mimicking Salesforce’s Data Loader, gaining broad query and export permissions without raising immediate alarms. Custom Python scripts automated large-scale exports.
- Anonymization: Calls were routed through privacy-centric services (e.g., Mullvad VPN), and exfiltration relied on the TOR network to mask the attackers’ location.
- Data Stolen: No Google user passwords or financial data were leaked. Exposed information was limited to business names, emails, phone numbers, and associated sales notes for SMB clients.
- Rapid Extortion Tactics: Attackers issued Bitcoin ransom demands with short deadlines, threatening public data leaks or dark web publication.
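The connected-app abuse above hinges on a display name ("Data Loader") that looked legitimate while the app itself was not the registered one. The following detection sketch is an added example, not code from the incident report or from Salesforce: it keys approved apps on their OAuth consumer key rather than their name, aggregates exported rows per user and app, and flags lookalike or unknown apps and bulk-volume exports. The event rows are constructed, and the field names (EVENT_TYPE, CLIENT_NAME, CONSUMER_KEY, ROWS_PROCESSED, SOURCE_IP), the placeholder consumer keys and the threshold are assumptions modelled loosely on Salesforce event-log exports.

```python
"""Flag bulk exports by connected apps that are unknown or impersonate an
approved app. Added example; field names and keys are assumptions."""
from collections import defaultdict

# Approved connected apps keyed by OAuth consumer key (placeholder values).
# Keying on the consumer key, not the display name, is the point: a lookalike
# name with a different key is exactly the pattern seen in the incident.
APPROVED_APPS = {
    "CONSUMER_KEY_DATALOADER_PLACEHOLDER": "Salesforce Data Loader",
    "CONSUMER_KEY_REPORTING_PLACEHOLDER": "Internal Reporting",
}

# Rows per (user, app) above which an export is treated as bulk (constructed
# threshold; tune to the org's own baseline).
BULK_ROW_THRESHOLD = 100_000

# Constructed event rows in the shape of Salesforce API / Bulk API log entries.
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "BulkApi", "USER_ID": "005A1", "CLIENT_NAME": "Salesforce Data Loader",
     "CONSUMER_KEY": "CONSUMER_KEY_DATALOADER_PLACEHOLDER", "ROWS_PROCESSED": 4_000,
     "SOURCE_IP": "203.0.113.10"},
    {"EVENT_TYPE": "BulkApi", "USER_ID": "005B2", "CLIENT_NAME": "Data Loader",
     "CONSUMER_KEY": "CONSUMER_KEY_UNKNOWN_0001", "ROWS_PROCESSED": 150_000,
     "SOURCE_IP": "198.51.100.7"},
    {"EVENT_TYPE": "BulkApi", "USER_ID": "005B2", "CLIENT_NAME": "Data Loader",
     "CONSUMER_KEY": "CONSUMER_KEY_UNKNOWN_0001", "ROWS_PROCESSED": 90_000,
     "SOURCE_IP": "198.51.100.7"},
    {"EVENT_TYPE": "API", "USER_ID": "005C3", "CLIENT_NAME": "Internal Reporting",
     "CONSUMER_KEY": "CONSUMER_KEY_REPORTING_PLACEHOLDER", "ROWS_PROCESSED": 500,
     "SOURCE_IP": "203.0.113.12"},
]


def _normalize(name):
    """Lower-case and drop the vendor prefix so lookalike names collide."""
    return " ".join(name.lower().replace("salesforce", "").split())


def classify_app(consumer_key, client_name, approved=APPROVED_APPS):
    """Return 'approved', 'lookalike' (name matches an approved app but the
    consumer key does not) or 'unknown'."""
    if consumer_key in approved:
        return "approved"
    if _normalize(client_name) in {_normalize(n) for n in approved.values()}:
        return "lookalike"
    return "unknown"


def find_bulk_export_findings(events, threshold=BULK_ROW_THRESHOLD, approved=APPROVED_APPS):
    """Aggregate exported rows per (user, consumer key) and emit a finding for
    each aggregate from a non-approved app or above the bulk threshold."""
    totals = defaultdict(int)
    meta = {}
    for e in events:
        if e["EVENT_TYPE"] not in ("BulkApi", "API"):
            continue
        key = (e["USER_ID"], e["CONSUMER_KEY"])
        totals[key] += int(e["ROWS_PROCESSED"])
        meta[key] = (e["CLIENT_NAME"], e["SOURCE_IP"])

    findings = []
    for (user, ckey), rows in totals.items():
        name, ip = meta[(user, ckey)]
        status = classify_app(ckey, name, approved)
        reasons = []
        if status != "approved":
            reasons.append(f"{status} connected app '{name}'")
        if rows > threshold:
            reasons.append(f"{rows} rows exported (threshold {threshold})")
        if reasons:
            findings.append({"user": user, "consumer_key": ckey, "source_ip": ip,
                             "rows": rows, "reasons": reasons,
                             "severity": "high" if len(reasons) > 1 else "medium"})
    findings.sort(key=lambda f: f["rows"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_bulk_export_findings(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["user"], f["consumer_key"], "; ".join(f["reasons"]))
```

Run as-is it reports one high-severity finding: user 005B2 exported 240,000 rows through an app whose name matches Data Loader but whose consumer key is not registered. A real deployment would read the event rows from the org's event log export and keep the approved-app registry in sync with the connected-app inventory.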
Affected Systems, Organizations, and Scope
- Primary: Google’s Salesforce instance holding SMB contact details.
- Additional Victims: Ongoing campaigns linked to ShinyHunters/UNC6040 impacted major brands including Adidas, Qantas, Allianz Life, LVMH, Chanel, AT&T, Santander, Starbucks Singapore, Cisco, Pandora, and others, primarily via similar Salesforce-targeted strategies.
- Broader Impact: Parallel attacks targeted hundreds of other Salesforce customers and connected applications (notably via the Salesloft Drift plugin), increasing the incident’s significance across the SaaS supply chain.
Mitigation and Prevention Strategies
- Staff Awareness and Training: Training employees to recognize vishing and suspicious IT requests remains critical, as attackers focus on exploiting human behavior over technical vulnerabilities.
- Stricter Control of Connected Apps: Implementing least privilege access, rigorous app approval processes, elimination of unnecessary third-party integrations, and real-time monitoring for atypical app behavior are recommended controls.
- Multi-Factor Authentication (MFA): MFA for all administrative accounts and sensitive access points is advised to limit credential-based attacks.
- Incident Response Coordination: Immediate revocation of OAuth tokens, audit of Salesforce access logs, and engagement with law enforcement (such as the FBI) for coordinated response and threat intelligence sharing.
- Vendor Guidance: Salesforce and Google have released detailed guidance for restricting connected apps, monitoring user permissions, and auditing user activity to prevent recurrence.
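The connected-app controls and incident-response steps above can be expressed as a policy check over the org's connected-app inventory. The block below is an added example, not Salesforce's or Google's guidance code: it audits each app for least-privilege violations (unapproved apps, the `full` OAuth scope, broad scopes combined with user self-authorization, unused apps) and turns the result into a response plan of revoke, restrict, remove or ok. The inventory rows and consumer keys are constructed; the scope names and the two permitted-user policy strings are Salesforce's, but the inventory shape and the `active_tokens` field are assumptions, and nothing here calls a Salesforce API.

```python
"""Least-privilege audit of a connected-app inventory and the resulting
response plan. Added example; inventory shape is an assumption."""

# Scopes that grant broad read/export capability; 'full' supersedes all others.
BROAD_SCOPES = {"full", "api"}
ADMIN_APPROVED = "Admin approved users are pre-authorized"
SELF_AUTHORIZE = "All users may self-authorize"

# Constructed inventory, as an admin might export it after the incident.
SAMPLE_INVENTORY = [
    {"name": "Salesforce Data Loader", "consumer_key": "KEY_DATALOADER_PLACEHOLDER",
     "scopes": ["api", "refresh_token"], "permitted_users": ADMIN_APPROVED,
     "approved": True, "active_tokens": 12},
    {"name": "Data Loader", "consumer_key": "KEY_UNKNOWN_0001",
     "scopes": ["full", "refresh_token"], "permitted_users": SELF_AUTHORIZE,
     "approved": False, "active_tokens": 1},
    {"name": "Internal Reporting", "consumer_key": "KEY_REPORTING_PLACEHOLDER",
     "scopes": ["api", "refresh_token", "web"], "permitted_users": SELF_AUTHORIZE,
     "approved": True, "active_tokens": 40},
    {"name": "Legacy Sync", "consumer_key": "KEY_LEGACY_PLACEHOLDER",
     "scopes": ["api"], "permitted_users": ADMIN_APPROVED,
     "approved": True, "active_tokens": 0},
]

UNUSED = "unused: candidate for removal"
FULL_SCOPE = "requests 'full' scope"


def audit_app(app):
    """Return the list of policy violations for one app (empty means compliant)."""
    issues = []
    if not app["approved"]:
        issues.append("not in approved inventory")
    if "full" in app["scopes"]:
        issues.append(FULL_SCOPE)
    # Broad scopes are tolerable only when an admin pre-authorizes who may use them.
    if app["permitted_users"] != ADMIN_APPROVED and BROAD_SCOPES & set(app["scopes"]):
        issues.append("broad scope with self-authorization allowed")
    if app["active_tokens"] == 0:
        issues.append(UNUSED)
    return issues


def build_response_plan(inventory):
    """Map each consumer key to an action:
    revoke   - unapproved, or requests 'full' scope (tokens invalidated first)
    restrict - approved but over-privileged (tighten scopes / permitted users)
    remove   - approved but unused
    ok       - compliant"""
    plan = {}
    for app in inventory:
        issues = audit_app(app)
        if not issues:
            action = "ok"
        elif not app["approved"] or FULL_SCOPE in issues:
            action = "revoke"
        elif issues == [UNUSED]:
            action = "remove"
        else:
            action = "restrict"
        plan[app["consumer_key"]] = {"name": app["name"], "action": action, "issues": issues}
    return plan


def tokens_to_revoke(inventory, plan):
    """Count of active OAuth tokens an immediate revocation pass would invalidate."""
    return sum(a["active_tokens"] for a in inventory
               if plan[a["consumer_key"]]["action"] == "revoke")


if __name__ == "__main__":
    plan = build_response_plan(SAMPLE_INVENTORY)
    for key, entry in plan.items():
        print(f"{entry['action']:8} {entry['name']:24} {key}  {'; '.join(entry['issues'])}")
    print("tokens to revoke:", tokens_to_revoke(SAMPLE_INVENTORY, plan))
```

The ordering matters for incident response: the `revoke` set is actioned before any audit of access logs, since live tokens are what an attacker continues to use; `restrict` and `remove` can follow once the immediate exposure is closed.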
Background Information
ShinyHunters/UNC6040
This threat group is historically known for high-profile data leaks and extortion schemes via dark web platforms. The “vishing-plus-OAuth abuse” campaign represents an evolution from traditional credential phishing to direct exploitation of SaaS ecosystem trust relationships.
Rise in SaaS Social Engineering
The incident underscores an industry-wide shift where attackers increasingly target trusted cloud services—not by exploiting software flaws, but via intricate social engineering, emphasizing the need for user vigilance and SaaS-specific security protocols.
Tables and Data
Table 1: Summary of Attack Indicators and Strategies

| Indicator/Technique | Details | Tools/Methods | Purpose |
| --- | --- | --- | --- |
| Initial Access Vector | Vishing / IT impersonation calls | Phone, social engineering | Obtain app approval, credentials |
| Lateral Movement | OAuth connected app abuse | Custom Python scripts | Bulk data export |
| Data Exfiltration | TOR network, encrypted transfers | Automated tools | Hide attacker’s location |
| Extortion | Bitcoin ransom, threats of dark web leaks | Email, phone | Monetize access |
Table 2: Major Victims and Affected Entities

| Organization | Type of Data Compromised | Group Involved | Noted Impacts |
| --- | --- | --- | --- |
| Google (Salesforce) | SMB client contacts, notes | UNC6040/ShinyHunters | Brand risk, compliance alert |
| Adidas, Qantas, etc. | Varies (contact, sales info) | UNC6040 | Potential phishing targets |
| Salesforce Customers | User, account, OAuth token data | UNC6395 | Broad access to customer info |
Supporting Documentation