Threat Intelligence: Google Confirms Salesforce Data Breach by ShinyHunters
Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:
Google has confirmed a major Salesforce data breach affecting one of its corporate CRM instances. The cyberattack, carried out by the criminal group ShinyHunters (tracked as UNC6040), exposed customer contact information and internal notes for small and medium-sized business accounts.
The compromise was achieved by deploying a targeted vishing attack (voice phishing), a form of social engineering where attackers impersonated IT support to manipulate employees into granting system access.
In this case, ShinyHunters convinced victims to install a maliciously modified version of Salesforce’s Data Loader application. Once authorised, this connected fraudulent app allowed the attackers to extract sensitive customer records.
Google reports that the stolen data consisted mainly of business names, email addresses, phone numbers, and related account notes. While the company stated this was “largely publicly available” information, security researchers believe around 2.55 million records were taken.
The incident was quickly contained. Google terminated the unauthorised access, carried out a full impact assessment, implemented new security controls, and began notifying affected customers. Email notifications were completed by 8 August 2025.
Important notice: Payment data, Google Ads accounts, Merchant Center, and Analytics services were not affected.
Who are ShinyHunters?
ShinyHunters is a well-known cybercriminal group that first emerged around 2020. The group is suspected to operate from regions in Asia and Eastern Europe and is notorious for large-scale data theft campaigns targeting global enterprises.
The attack methods we’ve seen typically combine social engineering, credential theft, and exploitation of cloud application integrations. ShinyHunters has been linked to other high-profile breaches at well-known companies such as Cisco, Qantas, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Adidas, and Allianz Life, showing the scale of attacks the group can deploy.
The group often uses a delayed extortion model. After stealing data, they may wait weeks or months before contacting the victim with ransom demands. These demands can exceed $2 million in Bitcoin and are often accompanied by threats to leak the data on the dark web if a ransom payment is not made within a short timeframe.
While ShinyHunters has occasionally claimed ransom demands are made “for the lulz”, their history shows a consistent pattern of selling stolen data through underground forums and collaborating with other threat groups.
Why this breach matters
This incident highlights that Salesforce security risks are not always about technical vulnerabilities; they can stem from human error and trust exploitation. Even organisations with advanced cyber security defences can be compromised if employees are socially engineered into authorising malicious access.
For businesses using Salesforce, Microsoft 365, or other Software-as-a-Service (SaaS) platforms, this attack reinforces the need for strict identity management, app authorisation controls, and continuous monitoring of cloud environments. Threat actors like ShinyHunters can leverage legitimate APIs and connected apps to bypass traditional security tools.
How to protect against ShinyHunters-style vishing attacks
To reduce your risk of a similar Salesforce data breach, DigitalXRAID’s SOC analysts recommend:
- Enforcing Multi-Factor Authentication (MFA) for all CRM and SaaS logins, with phishing-resistant methods such as hardware keys where possible.
- Restricting third-party connected app installations through application whitelisting and central approval processes.
- Running regular security awareness training, including simulated vishing exercises, so staff can recognise and report suspicious calls.
- Monitoring Salesforce and other SaaS audit logs for unusual connected app approval requests, API usage spikes, or mass data exports.
- Applying least privilege access to limit data export permissions to essential staff only.
- Having a documented incident response plan that includes procedures for revoking malicious app permissions and isolating compromised accounts.
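The monitoring recommendation above can be turned into simple detection logic. The following is an added example, not DigitalXRAID's or Salesforce's code: it runs three rules over constructed event records (field names are simplified assumptions loosely modelled on Salesforce audit and event logs, not the platform's real schema), flagging approval of a connected app that is not on a central allow list, a cumulative mass export by one user, and a large export shortly after a new app approval by the same user. The allow list, row threshold and time window are assumed values to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, loosely modelled on Salesforce audit/event logs.
# Field names and values are simplified assumptions, not the platform's exact schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-05T09:03:00", "user": "alice", "type": "connected_app_approve", "app": "Data Loader", "rows": 0},
    {"ts": "2025-08-05T09:05:00", "user": "alice", "type": "bulk_api", "app": "Data Loader", "rows": 900_000},
    {"ts": "2025-08-05T09:20:00", "user": "alice", "type": "bulk_api", "app": "Data Loader", "rows": 800_000},
    {"ts": "2025-08-05T10:00:00", "user": "bob", "type": "bulk_api", "app": "Data Loader", "rows": 2_000},
    {"ts": "2025-08-05T10:30:00", "user": "bob", "type": "api", "app": "Mulesoft", "rows": 500},
]

APPROVED_APPS = {"Mulesoft"}           # assumed central approval (allow) list
EXPORT_ROW_THRESHOLD = 100_000         # assumed: cumulative rows per user that count as a mass export
APPROVAL_TO_EXPORT_WINDOW_MIN = 60     # assumed: app approval followed by export within this window

def detect(events, approved_apps=APPROVED_APPS, row_threshold=EXPORT_ROW_THRESHOLD,
           window_min=APPROVAL_TO_EXPORT_WINDOW_MIN):
    """Return (rule, user, app) alerts in detection order, each emitted at most once."""
    alerts, seen = [], set()
    last_approval = {}                 # (user, app) -> time of latest connected app approval
    rows_by_user = defaultdict(int)    # cumulative rows exported per user

    def emit(rule, user, app):
        if (rule, user, app) not in seen:
            seen.add((rule, user, app))
            alerts.append((rule, user, app))

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["app"])
        if e["type"] == "connected_app_approve":
            last_approval[key] = ts
            if e["app"] not in approved_apps:          # rule 1: app bypassed central approval
                emit("unapproved_connected_app", *key)
        elif e["type"] in ("bulk_api", "api"):
            before = rows_by_user[e["user"]]
            rows_by_user[e["user"]] += e["rows"]
            if before < row_threshold <= rows_by_user[e["user"]]:   # rule 2: crossed mass-export line
                emit("mass_export", *key)
            approved_at = last_approval.get(key)        # rule 3: big export right after new app approval
            if approved_at and (ts - approved_at).total_seconds() <= window_min * 60 \
                    and e["rows"] >= row_threshold:
                emit("export_after_new_app_approval", *key)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Bob's small, routine exports through an approved app produce no alerts, while Alice's unapproved app followed by large exports trips all three rules.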
If you need any further guidance on this, please contact DigitalXRAID’s Security Operations Centre analysts. We’re here to support you.
If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak with one of our experts. They’re available 24 hours a day, 7 days a week.
Bookmark this page in case you ever need us.