Cyber‑Threat Alert Hits Google via Salesforce Breach


Google recently confirmed that one of its corporate Salesforce instances was accessed in an ongoing extortion campaign publicly claimed by ShinyHunters. The intruders retrieved internal records, including contact details and support case notes for small and medium-sized business customers. Google stated that the data was confined to basic, largely publicly available business information and that no sensitive data such as passwords or payment details was exposed.

Instead of exploiting a software vulnerability, the attackers relied on social engineering. In voice-phishing (vishing) calls they posed as IT support and walked employees through authorizing a modified version of Salesforce's legitimate Data Loader tool as a connected app in the victim's Salesforce environment. Once the employee completed that approval, the attackers held an authorized connection running with that user's own permissions, which gave them direct API access to Google's CRM data.

Once inside, the attackers used the authorized app to extract business records in bulk. In some of the campaign's intrusions, credentials and tokens gathered this way were then reused to move laterally into other cloud services, including Microsoft 365, Okta and other identity platforms. Google also noted that the actors routed their activity through residential proxies, so their sessions blended in with ordinary user traffic and were harder to spot.

A Wider Pattern Targeting Major Brands

The Google breach is part of a larger series of intrusions attributed to the activity cluster that Google's Threat Intelligence Group tracks as UNC6040. The campaign has already hit multiple global brands, including Chanel, Qantas, Louis Vuitton, Adidas and Allianz Life. In each of the reported cases the data was taken from a third-party customer-service platform, typically a Salesforce instance run by or for an external vendor, rather than from the brand's own core systems.

Rather than breaking authentication, the threat actors abused it. Impersonating internal IT support, they talked employees into granting a connected app OAuth permissions. Because the legitimate user completed the approval, any MFA prompt was satisfied by that user, and the attacker walked away with a valid OAuth token that provided API access without a stolen password and without the failed or anomalous login that would normally trigger an alert.

Salesforce has confirmed that its core platform remains uncompromised: no vulnerability in the platform was involved, and the intrusions came down to social engineering, misused connected applications and, in some cases, stolen credentials. Salesforce now urges customers to review and restrict which connected apps may run in their orgs, enforce multi-factor authentication (MFA), and limit user privileges, in particular who may use the API and export data in bulk, to what each role actually needs.

Google's Threat Intelligence Group continues to monitor the campaign and has shared indicators of compromise (IOCs) and details of the attack techniques with the wider security community.

Takeaways for Cloud Security and Business Risk

This incident highlights a growing risk in cloud environments: trusted tools and ordinary user actions become weak points when nobody is watching them. Companies that rely on SaaS platforms such as Salesforce must protect not only their own systems but also the access policies and security standards of the third parties and vendors that hold their data.

Organizations should include vishing scenarios in employee training, in particular calls from "IT support" asking a user to approve or install a tool. It is equally important to apply the principle of least privilege and to disable unnecessary app integrations. Regular audits of connected apps and OAuth grants, together with monitoring of login and bulk-export behaviour (new app authorizations, large API pulls, sessions from unexpected networks), can catch an intrusion like this early, even when the initial access looks like a legitimate user approving a tool.
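The guidance above from Salesforce (review integrations, enforce MFA, least privilege) and the audit and monitoring advice here translate into a few concrete checks. The script below is an added example, not code from the article, Google or Salesforce: it runs three checks over a constructed batch of log records in a simplified JSON shape. The field names, the approved-app list, the IP ranges, the row threshold and the app name "Ticket Portal Sync" are all assumptions for illustration; real Salesforce event-monitoring exports use a different schema and must be mapped to this shape first.

```python
"""Three audit checks over Salesforce-style connected-app and bulk-API records.

Added example, not code from the article, Google or Salesforce. The record
shape is a simplified, assumed JSON form; the field names are NOT Salesforce's
real event-monitoring schema and would need mapping first.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy values (assumptions; substitute your own org's values).
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce for Outlook"}
CORPORATE_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),   # documentation range, stands in for office egress
    ipaddress.ip_network("198.51.100.0/24"),  # documentation range, stands in for VPN egress
]
ROWS_PER_WINDOW = 50_000  # rows one user may pull through the bulk API per log window


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    detail: str


def in_corporate_net(ip: str) -> bool:
    """True when the source address falls inside an approved egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def analyse(events: list[dict]) -> list[Alert]:
    """Return alerts for unapproved apps, off-network exports and export volume."""
    alerts: list[Alert] = []
    rows_by_user: dict[str, int] = defaultdict(int)
    for e in events:
        user, app, ip = e["user"], e["client_app"], e["source_ip"]
        if e["event"] == "connected_app_authorized" and app not in APPROVED_APPS:
            # The moment a vished employee approves the attacker's look-alike tool.
            # The login itself is legitimate, so this grant is the first visible signal.
            alerts.append(Alert(user, "unapproved_connected_app",
                                f"{app!r} authorised from {ip}"))
        elif e["event"] == "bulk_api_query":
            rows = int(e["rows"])
            rows_by_user[user] += rows
            if not in_corporate_net(ip):
                # The token is now used from the attacker's own infrastructure.
                alerts.append(Alert(user, "export_from_untrusted_network",
                                    f"{app!r} pulled {rows} rows from {ip}"))
    for user, rows in rows_by_user.items():
        if rows > ROWS_PER_WINDOW:
            # Mass extraction looks like many ordinary queries until you sum them.
            alerts.append(Alert(user, "export_volume",
                                f"{rows} rows exported in window (limit {ROWS_PER_WINDOW})"))
    return alerts


# Constructed sample records (not real logs). "Ticket Portal Sync" is a
# hypothetical name for an attacker-controlled connected app.
SAMPLE_EVENTS = [
    {"ts": "2025-08-05T09:02:11Z", "event": "bulk_api_query", "user": "admin@example.com",
     "client_app": "Salesforce Data Loader", "source_ip": "203.0.113.10", "rows": 2000},
    {"ts": "2025-08-05T10:15:40Z", "event": "connected_app_authorized", "user": "alice@example.com",
     "client_app": "Ticket Portal Sync", "source_ip": "203.0.113.22", "rows": 0},
    {"ts": "2025-08-05T10:21:05Z", "event": "bulk_api_query", "user": "alice@example.com",
     "client_app": "Ticket Portal Sync", "source_ip": "192.0.2.45", "rows": 40000},
    {"ts": "2025-08-05T10:33:19Z", "event": "bulk_api_query", "user": "alice@example.com",
     "client_app": "Ticket Portal Sync", "source_ip": "192.0.2.46", "rows": 40000},
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"[{a.reason}] {a.user}: {a.detail}")
```

Against the constructed sample, the admin's routine Data Loader export from the office range produces nothing, while the employee "alice" generates four alerts: the unapproved app grant (made from a corporate address, because the victim approved it), two bulk pulls from outside the corporate ranges, and a per-user volume alert once the two pulls are summed. The first of those checks is the one worth wiring into a real-time pipeline, since it fires before any data leaves.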

At Eye World, we recommend combining human vigilance with automated security layers to safeguard sensitive business data. As attacks grow more sophisticated, proactive detection becomes just as important as reactive defense.
