Google has confirmed that a corporate Salesforce database it used to manage small and medium business (SMB) contacts was compromised by a known cybercriminal group. The attackers, identified as ShinyHunters, tracked internally by Google as UNC6040, gained unauthorized access to the database in June 2025.
In a blog post released Tuesday by Google’s Threat Intelligence Group (GTIG), the company stated that attackers were able to retrieve “basic and largely publicly available business information, such as business names and contact details,” before the breach was contained. The data was stored within one of Google’s internal Salesforce instances used for managing SMB engagement.
Attack Method: Voice Phishing and Data Loader Abuse
The breach did not stem from a technical vulnerability in the Salesforce platform but was enabled by voice phishing (vishing) tactics. The attackers impersonated IT personnel and called employees, persuading them to authorize a malicious connected application in their organization’s Salesforce environment.
The malicious app, often a modified version of Salesforce’s official Data Loader tool, allowed the attackers to exfiltrate data. In several cases, the attackers disguised the application under misleading names like “My Ticket Portal” to align with the vishing pretext.
Once access was granted, the attackers used custom Python scripts, replacing earlier reliance on the official Data Loader, to automate the data collection process. These scripts mimicked legitimate Salesforce data tools and operated through TOR or VPN services such as Mullvad, making attribution more difficult.
UNC6040 and the Emergence of UNC6240
GTIG identified the actors behind this campaign as UNC6040, a financially motivated group focused on compromising Salesforce environments through social engineering. After the initial data theft, another threat cluster, UNC6240, has been observed initiating extortion attempts targeting affected organizations. These extortion efforts typically begin weeks or months after the original breach.
Emails and calls from UNC6240 demand Bitcoin payments within 72 hours and threaten public disclosure of stolen data. These messages often claim affiliation with ShinyHunters, a name already linked to multiple high-profile data breaches over the past few years.
GTIG listed known extortion email addresses used by the group:
- shinycorp@tuta[.]com
- shinygroup@tuta[.]com
Additionally, evidence suggests the attackers are preparing a data leak site (DLS) to publish stolen information, a tactic commonly used by ransomware groups to pressure victims into paying.
Infrastructure and Tactics
The attackers used infrastructure that included phishing panels designed to mimic Okta login pages, which were used during the vishing calls. These panels targeted users’ credentials and multi-factor authentication (MFA) codes in real time.
There was also evidence of the attackers using compromised third-party accounts, not trial Salesforce accounts, to register their malicious applications, indicating an evolution in tactics and a higher level of operational security.
GTIG noted that the group appears to prioritize English-speaking employees at multinational companies and often targets IT staff, leveraging their elevated access levels.
In some cases, only partial data was extracted before detection. One actor retrieved only about 10% of the targeted records using small data chunks, while in other incidents, the attackers increased extraction volumes after conducting test queries.
Conclusion
This breach highlights a growing trend of attacks on cloud-based Salesforce systems, with threat groups such as ShinyHunters employing voice-based social engineering and delayed extortion tactics. GTIG has observed links between these actors and broader collectives like The Com, known for phishing and hacking.
The abuse of Salesforce integrations, particularly connected apps and OAuth tokens, demonstrates that technical defenses are insufficient without user vigilance. Organizations should tighten access controls, enhance MFA, and train staff to resist social engineering, while preparing for long-term risks even after initial breaches appear limited.
