
Google confirms ShinyHunters breach, business contact data taken from Salesforce system

Google has confirmed a security breach in June that exposed data from a corporate Salesforce database used to manage business contacts. The attack is linked to the ShinyHunters group, also tracked as UNC6040. Google says the incident did not touch core systems or consumer accounts, but it did involve names and business contact details that could fuel follow-on phishing attempts.

Investigators say the attackers relied on voice phishing, also called vishing. Posing as internal IT staff, they convinced an employee to install or approve a tampered version of Salesforce Data Loader, which granted access to the CRM instance. Google had been tracking the broader campaign before confirming it was also affected.

Access was cut once the intrusion was detected. Google has not disclosed how many records were taken and has not reported any ransom demands. The company reiterated that the stolen information consisted largely of basic business details, not payment data or personal consumer information.

The breach is part of a wider wave of Salesforce-focused data thefts attributed to ShinyHunters, which has targeted multiple global brands this year. Security analysts warn that the group blends simple social engineering with disciplined operations, and that copycat campaigns are likely.

What businesses should do now

  • Enforce phishing-resistant multi-factor authentication for CRM access.

  • Lock down OAuth and third-party app approvals, and restrict use of Data Loader to managed devices.

  • Monitor for unusual Salesforce exports and API activity, and apply least privilege to user roles.

  • Train staff to verify IT requests through known channels, never through inbound calls.
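
One way to act on the export-monitoring and app-approval items above, as an added example that is not part of the original article and is not Google or Salesforce code. The event fields, app names, allowlist and row limit are all assumptions; real records would come from your own CRM audit or event logs.

```python
from collections import defaultdict

# Assumption: connected apps the organisation has explicitly approved.
APPROVED_APPS = {"Data Loader (managed)", "Marketing Sync"}
# Assumption: rows one user may export per day before a human reviews it.
DAILY_ROW_LIMIT = 50_000

# Constructed sample export events. Field names are hypothetical,
# not a real Salesforce log schema.
SAMPLE_EVENTS = [
    {"day": "2025-01-15", "user": "a.lee", "app": "Marketing Sync",
     "managed_device": True, "rows": 1_200},
    {"day": "2025-01-15", "user": "b.khan", "app": "Data Loader (managed)",
     "managed_device": True, "rows": 30_000},
    {"day": "2025-01-15", "user": "b.khan", "app": "Data Loader (managed)",
     "managed_device": True, "rows": 30_000},
    {"day": "2025-01-15", "user": "c.ortiz", "app": "DataLoader-Helper",
     "managed_device": False, "rows": 8_000},
]


def review_exports(events, approved=APPROVED_APPS, limit=DAILY_ROW_LIMIT):
    """Return sorted (day, user, reason) findings for an analyst to triage."""
    findings = set()
    totals = defaultdict(int)
    for e in events:
        key = (e["day"], e["user"])
        totals[key] += e["rows"]
        # An app outside the allowlist is worth a look at any volume:
        # a look-alike tool can export slowly to stay under thresholds.
        if e["app"] not in approved:
            findings.add((*key, f"unapproved app: {e['app']}"))
        if not e["managed_device"]:
            findings.add((*key, "export from unmanaged device"))
    # Volume is judged per user per day, so split exports still add up.
    for (day, user), rows in totals.items():
        if rows > limit:
            findings.add((day, user, f"daily export volume {rows} rows exceeds {limit}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_exports(SAMPLE_EVENTS):
        print(finding)
```
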

Google says it will continue to harden controls and coordinate with partners as the investigation progresses.
