Hackers Exploit Salesforce in Phishing SCAM!

Google confirmed a data breach involving its Salesforce system after a voice phishing attack enabled unauthorized access to business contact records.

At a Glance

  • Google’s Salesforce instance was breached via a vishing attack in June 2025
  • Threat group UNC6040 (ShinyHunters) accessed low-sensitivity contact data
  • Attackers mimicked Salesforce’s Data Loader to gain app authorization
  • Multiple companies, including Qantas and LVMH, were targeted in related hacks
  • Google warns of potential extortion through future data leak threats

Breach Mechanics and Initial Access

Google’s Threat Intelligence Group identified the breach as the result of a voice phishing (vishing) operation, where attackers posed as IT personnel to manipulate employees into approving a malicious connected app. The app mimicked Salesforce’s Data Loader utility and was deceptively labeled “My Ticket Portal” to appear legitimate. Once authorized, it allowed unauthorized extraction of business contact information from a Salesforce CRM instance.


The compromised data consisted primarily of names, email addresses, and phone numbers—none of it classified as sensitive or confidential. Google stated that the breach did not impact customer systems or involve Google Cloud infrastructure. Access was swiftly revoked after the intrusion was detected.

Attribution and Extortion Risks

The threat group responsible, tracked as UNC6040 and publicly associated with ShinyHunters, has a known pattern of exfiltrating CRM data through OAuth app abuse followed by delayed extortion efforts. Google emphasized that while no ransom demand has yet occurred, it expects attempts to pressure affected organizations through potential exposure on data leak sites.

Other companies—including Allianz Life, LVMH, Qantas, Pandora, and Chanel—have reported similar Salesforce-targeted breaches. These incidents appear to be part of a broader phishing and extortion campaign using CRM system access as the main vector.

Salesforce Platform as Common Vector

Security analysts note that the attacks did not exploit software vulnerabilities, but instead abused misconfigured user permissions and social engineering to install unauthorized connected apps. This technique circumvents traditional endpoint protection and highlights the security risks tied to cloud-based CRM platforms with expansive third-party app integrations.

Salesforce customers have been urged to audit connected apps, restrict admin-level privileges, and apply IP-based login controls. The breach has also renewed calls for mandatory multi-factor authentication and real-time app authorization alerts.

Strategic Response and Industry Guidance

Google and Salesforce jointly released defensive recommendations for enterprise CRM administrators, including whitelisting approved apps, disabling unused tools like Data Loader, and using Salesforce Shield monitoring to flag anomalous activity. Additionally, employee training remains critical to preventing vishing success.
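The audit and monitoring advice above (auditing connected apps, allowlisting approved ones, flagging anomalous activity) can be turned into a simple detection pass over connected-app events. The example below is added here and is not code from Google, Salesforce, or the article's sources; it works on a constructed, simplified CSV shape rather than real Salesforce EventLogFile output, and the allowlist, app names, and threshold are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (simplified, not real Salesforce EventLogFile format).
# Columns: event type, timestamp, acting user, connected app name, rows read.
# The first actor mirrors the reported pattern: a freshly authorized app with a
# helpdesk-sounding name, followed by large bulk reads of contact records.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER,APP_NAME,ROWS
AppAuth,2025-06-10T14:02:11Z,jdoe@example.com,My Ticket Portal,0
BulkApi,2025-06-10T14:05:40Z,jdoe@example.com,My Ticket Portal,180000
BulkApi,2025-06-10T14:09:03Z,jdoe@example.com,My Ticket Portal,220000
BulkApi,2025-06-10T09:00:00Z,etl-svc@example.com,Dataloader Partner,50000
AppAuth,2025-06-10T15:00:00Z,asmith@example.com,Slack,0
"""

# Hypothetical allowlist of approved connected apps for this org.
APPROVED_APPS = {"Dataloader Partner", "Slack"}
# Rows an approved app may export per user before it is worth a look.
EXPORT_THRESHOLD = 100_000


def audit_events(log_text, approved=APPROVED_APPS, threshold=EXPORT_THRESHOLD):
    """Return (severity, message) findings for unapproved app authorizations
    and for bulk exports that are either unapproved or unusually large."""
    findings = []
    rows_by_actor = defaultdict(int)
    for rec in csv.DictReader(io.StringIO(log_text)):
        app, user = rec["APP_NAME"], rec["USER"]
        if rec["EVENT_TYPE"] == "AppAuth" and app not in approved:
            findings.append(("high", f"{user} authorized unapproved app "
                                     f"'{app}' at {rec['TIMESTAMP']}"))
        elif rec["EVENT_TYPE"] == "BulkApi":
            rows_by_actor[(user, app)] += int(rec["ROWS"])
    for (user, app), total in rows_by_actor.items():
        if app not in approved:
            findings.append(("critical", f"unapproved app '{app}' exported "
                                         f"{total} rows for {user}"))
        elif total > threshold:
            findings.append(("medium", f"approved app '{app}' exported {total} "
                                       f"rows for {user} (over {threshold})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_events(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

In a real deployment the same logic would read Event Monitoring exports and compare against the org's actual connected-app inventory rather than a hard-coded set.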

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has echoed these recommendations, warning that enterprise software platforms remain high-value targets for phishing-centric threat groups due to their broad data access and low exploitation threshold.

Sources

TechCrunch

Bleeping Computer

The Hacker News
