Google revealed that it’s the latest major company victim in a series of data breaches involving the exploitation of Salesforce CRM users. ShinyHunter, the threat actor, used social engineering tactics to impersonate IT support staff in phone calls to employees of target businesses.

As of now, Google is referring to the perpetrators as “UNC6040” or “UNC6240.” However, BleepingComputer’s own investigation revealed the identity of the attackers to be ShinyHunters, which has also targeted Qantas, Allianz Life, LVMH, and Adidas with the same Salesforce vulnerability.

ShinyHunters themselves claimed to have successfully breached a “trillion dollar” company, but would not confirm if it was Google. The true scale of the breach is not yet known, as it is an ongoing and dynamic situation. However, ShinyHunters is well-known for typically extorting businesses to pay a ransom for their stolen data or auctioning it off on the dark web.

Attackers used vishing and phishing to trick Salesforce users into granting OAuth access to a maliciously cloned version of Salesforce’s Data Loader app. By impersonating IT staff, they directed victims to Salesforce’s connected app setup page and had them enter a “connection code,” linking the rogue app to the company’s CRM instance.

In some cases, the tool was renamed (e.g., “My Ticket Portal”) to appear legitimate. Once connected, the attackers could query and export Salesforce data objects like “Accounts” and “Contacts,” bypassing normal login controls and MFA, and then use the stolen data for extortion.

Google stated that the affected instance was used to “store contact information and related notes for small and medium businesses.” However, it provided some assurance, stating that its analysis revealed the data was only “retrieved by the threat actor during a small window of time before the access was cut off” and that it was “confined to basic and largely publicly available business information, such as business names and contact details.”

ShinyHunters is a notorious hacking group that has been one of the most active in recent years. They were implicated in a 2024 Ticketmaster hack involving 1.3TB of data of over 560 million customers — one of the largest leaks in history. Earlier in the same year, they were found trying to sell 70 million customer records stolen from AT&T.