Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victim
In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
Google has revealed customer data was exposed following a breach of a Salesforce database.
An investigation by the Google Threat Intelligence Group (GTIG) found the database, which is used to store information pertaining to small business customers, was targeted by the ShinyHunters cyber criminal group.
“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said.
“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”
While no details on the scale of the breach were disclosed by Google, ITPro has approached the company for clarification.
The admission came in the wake of an investigation into the tactics, techniques, and procedures (TTPs) of the ShinyHunters group, also known as UNC6040.
According to Google, the ransomware gang frequently targets enterprise Salesforce databases – albeit not through brute force or by exploiting software flaws, but by using social engineering techniques such as phishing or vishing.
“A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal,” the firm explained.
“This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce,” the blog post added.
“During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version.”
Upon gaining access to impacted databases, the threat group is able to access, query, and exfiltrate sensitive information directly from customer environments, the blog post noted.
“This methodology of abusing Data Loader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce in their guidance on protecting Salesforce environments from such threats,” Google said.
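The pattern Google describes above (an unapproved connected app, often with Data Loader-like branding, authorized by a user and then used to pull large volumes of records) lends itself to a simple detection rule. The following is an added example, not code from Google, Salesforce or ITPro; it runs over constructed sample events in a simplified CSV layout that is an assumption for this example and is not Salesforce's real event log schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of connected-app authorization and API-usage events in a
# simplified CSV layout (assumed for this example; not a real Salesforce schema).
# Columns: timestamp, user, event, app_name, query_rows.
SAMPLE_EVENTS = """\
timestamp,user,event,app_name,query_rows
2025-08-05T09:00:00,alice@example.com,app_authorized,Data Loader,0
2025-08-05T09:05:00,alice@example.com,bulk_query,Data Loader,1200
2025-08-05T10:12:00,bob@example.com,app_authorized,My Ticket Portal,0
2025-08-05T10:14:00,bob@example.com,bulk_query,My Ticket Portal,250000
2025-08-05T11:00:00,carol@example.com,app_authorized,DataLoader Pro,0
2025-08-05T11:03:00,carol@example.com,bulk_query,DataLoader Pro,90000
"""

# Connected apps the organization has explicitly approved; anything else is unknown.
APPROVED_APPS = {"Data Loader"}
EXFIL_ROW_THRESHOLD = 50_000          # rows pulled shortly after approval
WINDOW = timedelta(minutes=30)        # "shortly after" for this example


def _looks_like_data_loader(name: str) -> bool:
    """Flag lookalike branding: mentions Data Loader but is not the approved name."""
    squashed = name.lower().replace(" ", "")
    return "dataloader" in squashed and name not in APPROVED_APPS


def find_suspicious_apps(csv_text: str) -> list[dict]:
    """Return findings for connected apps that are unapproved and pull a large
    volume of rows within WINDOW of the user authorizing them."""
    authorized = {}   # (user, app_name) -> time the user approved the app
    findings = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(r["timestamp"])
        key = (r["user"], r["app_name"])
        if r["event"] == "app_authorized":
            authorized[key] = ts
        elif r["event"] == "bulk_query" and key in authorized:
            pulled = int(r["query_rows"])
            recent = ts - authorized[key] <= WINDOW
            if r["app_name"] not in APPROVED_APPS and recent and pulled >= EXFIL_ROW_THRESHOLD:
                findings.append({"user": r["user"], "app": r["app_name"], "rows": pulled,
                                 "lookalike_branding": _looks_like_data_loader(r["app_name"])})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_apps(SAMPLE_EVENTS):
        print(f)
```

In the sample, the legitimate Data Loader session is ignored while both unapproved apps are flagged, and the lookalike flag separates the renamed Data Loader from a merely unknown app, which is the triage distinction Google's description suggests.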
Google is the latest to encounter ShinyHunters
The ShinyHunters threat group has been around for some time, having claimed a number of high-profile victims in recent years. In May 2024, the ransomware outfit claimed responsibility for a breach at Santander which affected millions of customers globally.
At the time, the group said it gained access to a tranche of financial data belonging to around 30 million customers, including credit card details, which was listed on its dark web site.
That incident occurred around the same time as a major breach at Ticketmaster which affected over 560 million customers worldwide. Once again, the group listed a 1.3TB database for sale on BreachForums.
Google’s recent investigation into the ransomware group showed it is once again ramping up activities.
“We believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” the company stated in its blog post.
“We continue to monitor this actor and will provide updates as appropriate.”
William Wright, CEO of Closed Door Security, echoed the warning from Google, noting that organizations should take immediate action to shore up Salesforce database protections.
“ShinyHunters has recently executed a huge volume of attacks via Salesforce and it is essential organizations take note of these. The threat actors have also claimed many attacks are still unreported, so we can expect more victims to be announced in coming weeks,” he said.
“In the wake of these attacks, organizations are recommended to take steps to secure their Salesforce databases,” Wright added.
“This can be achieved by teaching employees about this attack trend, ensuring MFA is applied to all employee and enterprise accounts, and limiting employee access to the minimum level of privileges they require.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.