Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victim
In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
Google has revealed customer data was exposed following a breach of a Salesforce database.
An investigation by the Google Threat Intelligence Group (GTIG) found the database, which is used to store contact information for small and medium-sized business customers, was targeted by the ShinyHunters cyber criminal group.
“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said.
“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”
Google disclosed no details on the scale of the breach; ITPro has approached the company for clarification.
The admission came in the wake of an investigation into the tactics, techniques, and procedures (TTPs) of the ShinyHunters group, also known as UNC6040.
According to Google, the extortion group frequently targets enterprise Salesforce environments, not by brute force or by exploiting software flaws, but through social engineering such as phishing and voice phishing (vishing).
“A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal,” the firm explained.
“This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce,” the blog post added.
“During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version.”
Once the malicious app has been authorized, the group can query and exfiltrate sensitive information directly from the victim's Salesforce environment, the blog post noted.
“This methodology of abusing Data Loader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce in their guidance on protecting Salesforce environments from such threats,” Google said.
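The technique described above leaves a trail: a connected app that has been authorized with Data Loader-style branding shows up in the org's login records under a name the legitimate tool does not use. The following detection sketch is an added example, not code from Google's report or from Salesforce. It runs over a constructed set of rows shaped like the Salesforce LoginHistory object and flags (1) applications whose name evokes Data Loader but is not an exact match for an allowlisted legitimate name, and (2) OAuth logins from an app a user has never used before. The allowlisted names, the per-user baseline, the SOQL query in the comment, and the sample rows are all assumptions to be checked against your own org.

```python
"""Flag look-alike Data Loader connected apps in Salesforce login records.

Added example (not Google's or Salesforce's code). Field names follow the
Salesforce LoginHistory object; everything else here is assumed or constructed.
"""
import re
from collections import defaultdict

# Assumed allowlist: names the legitimate Data Loader presents in
# LoginHistory.Application. Verify against your own org's history before
# relying on them; only an exact match is treated as expected.
KNOWN_LOADER_APPS = frozenset({"Dataloader Partner", "Dataloader Bulk"})

# Constructed sample rows, shaped like the result of an assumed SOQL pull:
#   SELECT UserId, LoginTime, Application, LoginType, Status, SourceIp
#   FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:7
# User IDs are invented; IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOGINS = [
    {"UserId": "005A", "LoginTime": "2025-08-01T09:02:11Z", "Application": "Browser",
     "LoginType": "Application", "Status": "Success", "SourceIp": "203.0.113.10"},
    {"UserId": "005A", "LoginTime": "2025-08-01T09:40:03Z", "Application": "Dataloader Partner",
     "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "203.0.113.10"},
    {"UserId": "005B", "LoginTime": "2025-08-01T13:15:27Z", "Application": "My Ticket Portal",
     "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "198.51.100.7"},
    {"UserId": "005B", "LoginTime": "2025-08-01T13:16:02Z", "Application": "Data Loader 2.0",
     "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "198.51.100.7"},
    {"UserId": "005C", "LoginTime": "2025-08-01T14:00:00Z", "Application": "DataL0ader",
     "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "192.0.2.44"},
]

# Assumed per-user baseline: OAuth apps each user had used before the review window.
BASELINE = {"005A": {"Dataloader Partner"}, "005B": set(), "005C": set()}

_LOADER = re.compile(r"data.?loader")


def _normalize(app_name):
    """Lower-case, drop punctuation and whitespace, and fold the digit zero to
    the letter o, so 'Data L0ader 2.0' and 'DataLoader' compare the same way."""
    return re.sub(r"[^a-z0-9]", "", app_name.lower()).replace("0", "o")


def is_lookalike(app_name, known_apps=KNOWN_LOADER_APPS):
    """True when the name evokes Data Loader but is not an exact allowlisted name."""
    return app_name not in known_apps and bool(_LOADER.search(_normalize(app_name)))


def flag_logins(rows, known_apps=KNOWN_LOADER_APPS, baseline=None):
    """Return [(row, reason)] for successful logins worth a triage ticket.

    Rule 1: application name resembles Data Loader but is not allowlisted.
    Rule 2: an OAuth login ("Remote Access 2.0") via an app this user has not
            used before, judged against the supplied baseline plus earlier rows.
    """
    seen = defaultdict(set, {user: set(apps) for user, apps in (baseline or {}).items()})
    flagged = []
    for row in rows:
        if row["Status"] != "Success":
            continue
        app, user = row["Application"], row["UserId"]
        if is_lookalike(app, known_apps):
            flagged.append((row, "look-alike Data Loader app: %r" % app))
        elif row["LoginType"] == "Remote Access 2.0" and app not in seen[user]:
            flagged.append((row, "first OAuth login via new app: %r" % app))
        seen[user].add(app)
    return flagged


if __name__ == "__main__":
    for row, reason in flag_logins(SAMPLE_LOGINS, baseline=BASELINE):
        print(row["LoginTime"], row["UserId"], row["SourceIp"], reason)
```

Rule 2 deliberately fires on any unfamiliar OAuth app, not only loader look-alikes, because the actor chooses the branding; the allowlist only catches names you have already seen. Feed it a real baseline (the previous 90 days of LoginHistory, for instance) or it will flag every OAuth login on the first run.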
Google is the latest to encounter ShinyHunters
The ShinyHunters threat group has been around for some time, having claimed a number of high-profile victims in recent years. In May 2024, the group claimed responsibility for a breach at Santander which affected millions of customers globally.
At the time, the group said it gained access to a tranche of financial data belonging to around 30 million customers, including credit card details, which was listed on its dark web site.
That incident occurred around the same time as a major breach at Ticketmaster which affected over 560 million customers worldwide. Once again, the group listed a 1.3TB database for sale on BreachForums.
Google’s recent investigation into the group showed it is once again ramping up activities.
“We believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” the company stated in its blog post.
“We continue to monitor this actor and will provide updates as appropriate.”
William Wright, CEO of Closed Door Security, echoed the warning from Google, noting that organizations should take immediate action to shore up Salesforce database protections.
“ShinyHunters has recently executed a huge volume of attacks via Salesforce and it is essential organizations take note of these. The threat actors have also claimed many attacks are still unreported, so we can expect more victims to be announced in coming weeks," he said.
“In the wake of these attacks, organizations are recommended to take steps to secure their Salesforce databases,” Wright added.
“This can be achieved by teaching employees about this attack trend, ensuring MFA is applied to all employee and enterprise accounts, and limiting employee access to the minimum level of privileges they require.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.