Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victim
In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected


Google has revealed customer data was exposed following a breach of a Salesforce database.
An investigation by the Google Threat Intelligence Group (GTIG) found the database, which is used to store information pertaining to small business customers, was targeted by the ShinyHunters cyber criminal group.
“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said.
“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”
While Google disclosed no details on the scale of the breach, ITPro has approached the company for clarification.
The admission came in the wake of an investigation into the tactics, techniques, and procedures (TTPs) of the ShinyHunters group, also known as UNC6040.
According to Google, the ransomware gang frequently targets enterprise Salesforce databases – not through brute force or by exploiting software flaws, but through social engineering techniques such as phishing or vishing.
“A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal,” the firm explained.
“This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce,” the blog post added.
“During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version.”
Upon gaining access to impacted databases, the threat group is able to access, query, and exfiltrate sensitive information directly from customer environments, the blog post noted.
“This methodology of abusing Data Loader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce in their guidance on protecting Salesforce environments from such threats,” Google said.
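The pattern Google describes above (a user authorizes a Data Loader-branded connected app that is not the approved one, and bulk data retrieval follows shortly afterwards) is something a Salesforce admin can look for in the org's OAuth usage and Bulk API job history. The detector below is an added example written for this article, not code from Google, Salesforce or ITPro. The record shapes, consumer keys, user names and thresholds are constructed assumptions for illustration; a real implementation would read the org's own connected-app and bulk-job data.

```python
"""
Flag connected-app authorizations that match the abuse pattern described in the
article: an unapproved app with Data Loader-like branding, granted broad API
scope, followed by a large export by the same user and app.
Added example, not Google's, Salesforce's or ITPro's code. Record shapes,
keys and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed allowlist: consumer keys of connected apps the org has approved.
# In practice this would come from the org's own connected-app inventory.
APPROVED_CONSUMER_KEYS = {
    "CONSUMER_KEY_OFFICIAL_DATALOADER_PLACEHOLDER": "Data Loader",
}


@dataclass
class AppGrant:
    """One user authorizing one connected app (constructed shape)."""
    user: str
    app_name: str
    consumer_key: str
    granted_at: datetime
    scopes: tuple


@dataclass
class BulkJob:
    """One Bulk API query/export job attributed to a user and app (constructed shape)."""
    user: str
    consumer_key: str
    object_name: str
    records: int
    created_at: datetime


def lookalike_name(app_name: str) -> bool:
    """True if the app's branding mimics Data Loader (case/spacing/punctuation insensitive)."""
    normalized = "".join(ch for ch in app_name.lower() if ch.isalnum())
    return "dataloader" in normalized or "dataloder" in normalized


def flag_suspicious_grants(grants, jobs, window=timedelta(hours=2), bulk_threshold=10_000):
    """Return findings for grants outside the allowlist that show one or more risk signals."""
    findings = []
    for g in grants:
        if g.consumer_key in APPROVED_CONSUMER_KEYS:
            continue  # the sanctioned app; nothing to flag
        reasons = []
        if lookalike_name(g.app_name):
            reasons.append("unapproved app with Data Loader-like branding")
        if "api" in g.scopes or "full" in g.scopes:
            reasons.append("broad API scope granted")
        # Large export by the same user through the same app soon after authorization
        pulled = sum(
            j.records for j in jobs
            if j.consumer_key == g.consumer_key and j.user == g.user
            and g.granted_at <= j.created_at <= g.granted_at + window
        )
        if pulled >= bulk_threshold:
            reasons.append(f"{pulled} records exported within {window} of authorization")
        if reasons:
            findings.append({"user": g.user, "app": g.app_name,
                             "consumer_key": g.consumer_key, "reasons": reasons})
    return findings


# Constructed sample data: one legitimate grant, one lookalike grant with a
# follow-on bulk export, and one unrelated low-scope grant.
T0 = datetime(2025, 8, 5, 10, 0)
SAMPLE_GRANTS = [
    AppGrant("alice@example.com", "Data Loader", "CONSUMER_KEY_OFFICIAL_DATALOADER_PLACEHOLDER",
             T0, ("api", "refresh_token")),
    AppGrant("bob@example.com", "Data-Loader v2", "CONSUMER_KEY_UNKNOWN_VENDOR_PLACEHOLDER",
             T0, ("api", "refresh_token")),
    AppGrant("charlie@example.com", "Slack", "CONSUMER_KEY_SLACK_PLACEHOLDER",
             T0, ("id", "openid")),
]
SAMPLE_JOBS = [
    BulkJob("alice@example.com", "CONSUMER_KEY_OFFICIAL_DATALOADER_PLACEHOLDER", "Contact", 1_200,
            T0 + timedelta(minutes=15)),
    BulkJob("bob@example.com", "CONSUMER_KEY_UNKNOWN_VENDOR_PLACEHOLDER", "Account", 250_000,
            T0 + timedelta(minutes=35)),
]


def demo():
    """Run the detector over the constructed sample; returns the findings list."""
    return flag_suspicious_grants(SAMPLE_GRANTS, SAMPLE_JOBS)


if __name__ == "__main__":
    for f in demo():
        print(f["user"], f["app"], f["reasons"])
```

Only the second grant is flagged, with all three signals; the Slack grant is outside the allowlist but carries no risk signal, so it is not reported. The allowlist is the key control: it is the same "limit access to what is approved" principle the article's closing advice points at, applied to connected apps rather than user accounts.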
Google is the latest to encounter ShinyHunters
The ShinyHunters threat group has been around for some time, having claimed a number of high-profile victims in recent years. In May 2024, the ransomware outfit claimed responsibility for a breach at Santander which affected millions of customers globally.
At the time, the group said it gained access to a tranche of financial data belonging to around 30 million customers, including credit card details, which was listed on its dark web site.
That incident occurred around the same time as a major breach at Ticketmaster which affected over 560 million customers worldwide. Once again, the group listed a 1.3TB database for sale on BreachForums.
Google’s recent investigation into the ransomware group showed it is once again ramping up activities.
“We believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” the company stated in its blog post.
“We continue to monitor this actor and will provide updates as appropriate.”
William Wright, CEO of Closed Door Security, echoed the warning from Google, noting that organisations should take immediate action to shore up Salesforce database protections.
“ShinyHunters has recently executed a huge volume of attacks via Salesforce and it is essential organizations take note of these. The threat actors have also claimed many attacks are still unreported, so we can expect more victims to be announced in coming weeks,” he said.
“In the wake of these attacks, organizations are recommended to take steps to secure their Salesforce databases,” Wright added.
“This can be achieved by teaching employees about this attack trend, ensuring MFA is applied to all employee and enterprise accounts, and limiting employee access to the minimum level of privileges they require.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.