Google’s Threat Intelligence Group has confirmed that a hacking group successfully breached one of its corporate Salesforce databases, leading to the theft of customer information. The incident is part of a wider, sophisticated social engineering campaign that has affected numerous companies by exploiting third-party software platforms.
The Vishing Campaign That Tricked an Employee
The breach was attributed to a threat cluster identified as UNC6040, a financially motivated group specializing in voice phishing, or “vishing,” campaigns. According to Google, the attackers used social engineering tactics to impersonate I.T. support and trick a company employee into granting them access to a Salesforce instance. This method allowed the hackers to bypass security measures and exfiltrate data before access was cut off.
What Was Taken and Who Else Is Affected
The stolen information was described as “basic and largely publicly available business information,” including company names and contact details for Google’s small and medium-sized business customers. Google confirmed that no financial records or passwords were compromised. The company is one of several high-profile victims in a recent series of similar attacks. Other companies affected by this widespread campaign targeting Salesforce environments include Chanel, Pandora, Cisco, and LVMH subsidiaries. These incidents highlight the risk associated with third-party vendors and the interconnectedness of modern corporate systems.
Hacker Tactics Are Evolving
Google’s analysis of the attack revealed that the threat actors have been evolving their methods. While they initially used Salesforce’s Data Loader application to steal data, they have since switched to custom Python scripts and to routing their access through Tor exit IP addresses, which complicates attribution and tracking. Google’s intelligence group tracks the follow-on extortion activity, which sometimes begins months after the initial data theft, as a separate cluster, UNC6240. That group is suspected of contacting victims and threatening to release the stolen data if ransom demands are not met.
Salesforce Maintains Its Platform Is Secure
In response to the series of breaches, Salesforce has stated that its core platform has not been compromised and that the incidents are not due to any known vulnerabilities in its system. Instead, the company asserts that the attacks are a result of customers being manipulated through social engineering. Salesforce has advised its clients to enforce strict security measures, such as enabling multi-factor authentication and auditing connected applications, to protect their data from these types of targeted attacks.
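The advice to audit connected applications can be turned into a routine check. The following is an added example, not code from the article, Google, or Salesforce: it scans constructed Salesforce-style API event records for the pattern the article describes (a connected app outside an approved list, pulling bulk data from a network the organization does not own). The field names mirror Salesforce EventLogFile columns but are assumptions, and all IPs and records are constructed.

```python
import ipaddress

# Constructed sample events (not real log data). Column names are assumed to
# follow the EventLogFile convention; adjust them to match a real export.
SAMPLE_EVENTS = [
    {"USER_NAME": "alice@example.com", "CLIENT_IP": "203.0.113.10",
     "CONNECTED_APP": "Salesforce Data Loader", "API_TYPE": "Bulk", "ROWS_PROCESSED": 250000},
    {"USER_NAME": "bob@example.com", "CLIENT_IP": "198.51.100.77",
     "CONNECTED_APP": "IT Helpdesk Sync Tool", "API_TYPE": "Bulk", "ROWS_PROCESSED": 180000},
    {"USER_NAME": "carol@example.com", "CLIENT_IP": "198.51.100.23",
     "CONNECTED_APP": "Salesforce Data Loader", "API_TYPE": "Bulk", "ROWS_PROCESSED": 300000},
    {"USER_NAME": "alice@example.com", "CLIENT_IP": "203.0.113.44",
     "CONNECTED_APP": "Salesforce Mobile", "API_TYPE": "REST", "ROWS_PROCESSED": 12},
]

# Hypothetical policy values: apps the org has reviewed, its own address space,
# and a row count above which a bulk pull deserves a second look.
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce Mobile"}
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BULK_ROW_THRESHOLD = 100000


def audit_events(events, approved_apps=APPROVED_APPS,
                 corporate_nets=CORPORATE_NETS, threshold=BULK_ROW_THRESHOLD):
    """Return events that combine at least two risk signals.

    A single signal (e.g. a large export through the approved Data Loader from
    the office network) is routine; two or more together match the
    social-engineering-then-exfiltration pattern and warrant review.
    """
    findings = []
    for event in events:
        reasons = []
        if event["CONNECTED_APP"] not in approved_apps:
            reasons.append("connected app not on approved list")
        client_ip = ipaddress.ip_address(event["CLIENT_IP"])
        if not any(client_ip in net for net in corporate_nets):
            reasons.append("client IP outside corporate networks")
        if event["API_TYPE"] == "Bulk" and event["ROWS_PROCESSED"] >= threshold:
            reasons.append("bulk API volume above threshold")
        if len(reasons) >= 2:
            findings.append({"user": event["USER_NAME"], "app": event["CONNECTED_APP"],
                             "ip": event["CLIENT_IP"], "reasons": reasons})
    return findings


def run_audit():
    """Run the audit over the constructed sample and return its findings."""
    return audit_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_audit():
        print(f"{finding['user']} via {finding['app']} from {finding['ip']}: "
              + "; ".join(finding["reasons"]))
```

Pairing this with a review of newly authorized connected apps in Setup gives a defender both the authorization event and the data-movement event that followed it.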