Google has confirmed a recent data breach carried out by the ShinyHunters hacking group, targeting one of its internal Salesforce databases.
The breach exposed contact details and notes tied to small and medium-sized businesses using Google services.
This wasn’t your typical software vulnerability. Instead, hackers used a phone-based vishing scam, posing as IT support to convince a Google employee to install a fake Salesforce Data Loader app. That app quietly pulled data from the internal system before access was cut off.
Google says the attackers only had access for a short time, and the stolen data was limited to business contact information that’s mostly public.
Figure: The Attack Path (Source: Google Cloud)
Voice Phishing is on the Rise
The group behind the intrusion, known as UNC6040, has used voice phishing tactics repeatedly. Their process involves impersonating IT staff, tricking employees during phone calls, and guiding them to approve a connected app that enables unauthorized access to Salesforce environments.
Once inside, they extract business data and hand it off to a partner group, UNC6240, which handles the extortion. Victims often receive follow-up emails demanding Bitcoin within 72 hours. There’s also growing concern that the group may launch a public data leak site to ramp up pressure on targets.
These tactics aren’t new, but they’re proving to be effective, especially against organizations that aren’t training staff to spot social engineering attempts.
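One way to check for the pattern described above, where an employee approves a connected app that imitates a trusted tool and data is then pulled through it. This is an added example, not code from Google, Salesforce or the original article; the event fields, app names and client IDs are constructed and would need mapping to your own audit export.

```python
"""Flag connected-app approvals that are off the allowlist, and exports that follow.
Every field name, app name and ID here is constructed for illustration."""
import re
from datetime import datetime, timedelta

# Approved connected apps keyed by client ID (constructed values).
APPROVED = {"client-0001": "Data Loader", "client-0002": "Marketing Sync"}

# Constructed sample audit events, not taken from any real system.
EVENTS = [
    {"time": "2025-06-02T09:00:00", "type": "app_authorized", "user": "alice",
     "app": "Data Loader", "client_id": "client-0001"},
    {"time": "2025-06-02T14:05:00", "type": "app_authorized", "user": "bob",
     "app": "Data-Loader Support", "client_id": "client-9999"},
    {"time": "2025-06-02T14:20:00", "type": "bulk_export", "user": "bob",
     "client_id": "client-9999", "rows": 48000},
    {"time": "2025-06-03T10:00:00", "type": "bulk_export", "user": "alice",
     "client_id": "client-0001", "rows": 1200},
]

def _norm(name):
    """Lowercase and strip punctuation so 'Data-Loader' matches 'Data Loader'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def lookalike_of(app_name):
    """Return the approved app name that app_name contains, or None."""
    n = _norm(app_name)
    for approved in APPROVED.values():
        if _norm(approved) in n:
            return approved
    return None

def find_alerts(events, window=timedelta(hours=1)):
    """Return alert tuples: (kind, user, client_id, detail)."""
    alerts, first_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, cid = datetime.fromisoformat(ev["time"]), ev["client_id"]
        if cid in APPROVED:
            continue  # known client ID: the allowlist is keyed on ID, not name
        if ev["type"] == "app_authorized":
            first_seen[cid] = ts
            mimic = lookalike_of(ev["app"])
            detail = f"imitates approved app '{mimic}'" if mimic else "not on allowlist"
            alerts.append(("unapproved_app", ev["user"], cid, detail))
        elif ev["type"] == "bulk_export" and ts - first_seen.get(cid, datetime.min) <= window:
            alerts.append(("export_after_unapproved_auth", ev["user"], cid, f"{ev['rows']} rows"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```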
A Bigger Problem in Motion
The Google breach is just one of many recent attacks. ShinyHunters has also been tied to high-profile incidents at Ticketmaster, Chanel, Adidas, Louis Vuitton, and other organizations. All of these cases involved Salesforce data and similar social engineering methods.
While Google moved quickly to shut down access and notify those affected, this string of attacks shows how valuable basic business data can be when used for scams, extortion, or impersonation.
Final Thoughts
Google’s breach should be a wake-up call for companies of all sizes. This attack didn’t rely on sophisticated code or hidden exploits—it succeeded with a phone call.
Organizations need to train employees on how to spot and shut down these tactics before any data is accessed. If a tech leader like Google can fall victim, small businesses must take threats like these seriously.
For more information on this story, refer to the official article from Google Cloud and the recap from Hackread.