Date: 2025-08-08

Google said a corporate Salesforce database used for small and medium business outreach was briefly accessed by criminals in June, with attackers stealing basic business contact information before access was cut off.

The company attributed the intrusion to a financially motivated group it tracks as UNC6040—widely associated with ShinyHunters—following an investigation by Google’s Threat Intelligence Group.

According to Google’s account, the data taken was confined to largely public business details such as company names, contacts, and related notes, and the breach was contained after a short window of unauthorized access.

Google did not specify how many customers were affected or whether any ransom demand was received, though it warned that the threat group often pursues extortion following data theft.

Investigators say the campaign relies on voice‑phishing tactics to impersonate IT support and trick employees into granting application access to Salesforce environments, an approach that has evolved from abusing Salesforce’s Data Loader tool to custom scripts that automate exfiltration via VPN or TOR infrastructure.

Google previously highlighted a broader wave of Salesforce‑targeting intrusions and cautioned that actors using the ShinyHunters brand may launch a data‑leak site to escalate pressure on victims.

The incident places Google among a growing list of organizations hit by Salesforce‑focused attacks this summer, with security reporters noting similar compromises at other large enterprises.

While Google emphasized that the exposed records were basic business contacts rather than consumer credentials, it said mitigations were implemented after an impact assessment and it continues to monitor for extortion or leak activity tied to the campaign.