Google Verifies Salesforce Data Breach Caused by ShinyHunters Through Vishing Scam

In a significant security incident, Google has acknowledged that one of its internal databases was compromised by the notorious cybercriminal group known as ShinyHunters (also identified as UNC6040). The Google Threat Intelligence Group (GTIG) reported that the unauthorized access to its Salesforce database occurred in June and involved the exposure of sensitive data belonging to its small and medium-sized business clients.

The company assured stakeholders that the breach was swiftly contained, noting that the hackers had access for only a “short window of time.” The compromised data, described as “basic and largely publicly available,” included business names, contact information, and related notes. While Google did not disclose the full extent of the breach, it underscores an escalating security threat that can affect organizations of all sizes, including major tech firms.

Social Engineering Over Technical Exploits

This incident did not result from traditional hacking methods exploiting software vulnerabilities; instead, it was executed through a sophisticated social engineering tactic. The attackers employed a technique known as vishing (voice phishing) to impersonate a company’s IT support during a phone call.

In this call, they deceived a Google employee into approving a malicious application that masqueraded as the legitimate Salesforce Data Loader. This rogue application provided the hackers with the means to access the database, facilitating data theft.
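The weak point in the flow above is that the employee approved an app on the strength of its display name. A defender can audit for exactly that pattern: a connected-app approval whose name imitates a trusted tool (here "Data Loader") but whose consumer key is not on the organisation's allowlist, followed by bulk exports through that same app. The script below is an added example written for this article, not Google's tooling or Salesforce's real audit schema; the event format, field names, consumer keys and sample events are all constructed for illustration.

```python
"""Detection example: flag OAuth connected-app approvals whose name mimics a
known tool ("Data Loader") but whose consumer key is unrecognised, then
correlate them with bulk exports that follow. All events, field names and
consumer keys are constructed for illustration; this is not Salesforce's
real event schema or any real organisation's data."""
from datetime import datetime, timedelta

# Hypothetical allowlist: consumer keys of apps the organisation has vetted.
APPROVED_CONSUMER_KEYS = {"3MVG9_APPROVED_LOADER", "3MVG9_SLACK"}

# Normalised names an attacker-controlled app would plausibly imitate.
IMITATED_TOOL_NAMES = {"dataloader"}

# Constructed sample audit events (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:12:00Z", "type": "OAUTH_APP_AUTHORIZED",
     "user": "alice@example.com", "app_name": "Salesforce Data Loader",
     "consumer_key": "3MVG9_APPROVED_LOADER"},
    {"ts": "2025-06-11T14:03:00Z", "type": "OAUTH_APP_AUTHORIZED",
     "user": "bob@example.com", "app_name": "Data Loader (Salesforce)",
     "consumer_key": "3MVG9_UNKNOWN_APP_X"},
    {"ts": "2025-06-11T14:20:00Z", "type": "BULK_API_QUERY",
     "user": "bob@example.com", "consumer_key": "3MVG9_UNKNOWN_APP_X",
     "object": "Account", "rows": 48000},
    {"ts": "2025-06-11T14:41:00Z", "type": "BULK_API_QUERY",
     "user": "bob@example.com", "consumer_key": "3MVG9_UNKNOWN_APP_X",
     "object": "Contact", "rows": 120000},
    {"ts": "2025-06-11T16:00:00Z", "type": "OAUTH_APP_AUTHORIZED",
     "user": "carol@example.com", "app_name": "Slack",
     "consumer_key": "3MVG9_SLACK"},
    {"ts": "2025-06-12T08:00:00Z", "type": "BULK_API_QUERY",
     "user": "alice@example.com", "consumer_key": "3MVG9_APPROVED_LOADER",
     "object": "Lead", "rows": 500},
]


def normalize_app_name(name):
    """Lower-case and keep only letters/digits, so 'Data-Loader (Salesforce)'
    and 'data loader' compare equal despite cosmetic variation."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_lookalike_apps(events, approved_keys):
    """Return approval events whose app name imitates a trusted tool but whose
    consumer key is not on the allowlist. The name is attacker-controlled,
    so trust is decided on the key, never on the name."""
    hits = []
    for ev in events:
        if ev["type"] != "OAUTH_APP_AUTHORIZED":
            continue
        norm = normalize_app_name(ev["app_name"])
        looks_like_tool = any(tool in norm for tool in IMITATED_TOOL_NAMES)
        if looks_like_tool and ev["consumer_key"] not in approved_keys:
            hits.append(ev)
    return hits


def build_report(events, approved_keys, window_hours=24):
    """For each look-alike approval, count the bulk exports made through the
    same consumer key within window_hours after the approval."""
    report = []
    for auth in find_lookalike_apps(events, approved_keys):
        start = parse_ts(auth["ts"])
        end = start + timedelta(hours=window_hours)
        exports = [
            ev for ev in events
            if ev["type"] == "BULK_API_QUERY"
            and ev["consumer_key"] == auth["consumer_key"]
            and start <= parse_ts(ev["ts"]) <= end
        ]
        report.append({
            "user": auth["user"],
            "app_name": auth["app_name"],
            "consumer_key": auth["consumer_key"],
            "authorized_at": auth["ts"],
            "exports": len(exports),
            "rows_exported": sum(ev["rows"] for ev in exports),
        })
    return report


if __name__ == "__main__":
    for finding in build_report(SAMPLE_EVENTS, APPROVED_CONSUMER_KEYS):
        print(f"{finding['user']} approved '{finding['app_name']}' "
              f"(key {finding['consumer_key']}) at {finding['authorized_at']}; "
              f"{finding['exports']} bulk exports, "
              f"{finding['rows_exported']} rows within 24h")
```

On the sample data this reports one finding: bob's approval of "Data Loader (Salesforce)" under an unlisted key, followed by two bulk exports totalling 168,000 rows. Alice's use of the genuinely allowlisted loader is not flagged, which is the point of keying trust to the consumer key rather than the display name. In a real deployment the same logic would run over the platform's connected-app and API audit exports, and the allowlist would be enforced up front by requiring administrator approval before any new connected app can be authorised at all.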

Attack Flow Illustration (Source: Google)

According to research from the Google Threat Intelligence Group, the UNC6040 group is primarily responsible for the breaches, while another group, UNC6240, specializes in extortion tactics demanding Bitcoin payments within constrained timeframes. Furthermore, Google has indicated that these attackers may be enhancing their operational tools with potential plans to establish a Data Leak Site (DLS) to apply further pressure on their victims.

“The revelation that Google has fallen victim to a data breach during this recent wave of ShinyHunters attacks signals that no organization is immune to the threat of cybercrime,” stated William Wright, CEO of Closed Door Security. “Regardless of whether you are a small enterprise or a leading technology company, the vulnerability remains,” he emphasized, advocating for robust employee training and the implementation of multi-factor authentication as essential measures for mitigating such attacks at their initial stages.

An Expanding Threat Landscape

This breach aligns with a broader trend of attacks orchestrated by the ShinyHunters group. Over the past year, reports indicate that this group has been implicated in several high-profile cyber incidents, including a substantial breach at Santander bank in May 2024 and another affecting over 560 million customers globally at Ticketmaster.

The threat from ShinyHunters persists, as the luxury fashion brand Chanel recently disclosed a data breach in July, which impacted some US customers through a third-party Salesforce database. Google’s report serves as a stark reminder that this group may be escalating its activities, potentially launching a DLS to further exert pressure on victims.

In light of this attack, Google affirmed its commitment to securing its systems and promptly notifying affected clients. The company urges other organizations to bolster their defenses through enhanced employee education, multi-factor authentication, and stricter access controls. These measures are crucial for mitigating the risks associated with social engineering and protecting sensitive data.
