5 Things To Know On Salesforce Data Theft Attacks

The attacks linked to a threat group known as ShinyHunters have now compromised Google in addition to numerous other major companies.

A wave of data-theft attacks against Salesforce CRM customers has now compromised Google in addition to numerous other major companies.

The attacks have been linked to a threat group known as ShinyHunters and have struck high-profile targets in a variety of industries in recent months.

The vishing campaigns have been “specifically designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion,” the Google Threat Intelligence Group said in a post.

In a statement provided to CRN, a Salesforce spokesperson noted that the company “has not been compromised and this issue is not due to any known vulnerability in our platform.”

Customers “play a critical role in keeping their data safe—especially amid a rise in sophisticated phishing and social engineering attacks,” the Salesforce statement said. “We continue to encourage all customers to follow security best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications.”

What follows are five things to know about the recent wave of Salesforce data theft attacks.

Vishing Tactics Utilized

The attackers—which are tracked by Google as UNC6040 and have claimed affiliation with the well-known ShinyHunters group—have frequently utilized voice phishing, or vishing, tactics as part of the recent Salesforce data theft campaign, according to the post from the Google Threat Intelligence Group.

For instance, “during a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version,” the Google researchers wrote. “This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.”

Google Itself Compromised

In an update Tuesday to its post about the Salesforce data theft campaign, Google said that one of its own corporate Salesforce instances “was impacted by similar UNC6040 activity described in this post” in June.

The impacted Salesforce instance has been used for storage of contact information and “related notes” for SMBs, Google said in the update.

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

In its statement provided to CRN, Salesforce said that “Google is a valued customer, and our teams are proactively engaged to support them in any way they need.”

Numerous High-Profile Targets

According to BleepingComputer, the list of impacted businesses includes Adidas, Allianz Life and Australian airline Qantas, as well as subsidiaries of luxury goods holding company LVMH including Louis Vuitton, Dior and Tiffany & Co.

This week, other companies that have reportedly confirmed being impacted in the attacks, in addition to Google, include jewelry company Pandora and luxury fashion brand Chanel.

Cisco disclosed this week that a threat actor was able to access non-sensitive Cisco.com user data stored in a third-party CRM system, in an attack that also involved vishing. The company did not identify the CRM vendor impacted in the attack.

Data Extortion Attempted

Following UNC6040-linked intrusions, Google Threat Intelligence Group said it has tracked data extortion activities that are sometimes launched “several months after the initial data theft.”

“The extortion involves calls or emails to employees of the victim organization demanding payment in bitcoin within 72 hours,” the Google researchers said. “During these communications, UNC6240 has consistently claimed to be the threat group ShinyHunters.”

ShinyHunters has previously been linked to data theft campaigns such as the widespread attacks targeting Snowflake customers in 2024.

BleepingComputer reported Wednesday that at least one impacted company has already made an extortion payment in an attempt to prevent its data from being leaked.

Google Threat Intelligence Group researchers wrote that the Salesforce data theft campaign “underscores the importance of a shared responsibility model for cloud security.”

“While platforms like Salesforce provide robust, enterprise-grade security controls, it’s essential for customers to configure and manage access, permissions and user training according to best practices,” the researchers wrote.

Key actions to explore include implementing a least-privileged approach for data access tools, rigorous management of access to connected applications, enforcement of IP-based access restrictions and universal enforcement of MFA.

Organizations might also explore utilizing advanced security monitoring and policy enforcement available through Salesforce Shield, Google researchers wrote.
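
Two of the points above, the lookalike Data Loader approval Google describes and the recommended controls on connected applications and IP-based access, can be checked against an inventory of connected-app authorizations. The following Python is an added example, not code from Google, Salesforce or CRN; the record fields, app IDs, user names and networks are constructed placeholders and do not represent a Salesforce schema.

```python
import ipaddress
import re
from difflib import SequenceMatcher

# Assumptions (not from the article): the organization keeps an allowlist of
# approved connected-app IDs and a list of trusted egress networks.
APPROVED_APP_IDS = {"APP-ID-APPROVED-DATA-LOADER"}           # placeholder ID
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

# Constructed sample inventory; field names are hypothetical.
SAMPLE = [
    {"user": "alice", "app_name": "Data Loader",
     "app_id": "APP-ID-APPROVED-DATA-LOADER", "source_ip": "203.0.113.10"},
    {"user": "bob", "app_name": "Data-Loader Support Tool",
     "app_id": "APP-ID-UNKNOWN-1", "source_ip": "198.51.100.7"},
    {"user": "carol", "app_name": "DataL0ader",
     "app_id": "APP-ID-UNKNOWN-2", "source_ip": "203.0.113.44"},
    {"user": "dave", "app_name": "Calendar Sync",
     "app_id": "APP-ID-UNKNOWN-3", "source_ip": "203.0.113.5"},
]


def normalize(name):
    """Lower-case the name and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def resembles_data_loader(name, threshold=0.75):
    """True if the name contains, or is a near-miss spelling of, 'dataloader'."""
    n = normalize(name)
    return "dataloader" in n or SequenceMatcher(None, n, "dataloader").ratio() >= threshold


def review(authorizations):
    """Return the authorizations that need review, each with its reasons."""
    findings = []
    for rec in authorizations:
        reasons = []
        if rec["app_id"] not in APPROVED_APP_IDS:
            reasons.append("app not on allowlist")
            if resembles_data_loader(rec["app_name"]):
                reasons.append("name imitates Data Loader")
        addr = ipaddress.ip_address(rec["source_ip"])
        if not any(addr in net for net in TRUSTED_NETWORKS):
            reasons.append("authorized from outside trusted networks")
        if reasons:
            findings.append({"user": rec["user"], "app": rec["app_name"], "reasons": reasons})
    return findings
```

The check keys on the app identifier rather than the display name, so an app that merely carries Data Loader branding is never treated as approved.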