Executive Summary
In June 2025, Google's internal Salesforce instance was compromised by the cybercriminal group UNC6040, also known as ShinyHunters. The attackers employed a sophisticated voice phishing (vishing) campaign, impersonating IT support to deceive employees into installing a malicious version of Salesforce's Data Loader application. This granted unauthorized access to sensitive business customer data, including names and contact details. The breach was swiftly identified and contained by Google, minimizing the exposure of sensitive information. (avertium.com)
This incident underscores the escalating threat posed by social engineering attacks targeting cloud-based platforms. Organizations are urged to enhance their security measures, particularly in training employees to recognize and resist such deceptive tactics, to prevent similar breaches in the future.
Why This Matters Now
The increasing prevalence of social engineering attacks, such as vishing, highlights the urgent need for organizations to bolster their cybersecurity defenses and employee training programs to mitigate the risk of data breaches.
Attack Path Analysis
UNC6040 initiated the attack by impersonating IT support to deceive employees into authorizing a malicious Salesforce Data Loader application. This granted the attackers elevated privileges within the Salesforce environment, enabling them to exfiltrate sensitive customer data. Subsequently, they moved laterally to other connected platforms, such as Okta and Microsoft 365, to expand their access. The attackers established command and control by maintaining persistent access through the authorized malicious application. They exfiltrated large volumes of data using API queries and later attempted to extort the victim organizations by threatening to release the stolen data. The impact included significant data breaches, potential reputational damage, and financial losses due to extortion demands.
Kill Chain Progression
Initial Compromise
Description
UNC6040 impersonated IT support personnel to deceive employees into authorizing a malicious Salesforce Data Loader application.
MITRE ATT&CK® Techniques
Modify Cloud Compute Configurations
Compromise Accounts: Cloud Accounts
Cloud Infrastructure Discovery
Cloud Administration Command
Establish Accounts: Cloud Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Review and manage user access rights
Control ID: 7.2.5
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement least privilege access
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Salesforce permission misconfigurations expose customer data and financial records, violating PCI compliance requirements and enabling lateral movement attacks.
Health Care / Life Sciences
Cloud misconfiguration vulnerabilities in Salesforce environments risk HIPAA violations through unauthorized access to patient data and medical records.
Computer Software/Engineering
Organizations using Salesforce for development operations face privilege escalation risks through connected app vulnerabilities and API permission misconfigurations.
Professional Training
Educational organizations leveraging Salesforce CRM systems are vulnerable to data exfiltration through inadequate zero trust segmentation and egress controls.
Sources
- Auditing Salesforce Permission Hierarchies with ForceHound: https://www.netspi.com/blog/technical-blog/web-application-pentesting/auditing-salesforce-permission-hierarchies-with-forcehound/
- FBI Issues Salesforce Instance Warning Over 'ShinyHunters' Data Theft: https://www.salesforceben.com/fbi-issues-salesforce-instance-warning-over-shinyhunters-data-theft/
- Salesforce platforms are being cracked open for data theft - FBI warns of UNC6040 and UNC6395 IOCs: https://www.techradar.com/pro/security/salesforce-platforms-are-being-cracked-open-for-data-theft-fbi-warns-of-unc6040-and-unc6395-iocs
- Google Exposes Vishing Group UNC6040 Targeting Salesforce with Fake Data Loader App: https://thehackernews.com/2025/06/google-exposes-vishing-group-unc6040.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data undetected.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by limiting unauthorized application deployments within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict identity-aware access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been constrained by monitoring and controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels could have been limited by providing comprehensive visibility and control across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been constrained by enforcing strict egress policies and monitoring outbound traffic.
The overall impact of the attack could have been limited by reducing the attacker's ability to access and exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management (CRM)
- Sales Operations
- Customer Support
- Data Analytics
Estimated downtime: 7 days
Estimated loss: $500,000
Customer contact information, sales data, and potentially sensitive business records.
Recommended Actions
Key Takeaways & Next Steps
- Implement API Access Control to restrict OAuth applications to those explicitly approved by administrators.
- Enforce Multi-Factor Authentication (MFA) for all user accounts to add an additional layer of security.
- Conduct regular audits of connected applications and their permissions to identify and revoke unauthorized access.
- Provide comprehensive training to employees on recognizing and reporting social engineering attempts, such as vishing.
- Utilize anomaly detection systems to monitor for unusual data access patterns and potential exfiltration activities.
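The detection logic the last two recommendations call for, and the API-driven bulk export described under Attack Path Analysis, can be checked offline against Salesforce API event logs. The following is an added example, not code from the original page or from Aviatrix; it assumes a constructed CSV modelled on a simplified subset of Salesforce EventLogFile "API" columns, a hypothetical administrator allow-list of approved connected apps, and a hypothetical row threshold.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log. Column names follow Salesforce EventLogFile API
# events in simplified form; real exports carry many more columns.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-06-10T09:00:01Z,005xx000001AAA,Data Loader (approved),Account,120
API,2025-06-10T09:05:12Z,005xx000001BBB,Data Loader Update,Contact,50000
API,2025-06-10T09:06:40Z,005xx000001BBB,Data Loader Update,Account,48000
API,2025-06-10T09:10:00Z,005xx000001CCC,Salesforce for Outlook,Contact,3
"""

# Hypothetical allow-list: the connected apps an administrator has approved.
# A look-alike name ("Data Loader Update") is exactly what a vishing victim
# would be talked into authorizing, so we compare exact strings, not prefixes.
APPROVED_APPS = {"Data Loader (approved)", "Salesforce for Outlook"}
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case"}
ROW_THRESHOLD = 10_000  # hypothetical rows per (user, app) before alerting


def analyse(log_text, approved=APPROVED_APPS, threshold=ROW_THRESHOLD):
    """Return two findings from an API event log:
    - connected app names not on the approved list
    - (user, app) pairs that pulled more than `threshold` rows from
      sensitive objects, aggregated across all their requests."""
    rows_by_actor = defaultdict(int)
    unapproved = set()
    for rec in csv.DictReader(io.StringIO(log_text)):
        app = rec["CLIENT_NAME"]
        if app not in approved:
            unapproved.add(app)
        if rec["ENTITY_NAME"] in SENSITIVE_OBJECTS:
            rows_by_actor[(rec["USER_ID"], app)] += int(rec["ROWS_PROCESSED"])
    bulk = {actor: n for actor, n in rows_by_actor.items() if n > threshold}
    return {"unapproved_apps": sorted(unapproved), "bulk_exports": bulk}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Aggregating per (user, app) rather than per request is what catches an export split into many moderately sized API calls.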