{"id":14582,"date":"2025-08-07T11:48:41","date_gmt":"2025-08-07T11:48:41","guid":{"rendered":"https:\/\/newestek.com\/?p=14582"},"modified":"2025-08-07T11:48:41","modified_gmt":"2025-08-07T11:48:41","slug":"we-too-were-breached-says-google-months-after-revealing-salesforce-attacks","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14582","title":{"rendered":"\u2018We too were breached,\u2019 says Google, months after revealing Salesforce attacks"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Google has now confirmed that it too was impacted by the Salesforce data theft attacks originally uncovered by its own threat intelligence group (GTIG) in June.<\/p>\n<p>In an August 5 update to its June disclosure about an ongoing voice phishing (vishing) campaign targeting Salesforce customers, Google revealed that information related to some of its own customers was compromised.<\/p>\n<p>\u201cIn June, one of Google\u2019s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post,\u201d Google said in the update to the June disclosure that revealed details of the <strong>\u201c<a href=\"https:\/\/www.csoonline.com\/article\/4001744\/hackers-use-vishing-to-breach-salesforce-customers-and-swipe-data.html\">Voice Phishing to Data Extortion<\/a><\/strong>\u201d attacks. 
\u201cThe instance was used to store contact information and related notes for small and medium businesses,\u201d the post noted.<\/p>\n<p>The campaign is attributed to a threat group Google tracks as UNC6040, which, after breaching Salesforce, moves laterally across cloud services, targeting tools like Okta, Microsoft 365, and Workplace to widen the scope of the breach.<\/p>\n<p>According to David Stuart, cybersecurity evangelist at Sentra, the theft of Google-hosted data makes sense. \u201cThis breach is the latest in a string of attacks targeting Salesforce environments, from Qantas to Pandora and now Google,\u201d he said. \u201cIt\u2019s a clear signal that attackers are focusing on where data is most concentrated, and often least visible \u2014 within cloud SaaS applications.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"stolen-data-is-publicly-available-google\">Stolen data is publicly available: Google<\/h2>\n<p>According to the update, the breach is likely to have a minimal impact due to the nature of the stolen data. \u201cThe data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,\u201d the update said.<\/p>\n<p>Google\u2019s security team was able to contain the theft mid-process. \u201cAnalysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,\u201d Google said. In the June disclosure, the cloud leader had said something similar without naming itself as the victim. \u201cIn one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation,\u201d it had noted.<\/p>\n<p>Google did not comment on whether it was aware of the theft of its own data while disclosing the campaign. 
<\/p>\n<p>The breach\u2019s long-term consequences may be more serious, warned Ben McCarthy, lead cyber security engineer at Immersive. \u201cA key issue is the personal information being accessed in these attacks, such as names and dates of birth, is information that can\u2019t be changed,\u201d he said. \u201cThese details, as well as email addresses, are weaponised by cybercriminals for phishing attacks.\u201d<\/p>\n<p>This concern is further amplified by the threat actors themselves, who have reportedly partially confirmed the breach and claimed they\u2019re considering just leaking the data instead of extorting Google.<\/p>\n<h2 class=\"wp-block-heading\" id=\"attackers-may-have-claimed-a-google-breach-too\">Attackers may have claimed a Google breach, too<\/h2>\n<p>GTIG had also disclosed extortion activities related to UNC6040 intrusions, sometimes carried out several months after the initial data theft, by another threat group, UNC6240, which identified itself as the notorious BreachForums admin \u2018ShinyHunters\u2019.<\/p>\n<p>At the time, the GTIG team had presumed the claim to be a stunt to pressure victims into speeding up payments, which were to be made in bitcoin within 72 hours.<\/p>\n<p>While the attribution hasn\u2019t been confirmed yet, BleepingComputer reports that it spoke with ShinyHunters on Monday, August 5; the group claimed to have breached many Salesforce instances in an ongoing attack, including a trillion-dollar company, without confirming it to be Google. 
ShinyHunters also reportedly told BleepingComputer of their \u2018just leaking the data\u2019 plans for data stolen from this company.<\/p>\n<p>This revelation is particularly interesting given reports of an alleged <a href=\"https:\/\/www.csoonline.com\/article\/4013356\/us-indicts-one-for-role-in-breachforums-france-arrests-four-others.html\">arrest of ShinyHunters<\/a>, along with four other BreachForums admins, including IntelBroker, by the French Police in mid-June.<\/p>\n<p>Concerns are likely to escalate if ShinyHunters are indeed behind these attacks. The former admin of the infamous <a href=\"https:\/\/www.csoonline.com\/article\/2110830\/breachforums-seized-by-law-enforcement-admin-baphomet-arrested.html\">BreachForums<\/a> hack site has long been a fixture in the cyberthreat landscape. Among the group\u2019s most high-profile claims are breaches involving PowerSchool, Oracle Cloud, Snowflake data-theft attacks, AT&amp;T, and Microsoft\u2019s private GitHub repositories.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Google has now confirmed that it too was impacted by the Salesforce data theft attacks originally uncovered by its own threat intelligence group (GTIG) in June. In an August 5 update to its June disclosure about an ongoing voice phishing (vishing) campaign targeting Salesforce customers, Google revealed that information related to some of its own customers was compromised. 
\u201cIn June, one of Google\u2019s corporate Salesforce&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14582\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14582","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14582","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14582"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14582\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}