ShinyHunters hackers accessed a Google corporate Salesforce instance in June 2025, compromising basic business contact information that puts Gmail users at risk of sophisticated phishing attempts.
Voice Tricks Led to Salesforce Access
ShinyHunters (tracked as UNC6040 for intrusion activities and UNC6240 for extortion activities) successfully targeted a Google employee through voice phishing in June 2025. The attack compromised Google’s Salesforce corporate instance, exposing basic business information including business names and contact details.
Google’s Threat Analysis Group confirmed on August 5: “No passwords or financial information were taken. The breach was limited to largely publicly available business information.”
The hackers deployed a malicious connected app with OAuth functionality similar to Salesforce’s Data Loader. This approach grants API-level access during a legitimate user session, effectively bypassing additional authentication requirements.
Multiple Organizations Targeted
The breach extends beyond Google: it is part of a campaign against multiple organizations that use Salesforce, with Adidas, Qantas, and Allianz Life among the companies that have disclosed being affected.
Google tracks the extortion activity that follows these intrusions as UNC6240, which issues ransom demands in bitcoin. Google notes that actors using the ShinyHunters brand may be preparing a data leak site to publish information stolen from breach victims.
Evolving Attack Techniques
Google’s threat intelligence reports that these attackers typically target English-speaking branches of multinational companies. Many of the phishing attempts impersonate Google support personnel.
Google states: “We will never call you to ask for codes or passwords.”
Google has also documented how attackers are exploring AI assistants and prompt manipulation as potential avenues for future attacks, though these techniques have not been specifically confirmed in this campaign.
Security Steps for Users
Google sent notifications to affected users on August 8, 2025. Recommended actions include:
- Run Google’s Security Checkup
- Enable passkeys or multi-factor authentication
- Be cautious of calls claiming to be from Google
- Never share verification codes or passwords via phone or email
- Review third-party app access to Google accounts
For Salesforce users, Google and Salesforce recommend implementing connected app governance, limiting OAuth scopes, enforcing IP-based restrictions where appropriate, and monitoring for unusual API activity or large data exports.
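The monitoring step above can be approximated by correlating connected-app activity per user. The following is an added example, not code from Google or Salesforce; the log records, field names, allowlist, trusted address prefix and row threshold are all constructed for illustration and do not reflect Salesforce’s actual event schema.

```python
"""Flag Salesforce API activity matching the abuse pattern described above:
an unapproved connected app pulling large row counts, possibly from an
unexpected network. Records are constructed; field names are assumptions,
not Salesforce's real EventLogFile columns."""
from collections import defaultdict

# Connected apps the org has approved (constructed allowlist).
APPROVED_APPS = {"Salesforce Data Loader", "Internal Reporting"}
ROW_THRESHOLD = 50_000          # rows per (user, app) before alerting (assumed policy)
TRUSTED_PREFIXES = ("10.",)     # assumed corporate address range

# Constructed events: user, connected app, API type, rows returned, source IP.
EVENTS = [
    {"user": "alice@example.com", "app": "Internal Reporting",
     "api": "REST", "rows": 1200, "ip": "10.0.0.5"},
    {"user": "bob@example.com", "app": "My Ticket Portal",
     "api": "Bulk", "rows": 40000, "ip": "198.51.100.7"},
    {"user": "bob@example.com", "app": "My Ticket Portal",
     "api": "Bulk", "rows": 35000, "ip": "198.51.100.7"},
    {"user": "carol@example.com", "app": "Salesforce Data Loader",
     "api": "Bulk", "rows": 800, "ip": "10.0.0.9"},
]


def find_suspicious(events, approved=APPROVED_APPS, threshold=ROW_THRESHOLD,
                    trusted=TRUSTED_PREFIXES):
    """Return one alert per (user, app) pair that uses an unapproved connected
    app, exceeds the aggregate row threshold, or connects from outside the
    trusted address range. Aggregating per pair catches exports split across
    several smaller API calls."""
    totals = defaultdict(int)
    ips = defaultdict(set)
    for e in events:
        key = (e["user"], e["app"])
        totals[key] += e["rows"]
        ips[key].add(e["ip"])

    alerts = []
    for (user, app), rows in totals.items():
        reasons = []
        if app not in approved:
            reasons.append("unapproved connected app")
        if rows > threshold:
            reasons.append(f"{rows} rows exported")
        if any(not ip.startswith(trusted) for ip in ips[(user, app)]):
            reasons.append("access from untrusted IP")
        if reasons:
            alerts.append({"user": user, "app": app, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(EVENTS):
        print(alert)
```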
Previous Incidents
Previous Google security incidents include the Google+ API exposure disclosed in 2018, the Google Docs OAuth phishing attack mitigated in May 2017, Gooligan malware documented in 2016, and a Gmail credential dump in 2014 where Google stated its systems were not breached.
As of August 28, 2025, Google and Salesforce continue to investigate the full impact of the incident, with ongoing monitoring for phishing attempts that use the compromised information.