Google Uncovers Widespread Salesforce Data Theft & Extortion Campaign

Key Takeaways
  • Google Hit by Salesforce Data Breach: Google confirmed that one of its corporate Salesforce instances was accessed by the threat group UNC6040 using voice phishing.
  • Attackers Exploited Human Trust: No Salesforce vulnerability was involved; employees were talked through authorizing a malicious connected app over the phone.
  • Delayed Extortion Tied to ‘ShinyHunters’: A second group, UNC6240, follows up, sometimes months later, with bitcoin ransom demands while claiming affiliation with ShinyHunters.
  • Custom Tools & VPNs Complicate Detection: Attackers moved from a modified Salesforce Data Loader to custom Python scripts to exfiltrate data, and routed activity through Mullvad VPN and Tor to hide their tracks.
  • Mitigation Requires User Training and Access Controls: Organizations are urged to restrict powerful Salesforce permissions (such as “API Enabled” and “Manage Connected Apps”), allowlist and monitor connected apps, and train users to recognize social engineering.
Deep Dive

It all starts with a phone call. Not a suspicious link. Not malware. Just a convincing voice on the other end of the line, claiming to be IT support. Before long, a well-meaning employee is clicking through a Salesforce setup page and, unwittingly, handing over the keys to their company’s data kingdom.

This isn’t a scene from a cyber-thriller. It’s the real-life playbook of UNC6040, a financially motivated threat actor that Google’s Threat Intelligence Group (GTIG) has been tracking closely. Over the past several months, the group has pulled off a string of high-impact intrusions by using voice phishing (“vishing”) to worm their way into Salesforce environments, exfiltrate data, and then, sometimes months later, come back to extort their victims under a different name.

The strategy isn’t exactly new; threat actors have been pretending to be IT support for years. But UNC6040 has raised the bar. Their operators aren’t stumbling through scripts. They’re smooth, technically convincing, and, crucially, targeting the right people: employees in English-speaking divisions of multinational companies who have just enough access to cause damage.

The attacker’s goal? Convince the victim to authorize a connected Salesforce app, often a modified version of Salesforce’s own Data Loader, from the connected app setup page in their own org. Once approved, the app holds an OAuth token carrying the victim’s own permissions, and the tool uses Salesforce’s APIs to export customer data (names, contact details, business notes) in bulk without tripping alarms. None of this exploits a Salesforce vulnerability. The only flaw is human.
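The approval pattern described above leaves a trace an admin can hunt for: a connected app the org never vetted, authorized by a user who then, within hours, makes their first-ever API logins through that app. The following is an added example written for this page, not code from Google’s report or from Salesforce. The records are constructed; their field names follow Salesforce’s OauthToken and LoginHistory objects (AppName, UserId, CreatedDate; LoginTime, Application, ApiType, SourceIp, Status), which an admin can pull with SOQL, and the allowlist of approved apps is a hypothetical one.

```python
"""Hunt for a newly authorized connected app that immediately starts pulling
data through the Salesforce API (added example, not from the GTIG report).

Assumed/constructed: the OauthToken and LoginHistory rows below are made up;
APPROVED_APPS is a hypothetical allowlist an admin would maintain.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical allowlist of connected apps the org has actually vetted.
APPROVED_APPS = {"Salesforce for iOS", "Dataloader Bulk", "Dataloader Partner"}

# Constructed OauthToken rows: which app each user has authorized, and when.
OAUTH_TOKENS = [
    {"AppName": "Dataloader Bulk", "UserId": "005A", "CreatedDate": "2025-06-02T09:15:00Z"},
    # A renamed Data Loader clone, approved during a "support" call.
    {"AppName": "My Ticket Portal", "UserId": "005B", "CreatedDate": "2025-06-10T14:02:00Z"},
    # Legitimate first-time Data Loader user: looks similar, needs triage.
    {"AppName": "Dataloader Bulk", "UserId": "005C", "CreatedDate": "2025-06-11T10:00:00Z"},
]

# Constructed LoginHistory rows. ApiType is empty for browser (UI) logins.
LOGIN_HISTORY = [
    {"UserId": "005A", "LoginTime": "2025-05-20T08:00:00Z", "Application": "Dataloader Partner",
     "ApiType": "Partner", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"UserId": "005A", "LoginTime": "2025-06-02T09:16:00Z", "Application": "Dataloader Bulk",
     "ApiType": "Bulk API", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-06-10T13:40:00Z", "Application": "Browser",
     "ApiType": "", "SourceIp": "203.0.113.25", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-06-10T14:05:00Z", "Application": "My Ticket Portal",
     "ApiType": "Bulk API", "SourceIp": "198.51.100.7", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-06-10T14:30:00Z", "Application": "My Ticket Portal",
     "ApiType": "Bulk API", "SourceIp": "198.51.100.7", "Status": "Success"},
    {"UserId": "005C", "LoginTime": "2025-06-11T10:03:00Z", "Application": "Dataloader Bulk",
     "ApiType": "Bulk API", "SourceIp": "203.0.113.40", "Status": "Success"},
]


def _ts(s):
    """Parse an ISO-8601 UTC timestamp in the trailing-Z form Salesforce emits."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unapproved_tokens(tokens, approved):
    """OauthToken rows for apps outside the allowlist: a user has self-authorized
    something the org never vetted (for example a renamed Data Loader)."""
    return [t for t in tokens if t["AppName"] not in approved]


def api_logins_by_user(logins):
    """Successful API logins (ApiType set) grouped per user, sorted by time."""
    out = {}
    for row in logins:
        if row["Status"] == "Success" and row["ApiType"]:
            out.setdefault(row["UserId"], []).append(row)
    for rows in out.values():
        rows.sort(key=lambda r: _ts(r["LoginTime"]))
    return out


def hunt(tokens, logins, approved, window=timedelta(hours=24)):
    """Correlate app grants with API logins and emit one alert per suspicious grant.

    unapproved_app (high): the app is not on the allowlist.
    first_api_use_via_new_app (medium): the user had never logged in through the
    API before and began pulling data via this app within `window` of approving
    it. Legitimate first-time Data Loader use looks identical, so this needs
    analyst triage rather than automatic blocking.
    """
    by_user = api_logins_by_user(logins)
    alerts = []
    for tok in tokens:
        granted = _ts(tok["CreatedDate"])
        user_api = by_user.get(tok["UserId"], [])
        prior = [r for r in user_api if _ts(r["LoginTime"]) < granted]
        via_app = [r for r in user_api
                   if r["Application"] == tok["AppName"]
                   and granted <= _ts(r["LoginTime"]) <= granted + window]
        base = {"UserId": tok["UserId"], "AppName": tok["AppName"],
                "api_logins_after_grant": len(via_app),
                "source_ips": sorted({r["SourceIp"] for r in via_app})}
        if tok["AppName"] not in approved:
            alerts.append({**base, "reason": "unapproved_app", "severity": "high"})
        elif via_app and not prior:
            alerts.append({**base, "reason": "first_api_use_via_new_app", "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for a in hunt(OAUTH_TOKENS, LOGIN_HISTORY, APPROVED_APPS):
        print(a)
```

The source IPs attached to each alert are what you would pivot on next: API logins arriving from addresses the user never used for the browser session are the Mullvad/Tor pattern the report describes. In a real org the two record sets come from `SELECT AppName, UserId, CreatedDate FROM OauthToken` and from LoginHistory (or the Login event log files if Event Monitoring is licensed), and the allowlist should match the connected apps an admin has pre-authorized.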

In June, one of those humans worked for Google.

Google Confirms Breach but Downplays Damage

Google revealed this week that one of its corporate Salesforce instances was hit by UNC6040 in June. The attackers managed to retrieve basic business contact data belonging to small and medium-sized companies. According to Google, the information was “largely publicly available,” and the breach window was narrow.

Still, the incident illustrates just how effective this campaign has become—even the most tech-savvy companies can get caught off guard when the attack vector is a pleasant-sounding stranger on the phone.

From Breach to Blackmail

But the story doesn’t end with data theft. Some time after the initial breach, another actor enters the scene: UNC6240, a likely extension (or partner) of UNC6040. These folks handle the dirty work, calling or emailing victims and demanding bitcoin payments, usually with a 72-hour deadline. They don’t whisper threats; they shout them, claiming to be part of the notorious ShinyHunters group.

And now they may be preparing to take things public. Google says a data leak site could be in the works—another tactic to crank up the pressure and turn private breaches into reputational crises.

Infrastructure and Evolution

GTIG’s report reads like a case study in attacker adaptation. Where UNC6040 once used a modified copy of Salesforce’s Data Loader app, they now lean on custom Python scripts. Where they once created Salesforce trial accounts with throwaway webmail addresses, they now use compromised accounts from real companies. They’re routing activity through Tor, using Mullvad VPN, and standing up fake Okta login pages during social engineering calls to collect credentials and MFA codes.

There’s also overlap, both in infrastructure and playbook, with actors tied to “The Com,” a loose-knit cybercriminal community. While it’s not clear if UNC6040 and these other groups are formally connected, they seem to share tools, tactics, and possibly members.

The scariest part? There’s no exotic zero-day exploit here. No malware buried in a PDF. Just old-fashioned manipulation, a custom app, and a connected-app grant made through Salesforce’s own OAuth flow.

This campaign reinforces what many security professionals already know but often struggle to act on: the biggest vulnerability is not the software; it’s the user. Especially the user answering an unexpected support call.

Even scarier is the lag between breach and extortion. By the time a company realizes it’s been compromised, the attacker might already be gone. But they’re not done. They’re just waiting for the right moment to demand a ransom, and maybe leak some data while they’re at it.

UNC6040 didn’t invent vishing. But they’ve refined it, packaged it with custom tooling, and coupled it with extortion tactics that turn data theft into long-term leverage. And now, they’ve proven they can hit the big leagues—Google included.

Cybersecurity isn’t just about patching vulnerabilities. It’s about preparing your people. Because the next breach might not start with code. It might start with, “Hi, this is IT. Can you help me troubleshoot something?”

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.