{
	"id": "adf13796-732b-4735-bc70-21996573d01f",
	"created_at": "2026-04-06T00:09:09.912867Z",
	"updated_at": "2026-04-10T03:36:00.825124Z",
	"deleted_at": null,
	"sha1_hash": "f967db30ce4ed9b46e36d65fb1c49dbb1c347b2f",
	"title": "Google suffers data breach in ongoing Salesforce data theft attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1123273,
	"plain_text": "Google suffers data breach in ongoing Salesforce data theft attacks\r\nBy Lawrence Abrams\r\nPublished: 2025-08-06 · Archived: 2026-04-05 21:05:56 UTC\r\nGoogle is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by\r\nthe ShinyHunters extortion group.\r\nIn June, Google warned that a threat actor they classify as 'UNC6040' is targeting companies' employees in voice phishing\r\n(vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to\r\nextort companies into paying a ransom to prevent the data from being leaked.\r\nIn a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its\r\nSalesforce CRM instances was breached and customer data was stolen.\r\nhttps://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"In June, one of Google's corporate Salesforce instances was impacted by similar UNC6040 activity described in this post.\r\nGoogle responded to the activity, performed an impact analysis and began mitigations,\" reads Google's update.\r\n\"The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed\r\nthat data was retrieved by the threat actor during a small window of time before the access was cut off.\"\r\n\"The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as\r\nbusiness names and contact details.\"\r\nGoogle is classifying the threat actors behind these attacks as 'UNC6040' or 'UNC6240.' However, BleepingComputer,\r\nwhich has been tracking these attacks, has learned that a notorious threat actor known as ShinyHunters is behind the attacks.\r\nShinyHunters has been around for years, responsible for a wide range of breaches, including those at PowerSchool, Oracle\r\nCloud, the Snowflake data-theft attacks, AT\u0026T, NitroPDF, Wattpad, MathWay, and many more.\r\nIn a conversation with BleepingComputer yesterday, ShinyHunters claimed to have breached many Salesforce instances,\r\nwith attacks still ongoing.\r\nThe threat actor claimed yesterday to BleepingComputer that they breached a trillion-dollar company, and were considering\r\njust leaking the data rather than attempting to extort them. It is unclear if this company is Google.\r\nAs for the other companies impacted in these attacks, the threat actor is extorting them through email, demanding they pay a\r\nransom to prevent the data from being publicly leaked.\r\nOnce the threat actor has finished privately extorting companies, they plan to publicly leak or sell data on a hacking forum.\r\nBleepingComputer has learned of one company that has already paid 4 Bitcoins, or approximately $400,000, to prevent the\r\nleak of their data.\r\nOther companies impacted in these attacks include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis\r\nVuitton, Dior, and Tiffany \u0026 Co.\r\nhttps://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/\r\nhttps://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/"
	],
	"report_names": [
		"google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70929bd1-2bf9-4689-bfff-2bc6b113d3ed",
			"created_at": "2026-01-20T02:00:03.666874Z",
			"updated_at": "2026-04-10T02:00:03.916254Z",
			"deleted_at": null,
			"main_name": "UNC6040",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6040",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f967db30ce4ed9b46e36d65fb1c49dbb1c347b2f.pdf",
		"text": "https://archive.orkl.eu/f967db30ce4ed9b46e36d65fb1c49dbb1c347b2f.txt",
		"img": "https://archive.orkl.eu/f967db30ce4ed9b46e36d65fb1c49dbb1c347b2f.jpg"
	}
}