Google says the group behind last year’s Snowflake attack slurped data from one of its Salesforce instances
Google confirmed that criminals breached one of its Salesforce databases and stole info belonging to some of its small-and-medium-business customers.
In a late-Tuesday update to an earlier blog post, Google Threat Intelligence admitted that one of the Chocolate Factory’s corporate Salesforce instances was among those looted by a gang it tracks as UNC6040, which is associated with ShinyHunters.
The intrusion occurred in June, and the Salesforce database stored “contact information and related notes for small and medium businesses,” which ShinyHunters swiped “during a small window of time before the access was cut off,” according to the threat intel team.
“The data retrieved by the threat actor was confined to basic and largely publicly-available business information, such as business names and contact details,” Google added.
Google declined to provide additional information about the break-in, including if the attackers demanded an extortion payment.
The admission about its own Salesforce database breach appeared in an update to a June blog about UNC6040 and another financially motivated threat group that Google calls UNC6240, which is also linked to ShinyHunters.
The criminals likely used voice phishing or some other type of social engineering scam to gain initial access to victims’ Salesforce databases, but in an unusual twist, the miscreants may be developing a data-shaming site to further bilk victims.
“We believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site,” the update says. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches. We continue to monitor this actor and will provide updates as appropriate.”
As The Register readers likely remember, ShinyHunters was the crew behind last year’s Snowflake customers’ database intrusions.
ShinyHunters are also the prime suspects in a rash of similar Salesforce intrusions this summer whose victims include fashion houses Dior and Chanel, jewelry retailer Pandora, and possibly financial services biz Allianz.®