2025-08-14

Google Confirms CRM Breach in Ongoing ShinyHunters Data Theft Campaign

Level: Strategic | Source: Google | Global


Google confirmed it was among the victims in an ongoing campaign of Salesforce CRM data theft linked to the financially motivated threat group UNC6040, also known as ShinyHunters. The compromise occurred in June 2025, when the attackers leveraged voice phishing (vishing) tactics to trick employees into authorizing access to a corporate Salesforce instance. Once access was granted, the threat actor exfiltrated data during what Google describes as a "small window of time before the access was cut off." The impacted instance was used for small and medium business outreach, and "the data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details," explains Google. While no sensitive or personal data was reportedly compromised in this case, the intrusion is part of a broader trend that has targeted several high-profile organizations using similar tactics.

ShinyHunters has escalated their attack methodology beyond Salesforce’s official tools. Initial operations relied on misusing Salesforce’s Data Loader app, but recent intrusions have seen the threat actors shift to custom Python-based scripts that achieve the same functionality. These applications are typically granted access through convincing vishing calls in which attackers impersonate IT support, guiding employees to authorize malicious connected apps. Once access is secured, data exfiltration is conducted using chunked queries to avoid detection, sometimes retrieving entire data tables depending on the intrusion’s duration. Notably, Google’s Threat Intelligence Group observed that UNC6040 utilized VPN and Tor infrastructure to mask their activity, complicating attribution efforts. The actors also used compromised Salesforce trial accounts or legitimate user accounts from other organizations to register malicious apps, adding another layer of obfuscation.
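The tradecraft described above leaves a recognisable footprint in CRM access logs: a connected app nobody approved, repeated page-sized queries against one object, and a source address on anonymizing infrastructure. The following detector is an added illustration written for this write-up; it is not code from Google, Mandiant or Salesforce, and the `key=value` log format, the field names (`user`, `app`, `object`, `rows`, `ip`), the allowlist and the TEST-NET addresses are all constructed assumptions rather than Salesforce's real Event Monitoring schema.

```python
"""Flag the export pattern described above: an unapproved connected app that
starts pulling a CRM object in repeated chunks from anonymizing infrastructure.

Everything here is constructed for illustration; adapt the parser to the
real event schema before using the logic against production logs."""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_APPS = {"Salesforce-Web-UI", "Data_Loader"}   # assumption: org allowlist
ANON_EXIT_IPS = {"198.51.100.7"}                        # constructed watchlist
WINDOW = timedelta(hours=1)
ROW_THRESHOLD = 5000          # rows per (user, app) inside WINDOW
CHUNK_QUERY_THRESHOLD = 10    # queries per (user, app, object) inside WINDOW

# Constructed sample log: two benign users, then one user whose newly
# authorised app pages through Contact 2000 rows at a time.
SAMPLE_EVENTS = [
    "2025-06-10T09:00:12Z user=alice app=Salesforce-Web-UI object=Account rows=25 ip=203.0.113.10",
    "2025-06-10T09:05:40Z user=carol app=Data_Loader object=Lead rows=300 ip=203.0.113.22",
] + [
    f"2025-06-10T10:{1 + i:02d}:00Z user=bob app=Helpdesk_Sync object=Contact rows=2000 ip=198.51.100.7"
    for i in range(12)
]


def parse_event(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with typed ts/rows."""
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["rows"] = int(fields["rows"])
    return fields


def detect(lines):
    """Return alert tuples in the order they fire; each alert fires once."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts, fired = [], set()
    per_app = defaultdict(list)      # (user, app) -> [(ts, rows)] inside WINDOW
    per_object = defaultdict(list)   # (user, app, object) -> [ts] inside WINDOW

    def fire(*alert):
        # Deduplicate on (kind, user, app[, object]) so a burst yields one alert
        ident = alert[:-1] if isinstance(alert[-1], int) else alert
        if ident not in fired:
            fired.add(ident)
            alerts.append(alert)

    for e in events:
        key = (e["user"], e["app"])

        # 1. Connected app not on the allowlist (vishing-authorised apps land here)
        if e["app"] not in APPROVED_APPS:
            fire("unapproved_app", *key)

        # 2. Source address on the anonymizer watchlist (VPN/Tor exits)
        if e["ip"] in ANON_EXIT_IPS:
            fire("anonymizing_source", *key, e["ip"])

        # 3. Row volume per user+app over the sliding window
        per_app[key] = [(t, r) for t, r in per_app[key] if e["ts"] - t <= WINDOW]
        per_app[key].append((e["ts"], e["rows"]))
        total = sum(r for _, r in per_app[key])
        if total > ROW_THRESHOLD:
            fire("bulk_export", *key, total)

        # 4. Repeated queries against one object: the chunked-export signature
        okey = key + (e["object"],)
        per_object[okey] = [t for t in per_object[okey] if e["ts"] - t <= WINDOW]
        per_object[okey].append(e["ts"])
        if len(per_object[okey]) >= CHUNK_QUERY_THRESHOLD:
            fire("chunked_query", *okey, len(per_object[okey]))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule on its own is noisy (a legitimate integration also pages through objects), so the useful signal is the conjunction: all four alerts land on the same user and app within minutes. The allowlist check is the one that maps most directly to the campaign, because the victim, not the attacker, authorises the app; reviewing newly authorised connected apps against an approval record catches that step regardless of which client tool the actor runs.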

This intrusion is part of a wider, active campaign that has affected multiple organizations including Adidas, Cisco, Qantas, Allianz Life, and subsidiaries of LVMH. In some cases, ShinyHunters has extorted victims via email, demanding payment in Bitcoin to prevent public leaks. Google has attributed post-breach extortion attempts to UNC6240, an affiliate or evolution of UNC6040, which continues to pressure victims through sustained email threats. While Google’s impact was limited to non-sensitive data, other organizations have reportedly paid significant ransoms to prevent leaks—one such company paid approximately $400,000. ShinyHunters claimed in communication with media that they had breached a “trillion-dollar company,” though it remains unconfirmed if that reference was to Google.
