Google confirms data breach after cyberattack on Salesforce database: What’s leaked
Google has confirmed that one of its Salesforce systems, used for storing contact data on small and medium businesses, was briefly compromised by a cybercriminal group tracked as UNC6040, which uses voice phishing, or “vishing”, to trick employees into handing over access to sensitive tools.
Hackers impersonated IT support staff
The attackers used a social engineering technique in which they impersonated IT support staff during phone calls, convincing employees to authorise a malicious application connected to their Salesforce environment. This allowed the group to access and extract basic business contact details, most of which, Google says, were already publicly available, before the breach was detected and stopped.
Notably, the group behind the attack, UNC6040, is known for targeting Salesforce platforms by abusing tools like the “Data Loader” app, a legitimate application that allows bulk data handling. In many cases, the hackers use fake versions of this app with misleading names, such as “My Ticket Portal,” to avoid detection during the phishing calls.
In an evolving trend, the group has shifted from using official Salesforce tools to custom-made Python scripts for data theft, making its activity harder to trace. It also reportedly uses VPNs and the Tor anonymity network to hide its identity and location.
Possible public data leak site in the works
Another linked group, UNC6240, has followed up on these data thefts with extortion attempts, often contacting company employees by email or phone, demanding bitcoin payments within 72 hours. These messages claim to be from the hacking group “ShinyHunters,” a name familiar in the cybercrime world.
Google’s threat intelligence unit believes the extortion group may soon launch a website to publicly leak stolen data, a common pressure tactic among cybercriminals.
The broader concern is that these attacks do not exploit flaws in Salesforce itself but rather human error, tricking employees into granting access through what appear to be routine IT support calls. Companies are being urged to tighten access controls, restrict permissions to sensitive tools, limit which apps can be installed or authorised, and train staff to recognise social engineering scams.
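As an added illustration of the detection side of the controls above (example code, not Google's or Salesforce's), the following Python checker runs over constructed, simplified records of connected-app OAuth consents and bulk exports. The field names and thresholds are assumptions; a real deployment would read Salesforce event monitoring or setup audit data instead. It flags consents to connected apps outside an allowlist, and bulk exports those apps perform shortly afterwards, which is the pattern the article describes.

```python
"""Flag connected-app activity matching the vishing-then-export pattern.

Constructed example; record shape and thresholds are assumptions, not a
Salesforce API. Each event is a dict: time, user, type, app, optional rows.
"""
from datetime import datetime, timedelta

# Assumed allowlist of connected apps the organisation has approved.
APPROVED_APPS = {"Data Loader", "Salesforce Mobile"}
# Assumed row count above which an export counts as "bulk".
BULK_ROWS = 10_000
# Window after a fresh OAuth consent in which a bulk export is most suspicious.
WINDOW = timedelta(hours=2)


def find_suspicious(events):
    """Return (user, app, reason) tuples for events worth an analyst's attention."""
    consents = {}   # (user, app) -> time the user consented to the app
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (e["user"], e["app"])
        if e["type"] == "oauth_consent":
            consents[key] = e["time"]
            if e["app"] not in APPROVED_APPS:
                findings.append((e["user"], e["app"], "consent to non-allowlisted app"))
        elif (e["type"] == "bulk_export" and e.get("rows", 0) >= BULK_ROWS
              and e["app"] not in APPROVED_APPS):
            consented = consents.get(key)
            recent = consented is not None and e["time"] - consented <= WINDOW
            reason = "bulk export by non-allowlisted app"
            if recent:
                reason += " shortly after OAuth consent"
            findings.append((e["user"], e["app"], reason))
    return findings


# Constructed sample mirroring the article's scenario: a lookalike app named
# "My Ticket Portal" is authorised during a call and then pulls a large export.
T0 = datetime(2025, 8, 6, 10, 0)
SAMPLE_EVENTS = [
    {"time": T0, "user": "alice", "type": "oauth_consent", "app": "Salesforce Mobile"},
    {"time": T0 + timedelta(minutes=5), "user": "bob", "type": "oauth_consent", "app": "My Ticket Portal"},
    {"time": T0 + timedelta(minutes=20), "user": "bob", "type": "bulk_export", "app": "My Ticket Portal", "rows": 250_000},
    {"time": T0 + timedelta(minutes=30), "user": "carol", "type": "bulk_export", "app": "Data Loader", "rows": 50_000},
]

if __name__ == "__main__":
    for user, app, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{user}: {app}: {reason}")
```

Only the unapproved app is reported; the approved Data Loader export by carol passes, which is why an accurate allowlist of connected apps is the first control to get right.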