Google and Salesforce: A Case of Digital Security Breach

In June, a significant cyber threat was discovered targeting Salesforce customers. Google reported a new campaign in which threat actors were impersonating IT department staff to gain unauthorized account access. Surprisingly, two months later, Google itself revealed that it had become a victim of the same attack.

The cyber intrusions were perpetrated by threat actors with financial motives, aiming to extort companies by selling back their own data at exorbitant prices. Instead of leveraging software vulnerabilities, the attackers used social engineering tactics. High-profile companies such as Adidas, Qantas, Allianz Life, Cisco, and brands under LVMH, including Louis Vuitton and Dior, were reportedly affected.

The attackers capitalized on a Salesforce feature that allows integration with third-party applications. Employees were tricked into connecting an external app to their Salesforce accounts. During the process, the attackers requested a security code, which gave them full access to the data.

Google acknowledged its compromised Salesforce instance after analyzing the breach. It reported that the data retrieved was mostly business contact information, which was primarily public. The attackers, identified as the group UNC6040, later linked their activities to another group known as ShinyHunters, which is notorious for extortion and potential data leak sites.

This incident is a stark reminder for all Salesforce customers to audit their systems rigorously. Companies need to ensure that multifactor authentication is implemented, and staff are appropriately trained to recognize such scams before infiltration occurs.