Google Discovers and Falls Victim to a New Scam

In June, Google revealed a widespread campaign targeting Salesforce customers, involving attackers posing as IT department personnel to gain immediate access to accounts. Surprisingly, Google itself became a victim of this scam.
The attacks are financially motivated and aim to steal data to sell back at exorbitant prices. Rather than exploiting software flaws, these scams use simple techniques: calling the target and asking for account access. The approach has been astonishingly successful, compromising companies such as Adidas, Qantas, Allianz Life, Cisco, and LVMH subsidiaries including Louis Vuitton, Dior, and Tiffany & Co.
Better late than never
The attackers abuse a Salesforce feature that allows customers to link their accounts with third-party apps. Employees are tricked into connecting an external app to their Salesforce instance and providing the eight-digit security code required for the connection. This gives the attackers access to the instance and its data.
Google has confirmed that its Salesforce instance was compromised in June. It disclosed the breach only recently, likely because the breach itself was only recently discovered. The retrieved data was restricted to business information, which Google stated was largely public.
Initially, Google attributed the attacks to a group identified as UNC6040. A second group, UNC6042 or “ShinyHunters,” has escalated to extortion tactics months after the initial breach.
“In addition, we suspect 'ShinyHunters' might intensify their extortion tactics by launching a data leak site (DLS),” warned Google. Such moves are likely to put more pressure on victims, particularly those affected by recent Salesforce-related breaches.
With numerous companies falling for the scam, including Google, it’s likely there are many more undisclosed victims. Salesforce users should carefully audit which external sources are connected to their instances, implement multifactor authentication, and train staff to recognize scams early.
Dan Goodin, Senior Security Editor at Ars Technica, provides comprehensive coverage of security issues. Contact him via Signal at DanArs.82 and follow him on Mastodon and Bluesky.