Google admits ShinyHunters steal data in Salesforce hack: 'The data retrieved by the threat actor was...'

Google confirmed that the ShinyHunters hacking group, also known as UNC6040, breached its Salesforce database in June. The attackers accessed basic business information through a small window before access was cut off. The group evolved its tactics, shifting from Salesforce Dataloader to custom Python scripts and using compromised accounts to register malicious applications.
Google has confirmed that a cybercriminal group broke into its Salesforce database. The tech giant said that the hacking group popularly known as ShinyHunters, formally designated as UNC6040, is behind the breach. The company’s Threat Intelligence Group published a blog post saying “In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity”. However, it did not reveal the number of customers affected by the hack. “Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” the company said.


How ShinyHunters hacked Google’s Salesforce database

The blog post said that Google Threat Intelligence Group (GTIG) has observed an evolution in UNC6040's TTPs. While the group initially relied on the Salesforce Dataloader application, they have since shifted to using custom applications. These custom applications are typically Python scripts that perform a similar function to the Dataloader app.
As explained in the post, the updated attack chain involves a voice call to enroll a victim, which the threat actor initiates while using Mullvad VPN IPs or TOR. Following this initial engagement, the data collection is automated and carried out through TOR IPs, a change that further complicates attribution and tracking efforts. GTIG also observed that the threat actor shifted from creating Salesforce trial accounts with webmail email addresses to using compromised accounts from unrelated organizations to initially register their malicious applications.
Author: TOI Tech Desk
