ShinyHunters Breach Google’s Salesforce Instance
Cybercriminal group ShinyHunters (also tracked as UNC6040) has struck again — this time targeting Google. The tech giant confirmed that the group accessed one of its corporate Salesforce instances used for business customers, but stressed that the stolen data was minimal in sensitivity.
According to Google’s statement, the incident took place in June and was part of the same campaign outlined in the company’s broader breakdown of ShinyHunters’ tactics. The attackers reportedly retrieved only “basic and largely publicly available business information, such as business names and contact details.”
A Low-Tech, High-Success Approach
As reported by TechRadar, ShinyHunters has built a reputation for breaching corporate Salesforce environments by impersonating employees over the phone. The callers typically contact IT support, claim to have lost access to their accounts, and persuade staff to reset credentials, which gives the attackers unauthorized access.
While the social engineering method might sound simple, it’s proven highly effective. Multiple organizations have recently reported data theft via the same playbook.
No Word on Ransom Demands
Google has not disclosed how many customers were affected and declined to confirm whether the attackers issued a ransom demand.
One of the Most Active Data Theft Groups
ShinyHunters is currently among the most active and successful threat actors in the cybercrime space. In recent weeks, they’ve claimed responsibility for breaches at Pandora, Allianz Life, AT&T, Santander, and Ticketmaster, among others.
Unlike traditional ransomware operators, the group doesn’t encrypt files. Instead, they focus purely on data exfiltration — a trend becoming more common as some ransomware groups pivot away from costly and complex encryption operations.