Google Confirms Data Breach — Notifying Users Affected by the Cyberattack By CyberDudeBivash — Cybersecurity & AI
Executive summary
Google has confirmed a breach of one of its Salesforce CRM instances after a targeted campaign by the ShinyHunters / UNC6040 group. The stolen data relates to business contacts and notes (names, company details, work emails, phone numbers) for current and prospective customers, particularly Google Ads/Cloud prospects. Google says the intruders had access only for a short window before being cut off, and affected customers have been notified by email (notifications were reported complete on August 8, 2025). (Sources: TechCrunch, SecurityWeek, BleepingComputer and one further outlet, Cyber Security News)
What exactly happened (timeline)
- Early June–July 2025 — Google warns of a broader campaign stealing Salesforce CRM data from multiple companies, tracked as UNC6040, a voice-phishing (vishing) actor. (Source: SecurityWeek)
- August 6, 2025 — Multiple outlets report that Google confirmed a compromise of a corporate Salesforce database containing business contact information; attribution to ShinyHunters/UNC6040. (Sources: TechCrunch, Axios, BleepingComputer)
- August 8–10, 2025 — Google's customer notifications complete; follow-up coverage confirms the emails and scope (business leads/Google Ads prospects). (Sources: Forbes, BleepingComputer, Cyber Security News)
Google's statement emphasized that the data was "basic and largely publicly available business information" and that access was cut off quickly. Even so, CRM data is highly valuable for targeted phishing and social engineering. (Source: SecurityWeek)
Likely intrusion path
Reporting around the campaign indicates that voice-phishing (vishing) and social engineering were used to obtain employee-level access to Salesforce, after which contact records were exported in bulk. This fits the UNC6040 tradecraft previously observed against Salesforce customers: callers posing as IT support talk an employee through authorizing an attacker-controlled connected app (a modified version of Salesforce's Data Loader), and that app then pulls records out through the API. Note that no Salesforce vulnerability is involved; the weakness exploited is the human approval of an OAuth/connected-app grant. (Sources: SecurityWeek, Mint)
Why Salesforce? CRM systems centralize validated business identities (names, roles, direct emails, phone numbers, spend, renewal dates)—gold for follow-on BEC/phishing and partner-supply-chain scams.
What data was exposed?
From Google’s and independent reports:
- Business contact details: names, company names, work emails/phones, lead notes; no passwords or consumer Gmail content indicated.
- Potential focus on Google Ads/Cloud business leads (prospective/SMB customers). (Sources: SecurityWeek, BleepingComputer)
Primary risk: high-credibility phishing (invoice fraud, renewal/ads billing scams), vishing callbacks, and account-takeover attempts against Ads and Cloud admin users.
Who is affected?
- Individuals and companies who engaged Google sales/Ads/Cloud and whose details sat in the affected Salesforce org.
- Press reports note ongoing, industry-wide Salesforce data-theft campaigns, not limited to Google. (Source: BleepingComputer)
Immediate actions (for Ads/Cloud customers & partners)
- Treat any email or call "from Google" as suspect. Verify through the contacts shown in your own Ads/Cloud console, and never act on payment-detail or billing-link changes received by email.
- Lock down Ads/Cloud admin access:
  - Enforce phishing-resistant MFA (passkeys/FIDO2 security keys) for every admin. SMS codes and push prompts can be talked out of a user on a vishing call; a FIDO2 credential bound to the real origin cannot.
  - Rotate API keys and OAuth client secrets tied to Ads/Cloud automations.
  - Review user roles and remove stale agency/partner access.
- Enable alerts & logging:
  - Google Ads: alert on billing profile changes; monitor user invites and role changes.
  - Google Cloud: monitor IAM role grants, new service-account keys, and project-wide policy edits.
- Email security & awareness: brief finance and marketing teams on phishing lures that reference your real Google reps, renewal dates, or ad spend.
(These steps mitigate the highest-likelihood follow-on attacks given CRM data exposure.)
Detection engineering: rules you can deploy today
A) Identity & access anomalies (Google Cloud / Okta)
KQL (Sentinel) example:
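The rule itself is easiest to read as code. What follows is an added example, not the post's own query: a Python stand-in for the Sentinel analytic, run over constructed Google Cloud Audit Log entries. The JSON field names (protoPayload.methodName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas, requestMetadata.callerIp) follow the Cloud Audit Log format; the principals, project, IPs and the change allow-list are assumptions made up for this demo.

```python
"""Added example (not from the original post): flag the IAM changes the post
says to monitor, over constructed Google Cloud Audit Log lines."""
import json

# Roles whose grant outside the change allow-list should page someone.
SENSITIVE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/resourcemanager.projectIamAdmin",
}
# Identities expected to change IAM (assumption: an IaC service account).
CHANGE_ALLOWLIST = {"terraform@example-prod.iam.gserviceaccount.com"}
# Members ending in these suffixes are "ours"; anything else is external.
ORG_SUFFIXES = ("@example.com", ".gserviceaccount.com")
KEY_METHODS = {"google.iam.admin.v1.CreateServiceAccountKey"}
POLICY_METHODS = {"SetIamPolicy"}


def _delta_reasons(delta):
    """Why a single ADD binding is interesting (empty list = benign)."""
    reasons = []
    if delta.get("role") in SENSITIVE_ROLES:
        reasons.append("sensitive_role")
    if not delta.get("member", "").endswith(ORG_SUFFIXES):  # allUsers, gmail.com, ...
        reasons.append("external_member")
    return reasons


def findings(log_lines):
    """Return one finding per suspicious key creation or IAM binding."""
    out = []
    for line in log_lines:
        p = json.loads(line).get("protoPayload", {})
        actor = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
        method = p.get("methodName", "")
        ip = p.get("requestMetadata", {}).get("callerIp", "unknown")
        if actor in CHANGE_ALLOWLIST:
            continue  # expected automation; tune this list, don't widen it
        if method in KEY_METHODS:
            out.append({"rule": "new_sa_key", "actor": actor, "ip": ip,
                        "target": p.get("resourceName")})
        elif method in POLICY_METHODS:
            deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for d in deltas:
                if d.get("action") != "ADD":
                    continue  # removals are not the vishing follow-on we care about
                reasons = _delta_reasons(d)
                if reasons:
                    out.append({"rule": "iam_grant", "actor": actor, "ip": ip,
                                "role": d.get("role"), "member": d.get("member"),
                                "reasons": reasons})
    return out


# Constructed log lines (three events, one benign).
SAMPLE_LOG = [
    # 1. IaC account adds a viewer: allow-listed, ignored.
    json.dumps({"protoPayload": {"methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "terraform@example-prod.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "10.0.0.5"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}}),
    # 2. A human grants Owner to an outside Gmail account from an unfamiliar IP.
    json.dumps({"protoPayload": {"methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"},
            {"action": "ADD", "role": "roles/owner", "member": "user:helpdesk.contractor@gmail.com"}]}}}}),
    # 3. The same human mints a new long-lived service-account key.
    json.dumps({"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
        "resourceName": "projects/-/serviceAccounts/ads-sync@example-prod.iam.gserviceaccount.com"}}),
]

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

The two findings it raises (an Owner grant to an external member, then a fresh service-account key from the same actor and IP) are exactly the pair a post-vishing operator produces when turning a borrowed session into durable access; in Sentinel the same logic is a join on principalEmail over the GCP audit table within a short time window.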
B) Google Ads admin changes
- Alert on new admin invites, billing profile edits, payment method changes, and API token refreshes that occur close in time to suspicious emails or calls.
C) BEC/phishing lures
Correlate inbound email subjects referencing “Google Ads suspension/overdue,” “payment verification,” “account optimization” with new vendor/billing changes within 24–72 hours.
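Items B and C together describe one correlation rule, so here is one added example covering both (it is not code from the original post). It joins lure-style inbound mail against later Google Ads admin/billing changes inside the 72-hour window. Both event feeds are constructed inline and their field names (ts, to, from, subject, actor, change) are this demo's own, not a mail-gateway or Ads API schema.

```python
"""Added example (not from the original post): tie lure e-mails to Ads
admin/billing changes made by the recipient within 72 hours."""
import re
from datetime import datetime, timedelta

# Subject fragments matching the lure themes the post lists.
LURE_RE = re.compile(
    r"suspen(d|sion)|overdue|payment verification|account optimi[sz]ation|billing", re.I)
# Change types worth tying back to a lure (item B).
WATCHED_CHANGES = {"billing_profile_edit", "payment_method_change",
                   "admin_invite", "api_token_refresh"}
WINDOW = timedelta(hours=72)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed inbound mail; "to" is the mailbox that can act in Ads.
EMAILS = [
    {"ts": "2025-08-11 09:05", "to": "finance@example.com",
     "from": "billing@goog1e-ads-support.com",
     "subject": "Google Ads: account suspension - payment verification required"},
    {"ts": "2025-08-11 10:00", "to": "marketing@example.com",
     "from": "ads-noreply@google.com",
     "subject": "Your weekly optimization score"},          # benign, not a lure
    {"ts": "2025-08-01 08:00", "to": "ops@example.com",
     "from": "billing@goog1e-ads-support.com",
     "subject": "Overdue balance on your Google Ads account"},
]
# Constructed Google Ads change history.
CHANGES = [
    {"ts": "2025-08-12 14:20", "actor": "finance@example.com", "change": "payment_method_change"},
    {"ts": "2025-08-12 15:00", "actor": "marketing@example.com", "change": "admin_invite"},
    {"ts": "2025-08-06 09:00", "actor": "ops@example.com", "change": "billing_profile_edit"},  # 5 days later
    {"ts": "2025-08-12 16:00", "actor": "finance@example.com", "change": "campaign_pause"},    # not watched
]


def correlate(emails, changes, window=WINDOW):
    """One alert per watched change that follows a lure to the same person."""
    lures = [e for e in emails if LURE_RE.search(e["subject"])]
    alerts = []
    for c in changes:
        if c["change"] not in WATCHED_CHANGES:
            continue
        for lure in lures:
            gap = _ts(c["ts"]) - _ts(lure["ts"])
            if lure["to"] == c["actor"] and timedelta(0) <= gap <= window:
                alerts.append({"actor": c["actor"], "change": c["change"],
                               "lure_subject": lure["subject"], "lure_from": lure["from"],
                               "hours_after_lure": round(gap.total_seconds() / 3600, 1)})
    return alerts


if __name__ == "__main__":
    for a in correlate(EMAILS, CHANGES):
        print(a)
```

Only the finance mailbox fires: the marketing invite follows a legitimate digest rather than a lure, the ops change is five days out, and the campaign pause is not a watched change. In production the "actor" side should be the Ads change-history export and the window should be a tunable, because the real campaign's calls often land days after the first email.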
Threat intel & hunting tips
- Monitor for look-alike domains spoofing Google reps (e.g., @goog1e-sales[.]com).
- Track callback numbers sent in emails (a common vishing TTP).
- Enrich any sender domains/IPs with CTI; prioritize those tied to ShinyHunters/UNC6040 campaigns. (Source: SecurityWeek)
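The look-alike check in the first tip is worth spelling out, because a plain string compare misses the digit-for-letter swap in the post's own goog1e-sales[.]com sample. The following is an added example, not the post's code: it folds common homoglyphs, then tests the registrable label against a few brand tokens by substring and by edit distance. The brand tokens, the two-entry allow-list and the "label left of the TLD" simplification are this demo's assumptions.

```python
"""Added example (not from the original post): classify a sender domain as
legitimate, look-alike or unknown, accepting defanged input."""

BRAND_TOKENS = ("google", "gmail", "googleads", "googlecloud")
LEGIT_DOMAINS = {"google.com", "gmail.com"}  # assumption: load your real allow-list
# Characters swapped for visually similar letters; applied before lower-casing
# so that capital I -> l is caught.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "I": "l", "3": "e", "5": "s",
                            "7": "t", "|": "l", "$": "s", "@": "a"})


def fold(label):
    """Normalise a DNS label so visually similar spellings collide."""
    return label.translate(HOMOGLYPHS).lower().replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Classic edit distance (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return {'domain', 'verdict', 'reason'} for an e-mail sender domain."""
    raw = domain.replace("[.]", ".").lstrip("@").strip(".")
    d = raw.lower()
    if d in LEGIT_DOMAINS:
        return {"domain": d, "verdict": "legitimate", "reason": "allow-listed"}
    labels = raw.split(".")
    # Simplification: treat the label left of the TLD as the registrable name
    # (a real implementation would use the public suffix list).
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    folded = fold(registrable)
    for brand in BRAND_TOKENS:
        if brand in folded:
            return {"domain": d, "verdict": "lookalike",
                    "reason": f"'{registrable}' folds to a name containing '{brand}'"}
    for part in folded.split("-"):
        for brand in BRAND_TOKENS:
            if len(part) >= 5 and levenshtein(part, brand) <= 1:
                return {"domain": d, "verdict": "lookalike",
                        "reason": f"'{part}' is one edit from '{brand}'"}
    return {"domain": d, "verdict": "unknown", "reason": "no brand resemblance"}


if __name__ == "__main__":
    # Constructed sender domains, including the post's defanged sample.
    for sample in ("@goog1e-sales[.]com", "google.com", "gooogle.com",
                   "g00gIe-ads-support.net", "example.com"):
        print(classify(sample))
```

Treat "lookalike" as a triage signal, not a block decision: Google itself operates many brand-bearing domains that a two-entry allow-list will not know about, so the real allow-list has to come from your own verified correspondence.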
Security posture improvements for Salesforce customers
- SSO + phishing-resistant MFA for Salesforce; IP allow-listing for admin profiles.
- Field-level & report-level DLP: restrict exports of contact lists; watermark and alert on bulk exports.
- Event Monitoring/Shield: alert on mass report runs, API bulk queries, new connected apps, and token grants.
- Least privilege for sales roles; expire old partner/agency accounts automatically.
- Audit integrations (ETL/BI tools) that can read entire objects (Lead/Contact/Opportunity).
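The "mass report runs" and "API bulk queries" alert from the Event Monitoring bullet is, in practice, a per-user volume threshold over a sliding window. Here it is as an added example (not the post's code), run over a constructed Event Monitoring extract. The column names (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID, ROWS_PROCESSED on BulkApi rows, ROW_COUNT on Report rows) follow Salesforce's EventLogFile types as I know them; the rows, user IDs and thresholds are made up for the demo and should be tuned to your org's baseline.

```python
"""Added example (not from the original post): per-user burst detection for
report exports and bulk reads in Salesforce Event Monitoring data."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
MAX_EXPORTS = 5      # ReportExport events per user per window (assumption)
MAX_ROWS = 10_000    # rows read via Report/BulkApi per user per window (assumption)
EXPORT_EVENTS = {"ReportExport", "BulkApi", "Report"}

# Constructed EventLogFile extract.
SAMPLE_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,ROWS_PROCESSED,ROW_COUNT
ReportExport,2025-08-11T09:00:00.000Z,005A,,
ReportExport,2025-08-11T09:01:00.000Z,005A,,
ReportExport,2025-08-11T09:02:00.000Z,005A,,
ReportExport,2025-08-11T09:03:00.000Z,005A,,
ReportExport,2025-08-11T09:04:00.000Z,005A,,
ReportExport,2025-08-11T09:05:00.000Z,005A,,
BulkApi,2025-08-11T11:30:00.000Z,005B,250000,
Report,2025-08-11T12:00:00.000Z,005C,,40
Report,2025-08-11T12:10:00.000Z,005C,,55
ReportExport,2025-08-11T08:00:00.000Z,005D,,
ReportExport,2025-08-11T13:00:00.000Z,005D,,
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def _rows(rec):
    """Row volume of one event; ReportExport rows carry no count."""
    return int(rec["ROWS_PROCESSED"] or rec["ROW_COUNT"] or 0)


def burst_users(csv_text, window=WINDOW):
    """Map USER_ID -> reason for every user exceeding a threshold in any window."""
    per_user = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["EVENT_TYPE"] in EXPORT_EVENTS:
            per_user[rec["USER_ID"]].append((_ts(rec["TIMESTAMP_DERIVED"]), rec))
    flagged = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])
        start = 0
        exports = rows = 0
        for t, rec in events:
            exports += rec["EVENT_TYPE"] == "ReportExport"
            rows += _rows(rec)
            while t - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                exports -= old["EVENT_TYPE"] == "ReportExport"
                rows -= _rows(old)
                start += 1
            if exports > MAX_EXPORTS:
                flagged[user] = f"{exports} report exports within {window}"
                break
            if rows > MAX_ROWS:
                flagged[user] = f"{rows} rows read within {window}"
                break
    return flagged


if __name__ == "__main__":
    for user, why in burst_users(SAMPLE_CSV).items():
        print(user, why)
```

User 005A trips the export-count rule and 005B the row-volume rule; 005C's two small report runs and 005D's two exports five hours apart stay quiet. The rule is deliberately blind to who the user is: a vished employee's own account is the one doing the exporting, so "trusted user" is not a useful exclusion here, and the connected-app or client-ID column is the better pivot for the follow-up hunt.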
What Google has said publicly (key points)
- Confirmation of a breach of a Salesforce database used for business contacts.
- Attribution to ShinyHunters / UNC6040 amid a broader Salesforce-targeted data-theft/extortion wave.
- Short access window; notifications sent to affected customers.
- Data characterized as basic, largely public business information, not consumer Gmail data. (Sources: TechCrunch, BleepingComputer, SecurityWeek, Forbes)
Bottom line
This incident is a classic CRM-data → social-engineering pivot. Even if contents appear “basic,” curated business contact records dramatically increase phish credibility. Harden identity, watch for admin/billing changes in Ads/Cloud, and clamp down Salesforce export paths.