Google suffers data breach of one of its Salesforce CRM instances.

August 10, 2025

Google has suffered a data breach at the hands of the notorious ShinyHunters, which it classified as UNC6040. It is reported by Bleeping Computer in “Google confirms data breach exposed potential Google Ads customers’ info” and “Google suffers data breach in ongoing Salesforce data theft attacks”. What is interesting is that the hackers targeted employees with voice phishing, known as vishing, an attack via social engineering, much like the now infamous Qantas data breach.

The “Google suffers data breach” article provides:

Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group.

In June, Google warned that a threat actor they classify as ‘UNC6040’ is targeting companies’ employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked.

In a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its Salesforce CRM instances was breached and customer data was stolen.

“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations,” reads Google’s update.

“The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off.”

“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

Google is classifying the threat actors behind these attacks as ‘UNC6040’ or ‘UNC6240.’ However, BleepingComputer, which has been tracking these attacks, has learned that a notorious threat actor known as ShinyHunters is behind the attacks.

ShinyHunters has been around for years, responsible for a wide range of breaches, including those at PowerSchool, Oracle Cloud, the Snowflake data-theft attacks, AT&T, NitroPDF, Wattpad, MathWay, and many more.

In a conversation with BleepingComputer yesterday, ShinyHunters claimed to have breached many Salesforce instances, with attacks still ongoing.

The threat actor claimed yesterday to BleepingComputer that they breached a trillion-dollar company, and were considering just leaking the data rather than attempting to extort them. It is unclear if this company is Google.

As for the other companies impacted in these attacks, the threat actor is extorting them through email, demanding they pay a ransom to prevent the data from being publicly leaked.

Once the threat actor has finished privately extorting companies, they plan to publicly leak or sell data on a hacking forum.

BleepingComputer has learned of one company that has already paid 4 Bitcoins, or approximately $400,000, to prevent the leak of their data.

Other companies impacted in these attacks include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

The “Google confirms” article provides:

Google has confirmed that a recently disclosed data breach of one of its Salesforce CRM instances involved the information of potential Google Ads customers.

“We’re writing to let you know about an event that affected a limited set of data in one of Google’s corporate Salesforce instances used to communicate with prospective Ads customers,” reads a data breach notification shared with BleepingComputer.

“Our records indicate basic business contact information and related notes were impacted by this event.”

Google says the exposed information includes business names, phone numbers, and “related notes” for a Google sales agent to contact them again.

The company says that payment information was not exposed and that there is no impact on Ads data in Google Ads Account, Merchant Center, Google Analytics, and other Ads products.

The breach was conducted by threat actors known as ShinyHunters, who have been behind an ongoing wave of data theft attacks targeting Salesforce customers.

While Google has not shared how many individuals were impacted, ShinyHunters says the stolen information contains approximately 2.55 million data records. It is unclear if there are duplicates within these records.

ShinyHunters further told BleepingComputer that they are also working with threat actors associated with “Scattered Spider,” who are responsible for first gaining initial access to targeted systems.

“Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same,” ShinyHunters told BleepingComputer.

“They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”

The threat actors are now referring to themselves as “Sp1d3rHunters,” to illustrate the overlapping group of people who are involved in these attacks.

As part of these attacks, the threat actors conduct social engineering attacks against employees to gain access to credentials or trick them into linking a malicious version of Salesforce’s Data Loader OAuth app to the target’s Salesforce environment.

The threat actors then download the entire Salesforce database and extort the companies via email, threatening to release the stolen data if a ransom is not paid.

These Salesforce attacks were first reported by the Google Threat Intelligence Group (GTIG) in June, with the company suffering the same fate a month later.

Databreaches.net reported that the threat actors have already sent an extortion demand to Google. After publishing the story, ShinyHunters told BleepingComputer that they demanded 20 Bitcoins, or approximately $2.3 million, from Google to not leak the data.

“I don’t care about ransoming Google anyway, I just sent them a bogus email for the lulz of it,” said the threat actor.

ShinyHunters says they have since switched to a new custom tool that makes it easier and quicker to steal data from compromised Salesforce instances.

In an update, Google recently acknowledged the new tooling, stating that they have seen Python scripts used in the attacks instead of the Salesforce Data Loader.
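For defenders, the sequence described in the quoted reporting (an employee is talked into authorizing a look-alike Data Loader connected app, after which the database is downloaded) can be hunted for by correlating the two events. The following is an added example, not code from Google, BleepingComputer or Salesforce; the event schema, app IDs, window and threshold are constructed assumptions and are not Salesforce's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical values: IDs of vetted connected apps, watch window, row threshold.
APPROVED_APP_IDS = {"app-0001"}
WINDOW = timedelta(hours=24)
ROW_THRESHOLD = 100_000

# Constructed events in a simplified, made-up schema (not Salesforce's log format).
# Both apps display the same name; only the app ID tells them apart.
EVENTS = [
    {"ts": "2025-06-03T09:12:00", "type": "oauth_app_authorized", "user": "alice", "app_id": "app-0001", "app_name": "Data Loader"},
    {"ts": "2025-06-03T09:20:00", "type": "api_query", "user": "alice", "app_id": "app-0001", "app_name": "Data Loader", "rows": 1800},
    {"ts": "2025-06-03T14:02:00", "type": "oauth_app_authorized", "user": "bob", "app_id": "app-9999", "app_name": "Data Loader"},
    {"ts": "2025-06-03T14:05:00", "type": "api_query", "user": "bob", "app_id": "app-9999", "app_name": "Data Loader", "rows": 400000},
    {"ts": "2025-06-03T14:09:00", "type": "api_query", "user": "bob", "app_id": "app-9999", "app_name": "Data Loader", "rows": 650000},
    {"ts": "2025-06-05T10:00:00", "type": "api_query", "user": "bob", "app_id": "app-9999", "app_name": "Data Loader", "rows": 900000},
]

def find_suspicious_exports(events, approved=APPROVED_APP_IDS,
                            window=WINDOW, threshold=ROW_THRESHOLD):
    """Alert when an unapproved app reads many rows soon after a user authorizes it."""
    authorized_at = {}        # (user, app_id) -> time of first authorization
    rows = defaultdict(int)   # (user, app_id) -> rows read inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["app_id"])
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "oauth_app_authorized":
            # Match on the app ID, never the display name, which can be copied.
            if e["app_id"] not in approved:
                authorized_at.setdefault(key, ts)
        elif e["type"] == "api_query" and key in authorized_at:
            if ts - authorized_at[key] <= window:
                rows[key] += e["rows"]
    return [
        {"user": user, "app_id": app_id, "rows": total,
         "authorized_at": authorized_at[(user, app_id)].isoformat()}
        for (user, app_id), total in sorted(rows.items())
        if total >= threshold
    ]

if __name__ == "__main__":
    for alert in find_suspicious_exports(EVENTS):
        print(alert)
```
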
