Particle.news

Google Confirms Salesforce CRM Breach Exposing 2.55 Million Prospective Ads Contacts

Google says no payment or core Ads data were exposed as it tracks UNC6040 threats, reinforcing CRM security

Overview

  • Google publicly acknowledged that UNC6040, known as ShinyHunters, infiltrated a corporate Salesforce CRM instance in June and stole approximately 2.55 million records of prospective Ads customer contacts.
  • The exfiltrated data comprised business names, phone numbers and internal sales notes without exposing payment details or core Google Ads product information.
  • After detecting the intrusion, Google’s Threat Intelligence Group severed unauthorized access, conducted an impact analysis and notified affected prospects.
  • Investigators noted that attackers abandoned malicious Data Loader OAuth apps in favor of custom Python scripts to accelerate data extraction.
  • ShinyHunters have rebranded as Sp1d3rHunters in collaboration with Scattered Spider, issued extortion demands and remain under active monitoring by Google security teams.