Overview
- Google disclosed that one of its corporate Salesforce instances was breached in June by UNC6040, linked to ShinyHunters, resulting in the theft of basic business names and contact details
- Attackers employed voice phishing calls to trick employees into installing a fraudulent Salesforce Data Loader app that granted temporary access to the database
- After detecting the intrusion, Google’s Threat Intelligence Group performed an impact analysis, contained the breach and began mitigation measures
- A separate cluster, UNC6240, has used the stolen data to demand ransoms in bitcoin and is reportedly preparing a public data leak site to increase pressure on victims
- The broader ShinyHunters campaign has already targeted Adidas, Qantas, Allianz Life, Cisco and luxury brands such as Louis Vuitton and Dior, and more corporate disclosures are expected soon