Google revealed on Tuesday that one of its corporate Salesforce instances was targeted by threat actors. The attack appears to be part of a campaign that has hit several major companies.
The tech giant said its Salesforce instance was targeted in June and attributed the activity to a threat group tracked as UNC6040.
Google said the hackers obtained contact information and related notes for small and medium businesses from the compromised environment.
“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google explained. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”
Google warned in early June that UNC6040, a threat actor specializing in voice phishing, had targeted Salesforce customers in a large-scale data theft and extortion campaign.
Google reported at the time that it had found links to the notorious cybercrime groups Scattered Spider and ShinyHunters. The attack on its own Salesforce instance was disclosed in an update to the blog post describing the UNC6040 attacks, and the company has now reiterated the apparent link to ShinyHunters.
According to the tech giant, UNC6040 is responsible for the initial intrusion, while a different activity cluster, tracked as UNC6240, is responsible for extortion attempts, which sometimes are initiated months after the initial data theft.
“The extortion involves calls or emails to employees of the victim organization demanding payment in bitcoin within 72 hours. During these communications, UNC6240 has consistently claimed to be the threat group ShinyHunters,” Google said.
“In addition, we believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS). These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches,” it added.
Bleeping Computer reported — based on information from ShinyHunters — that the recent data breaches disclosed by Adidas, Allianz Life, Cisco, Dior, Louis Vuitton and others are the result of the same Salesforce hacking campaign.
Jewelry store Pandora also disclosed a data breach this week and the company was reportedly a target of the same campaign.
Salesforce pointed out that its systems have not been compromised and the attacks do not exploit any vulnerability in its platform. The company suggested that the recent attacks are the result of sophisticated phishing and other social engineering attacks targeting its customers.
DataBreaches reported recently that ShinyHunters appears to have merged with Scattered Spider.
Several alleged members of both ShinyHunters and Scattered Spider have been arrested over the past year.
Related: Over 1 Million Impacted by DaVita Data Breach
Related: NASCAR Confirms Personal Information Stolen in Ransomware Attack
