Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends

For Companies, Suppliers and Decision Makers in the IT Industry

Digital strategy and insights for decision-makers in the IT industry


Massive cyberattack against Salesforce users – global giants among victims


A massive wave of sophisticated cyberattacks is targeting companies that use Salesforce – and the tech giant Google has now confirmed that it too has been affected.

Big brands affected

International companies such as Dior, Allianz, Adidas, Chanel, Pandora, Qantas, Air France and KLM have been victims. Now Google has also revealed that one of its Salesforce databases, with contact information for small and medium-sized businesses, was compromised in June 2025.

A growing threat: UNC6040 & social engineering in focus

Google Threat Intelligence Group (GTIG) has identified the hacker group as UNC6040. They use an advanced form of social engineering in which they call employees while pretending to be IT support (voice phishing, or “vishing”). During the call, the employees are tricked into installing a fake version of Salesforce Data Loader via a connected app, giving attackers extensive access to both Salesforce and other cloud services such as Okta and Microsoft 365.

The infrastructure of the attacks shares characteristics with the loosely organized cybercriminal network “The Com”.

Data exfiltration and extortion

Google reports that around 20 organizations have been affected, and in several cases data has been exfiltrated. In some breaches, data was extracted in small amounts before access was cut off; in other cases, entire database tables have been downloaded.

In some cases, the extortion attempts have not begun until several months after the breach, often with actors claiming to represent the notorious group ShinyHunters, which increases the pressure on the victim.

Google and Salesforce respond

Google has rushed to analyze the incident and restrict access to the database, and has found that only publicly available company information was stolen, such as names and contact information, but no sensitive data.

Salesforce emphasizes that the attack did not occur through vulnerabilities in their platform but through targeted manipulation of users. They point out that only a limited number of customers were affected and advise companies against installing unknown connected apps or entering codes without verification.

Security experts' recommendations — what should organizations do?

To resist this form of attack, experts urge a combination of training, technical measures and regular monitoring:

| Measure | Description |
| --- | --- |
| Education and awareness-raising | Educate employees about the risks of vishing and connected apps, especially Salesforce administrators. |
| Limited app permissions | Assign “API Enabled” and permissions to add connected apps only to necessary and trusted administrators. |
| Whitelist and connection control | Implement processes for approval, allowlisting, and monitoring of connected third-party applications. |
| IP and MFA protection | Implement IP restrictions, block access via commercial VPNs (e.g. Mullvad), and require multi-factor authentication (MFA). |
| Monitoring and automatic response | Use Salesforce Shield to detect unusual downloads, create transaction-based security policies, and review logs for anomalies. |
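
The allowlisting, IP restriction and unusual-download measures above can be combined in one log review. The following Python code is an added example, not from the article, Google or Salesforce; the record fields, app names, networks and row threshold are constructed assumptions and do not mirror a real Salesforce log schema.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All names and values below are constructed for illustration; the record
# fields are hypothetical and do not mirror a real Salesforce log schema.
APPROVED_APPS = {"Data Loader (corp-approved)", "Marketing Sync"}
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]  # documentation range
MAX_ROWS_PER_USER_HOUR = 50_000  # assumed baseline for bulk exports

SAMPLE_EVENTS = [
    {"hour": "2025-06-03T09", "user": "alice", "app": "Marketing Sync",
     "ip": "203.0.113.10", "rows": 1_200},
    {"hour": "2025-06-03T14", "user": "bob", "app": "Unknown Export Tool",
     "ip": "198.51.100.7", "rows": 4_000},
    {"hour": "2025-06-03T14", "user": "bob", "app": "Unknown Export Tool",
     "ip": "198.51.100.7", "rows": 90_000},
    {"hour": "2025-06-03T15", "user": "carol", "app": "Data Loader (corp-approved)",
     "ip": "203.0.113.44", "rows": 75_000},
]

def review(events):
    """Return sorted (user, hour, reason) findings for the three checks."""
    findings = set()
    rows = defaultdict(int)
    for e in events:
        key = (e["user"], e["hour"])
        rows[key] += e["rows"]
        # Check 1: API traffic from a connected app that was never approved.
        if e["app"] not in APPROVED_APPS:
            findings.add((*key, "unapproved connected app: " + e["app"]))
        # Check 2: session source outside the organization's trusted ranges.
        addr = ip_address(e["ip"])
        if not any(addr in net for net in TRUSTED_NETWORKS):
            findings.add((*key, "source IP outside trusted networks"))
    # Check 3: export volume per user and hour, summed across requests so
    # that many small pulls are caught as well as one large one.
    for key, total in rows.items():
        if total > MAX_ROWS_PER_USER_HOUR:
            findings.add((*key, f"{total} rows exported in one hour"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The volume check also flags an approved app on a trusted network (carol), which is the case an allowlist alone would miss.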
