Photo caption: The Wiz transaction is the largest ever sought by Google or parent Alphabet. Copyright AFP/File Josh Edelson
Google has become the latest victim of the extortion group ShinyHunters' exploitation of Salesforce databases, as the tech giant has disclosed a breach of company data. Google stated that the stolen information is largely publicly available, while ShinyHunters maintains the data is more valuable than Google claims.
Salesforce, a leading cloud-based software company, is a frequent target of cyberattacks, including social engineering scams, phishing attacks, and data breaches.
ShinyHunters is a black-hat criminal hacker group believed to have formed in 2020. ShinyHunters has stolen the information of multiple major corporations, including Adidas, Cisco, Dior, and now Google. To learn more about the issue, we heard from Randolph Barr, CISO at Cequence.
Barr begins his assessment by considering the modalities that can help to establish system flaws: “At a high level, the core security fundamentals continue to be the most common points of failure—particularly around credential hygiene, inconsistent MFA enforcement, and overlooked SaaS integration paths. The recent string of Salesforce CRM compromises illustrates how attackers are exploiting both technical misconfigurations and human factors to gain access and exfiltrate data.”
In terms of what cybercriminals do, Barr identified a twin process, as he explains: “There are two primary techniques being leveraged in these attacks. The first involves the use of infostealer malware. In these cases, attackers gain access by harvesting credentials from malware-infected devices.”
As to what happens next: “These credentials are then used to access cloud platforms like Salesforce and Snowflake, often through non-UI interfaces such as APIs or service accounts, where MFA enforcement is either weak or nonexistent. This type of compromise relies heavily on poor endpoint hygiene and gaps in identity and access management controls—particularly where organizations have failed to extend MFA to all access vectors, not just the user interface.”
With the other process, Barr finds: “The second technique, which appears to be the method used in Google’s case, involves vishing (voice phishing) attacks by a group tracked as UNC6040. Instead of using malware, these attackers call employees and use social engineering tactics to trick them into providing login credentials or approving MFA prompts. Once inside Salesforce, the attackers download customer data and then attempt to extort the company by threatening to release it.”
This leads to the key risk: “This method underscores the limitations of technical controls when human behaviour becomes the attack surface.”
Linking these processes back to Google, Barr identifies: “In Google’s situation, the stolen data was reportedly limited to publicly available information such as business names and contact details. However, the compromise vector remains concerning. It highlights that even when MFA is in place, it can be bypassed through social engineering or fatigue attacks, especially if organizations haven’t implemented additional safeguards like phishing-resistant MFA or step-up authentication.”
Expanding further on the weakness that led to the issue, Barr notes: “While Salesforce began enforcing MFA for UI logins in 2022, many organizations didn’t extend those protections to service accounts or custom integrations—creating blind spots that attackers are now actively exploiting.”
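The check a practitioner would run after reading the two points above (stolen credentials reused through API and service-account paths that lack MFA, and MFA enforced for UI logins but not for integrations) is a sweep of login history for successful logins that carried no second factor, split by whether they arrived through the UI or a non-UI path. The Python below is an added example, not code from the article, from Cequence or from Salesforce. It assumes Salesforce LoginHistory field names (LoginType, AuthMethodReference, Status, Application, UserId, SourceIp), treats AuthMethodReference as a space-separated list of AMR values in which "mfa" marks a second factor, and runs on constructed sample records rather than real login data.

```python
"""Audit Salesforce-style login records for access paths that succeeded
without MFA, calling out non-UI (API / integration) logins in particular.

Assumptions, labelled here because none of this comes from the article:
- field names follow the Salesforce LoginHistory object (LoginType,
  AuthMethodReference, Status, Application, UserId, SourceIp);
- AuthMethodReference is read as a space-separated list of AMR values in
  which "mfa" marks a second factor;
- the sample records below are constructed, not real login history.
"""
from dataclasses import dataclass
from typing import Optional

# LoginType values assumed to arrive through the browser UI. Everything else is
# treated as a non-UI path (REST/SOAP API clients, OAuth connected apps,
# custom integrations), which is the blind spot the article describes.
UI_LOGIN_TYPES = {"Application", "SAML Sfdc Initiated SSO", "SAML Idp Initiated SSO"}


@dataclass(frozen=True)
class Finding:
    user_id: str
    login_type: str
    application: str
    source_ip: str
    path: str  # "UI" or "non-UI"


def has_mfa(amr: Optional[str]) -> bool:
    """True when the AMR list records a second factor (assumed "mfa" token)."""
    return "mfa" in (amr or "").lower().split()


def login_path(login_type: str) -> str:
    """Classify a LoginType as a UI or non-UI access path."""
    return "UI" if login_type in UI_LOGIN_TYPES else "non-UI"


def audit_logins(records):
    """Return a Finding for every successful login that carried no MFA."""
    findings = []
    for rec in records:
        if rec.get("Status") != "Success":
            continue  # failed attempts are a brute-force question, not an MFA gap
        if has_mfa(rec.get("AuthMethodReference")):
            continue
        findings.append(Finding(
            user_id=rec["UserId"],
            login_type=rec["LoginType"],
            application=rec.get("Application", ""),
            source_ip=rec.get("SourceIp", ""),
            path=login_path(rec["LoginType"]),
        ))
    return findings


def count_by_path(findings):
    """Split findings into UI vs non-UI so the integration gap is visible at a glance."""
    counts = {"UI": 0, "non-UI": 0}
    for f in findings:
        counts[f.path] += 1
    return counts


# Constructed sample records: one MFA-protected UI login, one UI login that
# went through on password only, two API-path logins with no second factor,
# and one failed API attempt that the audit must ignore.
SAMPLE_LOGINS = [
    {"UserId": "005A1", "LoginType": "Application", "Application": "Browser",
     "Status": "Success", "SourceIp": "203.0.113.10", "AuthMethodReference": "pwd mfa"},
    {"UserId": "005A2", "LoginType": "Application", "Application": "Browser",
     "Status": "Success", "SourceIp": "203.0.113.11", "AuthMethodReference": "pwd"},
    {"UserId": "005B1", "LoginType": "Remote Access 2.0", "Application": "Data Loader",
     "Status": "Success", "SourceIp": "198.51.100.7", "AuthMethodReference": "pwd"},
    {"UserId": "005B2", "LoginType": "Other Apex API", "Application": "Integration svc",
     "Status": "Success", "SourceIp": "198.51.100.8", "AuthMethodReference": None},
    {"UserId": "005B3", "LoginType": "Remote Access 2.0", "Application": "Data Loader",
     "Status": "Invalid Password", "SourceIp": "198.51.100.9", "AuthMethodReference": None},
]


if __name__ == "__main__":
    results = audit_logins(SAMPLE_LOGINS)
    for f in results:
        print(f"{f.path:6} {f.user_id} {f.login_type!r} via {f.application} from {f.source_ip}")
    print(count_by_path(results))  # {'UI': 1, 'non-UI': 2}
```

In a real deployment the records would come from a query against LoginHistory or the LoginEvent stream rather than the constructed list, and every non-UI finding is a candidate for tightening the connected-app or integration-user policy so that the API path gets the same assurance as the browser. The field semantics above are assumptions; confirm them against the org's own schema before acting on the counts.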
Bridging this toward what needs to be done going forward, Barr says: “This ongoing campaign reinforces the need for holistic identity security that includes not just MFA, but consistent enforcement across all access paths and a strong focus on reducing human exploitability.”