Figure: Data Loader attack flow
A recent surge of persistent attacks targeting Salesforce CRM systems has emerged, driven not by vulnerabilities in the CRM platform itself but by social engineering tactics used to phish targeted organizations.
Among the latest victims are Allianz Life of North America, a subsidiary of the Allianz Group, and the French luxury brand Chanel. In these incidents, attackers successfully phished employee credentials, allowing them to exfiltrate sensitive databases and subsequently attempt extortion.
Google has now also issued a statement confirming that it fell victim to a similar attack. According to the company, the breach occurred in June 2025, and the threat actor—classified by Google as UNC6040—employed spear-phishing and social engineering techniques to obtain a critical credential from one of its employees.
Using the stolen credential, the attackers gained access to Google’s Salesforce CRM instance and managed to download parts of the database. Fortunately, Google detected the intrusion promptly, limiting the extent of the breach. The stolen data primarily consisted of publicly available information, such as company names and contact details.
As a result, the impact on Google was minimal—likely explaining why the company did not disclose the incident when it occurred in June. However, with the revelation of additional corporate victims, Google has now chosen to acknowledge the breach.
It is worth noting that UNC6040 is suspected to be linked to the notorious ransomware group ShinyHunters. This group is known for leveraging social engineering to obtain credentials, steal databases, and extort companies by threatening to publish the stolen data.
Should a targeted organization refuse to pay, the group has been known to release the databases publicly. Reports suggest that at least one victim has paid a ransom of four Bitcoin (approximately $400,000 at the time of payment) to prevent data exposure.
In response to the growing wave of attacks, Salesforce has issued a series of security guidelines aimed at enhancing protection. However, these measures have had limited effect. The core issue lies not with the platform, but with the end users—many of whom lack technical backgrounds and possess weak cybersecurity awareness. Ultimately, improving security may require targeted training and awareness programs delivered by internal IT teams.