
Google Salesforce Breach: A Deep dive into the chain and extent of the compromise

· Published 03/09/2025 15:30 · Modified 03/09/2025 20:28


Essential information

Tags
2025-09-03 cloud security data exfiltration oauth saas security salesforce social engineering tor vishing
Related entities
19 observables, 1 intrusion sets (apt), 12 techniques (mitre), 6 others

Description

In June 2025, Google's Salesforce instance was breached by UNC6040 and UNC6240 using vishing (voice phishing), OAuth connected-app abuse, and anonymity layers such as Tor. The attackers stole business data belonging to small and medium-sized clients. A parallel attack by UNC6395 compromised the Salesloft Drift integration, affecting hundreds of customers. Both incidents involved sophisticated social engineering, OAuth token abuse, and data exfiltration via Tor. The attacks are linked to the ShinyHunters group and share similarities with other high-profile breaches across various industries. Neither intrusion depended on a software vulnerability in Salesforce itself; the incidents highlight weaknesses in how SaaS environments are governed and monitored, and the need for improved security measures, including governance of third-party app integrations, identity management, and proactive monitoring.
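As an added illustration of the "proactive monitoring" the description calls for, the following detection logic is an example written for this page, not code from the original entry, from Google, or from any vendor. It runs over constructed Salesforce-style login records and flags the three indicators the tags point at: an OAuth connected app outside an allowlist, a source IP on a Tor exit list, and bulk row extraction within a short window. Field names follow Salesforce's LoginHistory object where they exist (LoginTime, SourceIp, Application, LoginType); the RowsProcessed count per session, the app allowlist, the Tor exit set, the thresholds and the application names are assumptions made for the example.

```python
"""Flag Salesforce-style login/API sessions consistent with OAuth connected-app
abuse and Tor-routed bulk exfiltration. Added example, not code from the page."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Keys mirror Salesforce
# LoginHistory fields (UserId, LoginTime, SourceIp, Application, LoginType);
# RowsProcessed is a hypothetical per-session row count that a real pipeline
# would join in from EventLogFile data. "Sync Helper" is an invented app name.
SAMPLE_EVENTS = [
    {"UserId": "u-1", "LoginTime": "2025-06-10T09:02:11Z", "SourceIp": "203.0.113.7",
     "Application": "Browser", "LoginType": "Application", "RowsProcessed": 120},
    {"UserId": "u-1", "LoginTime": "2025-06-10T09:40:55Z", "SourceIp": "198.51.100.4",
     "Application": "Browser", "LoginType": "Application", "RowsProcessed": 60},
    # A connected app authorised after a phone call, pulling data over Tor.
    {"UserId": "u-1", "LoginTime": "2025-06-10T11:15:03Z", "SourceIp": "185.220.101.5",
     "Application": "Sync Helper", "LoginType": "Remote Access 2.0", "RowsProcessed": 48000},
    {"UserId": "u-1", "LoginTime": "2025-06-10T11:22:47Z", "SourceIp": "185.220.101.5",
     "Application": "Sync Helper", "LoginType": "Remote Access 2.0", "RowsProcessed": 51000},
]

# Assumed inputs: in practice load a Tor exit list and the org's approved
# connected apps from your own sources.
TOR_EXITS = {"185.220.101.5"}
APPROVED_APPS = {"Browser", "Salesforce for Outlook"}
BULK_THRESHOLD = 10_000          # rows per (user, app) inside WINDOW before alerting
WINDOW = timedelta(hours=1)


def _ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def event_indicators(ev, tor_exits=TOR_EXITS, approved=APPROVED_APPS):
    """Per-event indicators: Tor exit source and non-allowlisted OAuth app.

    'Remote Access 2.0' is the LoginType Salesforce records for OAuth 2.0
    connected-app logins; browser logins show 'Application'.
    """
    reasons = []
    if ev["SourceIp"] in tor_exits:
        reasons.append("tor_exit_source")
    if ev["LoginType"] == "Remote Access 2.0" and ev["Application"] not in approved:
        reasons.append("unapproved_oauth_app")
    return reasons


def detect(events, tor_exits=TOR_EXITS, approved=APPROVED_APPS,
           bulk_threshold=BULK_THRESHOLD, window=WINDOW):
    """Return one alert per event that trips any indicator.

    The bulk check is a sliding sum of RowsProcessed per (user, app) over
    `window`, so a single large pull or several medium ones both trigger.
    """
    alerts = []
    history = defaultdict(list)  # (UserId, Application) -> [(time, rows)]
    for ev in sorted(events, key=lambda e: _ts(e["LoginTime"])):
        reasons = event_indicators(ev, tor_exits, approved)
        key = (ev["UserId"], ev["Application"])
        now = _ts(ev["LoginTime"])
        history[key].append((now, ev["RowsProcessed"]))
        # Drop sessions that fell out of the window, then sum what remains.
        history[key] = [(t, r) for t, r in history[key] if now - t <= window]
        total = sum(r for _, r in history[key])
        if total >= bulk_threshold:
            reasons.append(f"bulk_extraction:{total}")
        if reasons:
            alerts.append({"user": ev["UserId"], "app": ev["Application"],
                           "ip": ev["SourceIp"], "time": ev["LoginTime"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both browser sessions pass silently; the two connected-app sessions are flagged on all three counts, and the second one carries the windowed total (99000 rows), which is the number an analyst would want when deciding whether to revoke the app's tokens. The value of combining the indicators is that an approved app on a corporate IP exporting 100k rows still alerts, while an unknown app that has only logged in but not yet pulled data alerts early.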

External references