Google Salesforce Breach: A Deep Dive into the Chain and Extent of the Compromise
Essential information
- Published: 03/09/2025 15:30
- Modified: 03/09/2025 20:28
- Tags: 2025-09-03, cloud security, data exfiltration, oauth, saas security, salesforce, social engineering, tor, vishing
- Related entities: 19 observables, 1 intrusion set (APT), 12 techniques (MITRE), 6 others
Description
In June 2025, Google's Salesforce instance was breached by UNC6040 and UNC6240 using vishing (voice phishing), abuse of OAuth-connected applications, and anonymity layers to hide the attackers' origin. The attackers stole business data belonging to small and medium-sized clients. In a parallel attack, UNC6395 compromised Salesloft Drift's Salesforce integration, affecting hundreds of customers. Both incidents relied on sophisticated social engineering, abuse of OAuth tokens, and data exfiltration over Tor. The attacks are linked to the ShinyHunters group and share similarities with other high-profile breaches across various industries. The incidents highlight weaknesses in SaaS environments and the need for stronger controls, including OAuth governance (inventory and approval of connected apps and their token scopes), identity management, and proactive monitoring of connected-app activity.