Google Falls Victim to Same Salesforce Attack It Exposed to Public

Google confirms breach of corporate CRM instance containing SMB customer data in ongoing ShinyHunters extortion wave.

Google has become the latest high-profile victim in a sophisticated Salesforce data theft campaign orchestrated by the UNC6040 threat group, the same cybercriminal operation the company's own security researchers exposed just months earlier.

In a quiet update to its June threat intelligence report, Google revealed that one of its corporate Salesforce instances was compromised using identical voice phishing (vishing) tactics the company had warned others about. The breach occurred in June 2025, affecting a CRM system storing contact information for small and medium businesses.

"The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details," Google stated, emphasizing the limited scope of exposed information.

The attack follows the established UNC6040 playbook: cybercriminals impersonate IT support staff in convincing phone calls, manipulating employees into authorizing malicious applications disguised as Salesforce's legitimate Data Loader tool. This grants attackers extensive access to query and systematically extract sensitive corporate data.

What makes these campaigns particularly dangerous is their delayed monetization strategy. Extortion attempts often surface months after initial breaches, with attackers claiming affiliation with the notorious ShinyHunters ransomware group to maximize psychological pressure on victims.

The revelation that Google itself fell prey to the same tactics it documented highlights the sophisticated nature of these social engineering attacks. UNC6040 operators demonstrate remarkable skill in manipulating even security-conscious organizations through carefully orchestrated telephone-based deception.

Google's experience underscores that no organization is immune to advanced social engineering, regardless of technical security measures. The incident reinforces the critical importance of employee training in recognizing vishing attempts and implementing strict verification procedures for IT support requests.

Organizations using Salesforce should immediately review their connected applications, enable multi-factor authentication, implement IP restrictions, and establish clear protocols for verifying IT support communications through independent channels rather than callback numbers provided by potential attackers.
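The connected-app review recommended above can be partly automated. The following is an added example, not code from Google or Salesforce: it checks a constructed export of connected-app authorizations for apps missing from an approved list, names that imitate Data Loader, and authorizations from outside trusted networks. The column names, app IDs, allowlist and IP ranges are all assumptions made for illustration.

```python
import csv
import difflib
import io
import ipaddress

# Constructed sample: a hypothetical export of connected-app authorizations.
# Column names are assumptions for this example, not a Salesforce schema.
SAMPLE_EXPORT = """\
app_name,app_id,user,source_ip
Data Loader,APP-APPROVED-001,alice@example.com,203.0.113.10
Ticket Portal,APP-UNKNOWN-777,bob@example.com,198.51.100.23
Dataloader,APP-UNKNOWN-778,carol@example.com,203.0.113.44
Calendar Sync,APP-APPROVED-002,dave@example.com,198.51.100.99
"""

APPROVED_APP_IDS = {"APP-APPROVED-001", "APP-APPROVED-002"}  # hypothetical allowlist
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical office range
WATCHED_NAME = "Data Loader"  # the tool name the article says is imitated

def normalize(name):
    """Lowercase and drop spacing/punctuation so 'Data-Loader' == 'dataloader'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def resembles_watched(name, threshold=0.8):
    """True when the app name is a close match for the watched tool name."""
    ratio = difflib.SequenceMatcher(
        None, normalize(name), normalize(WATCHED_NAME)).ratio()
    return ratio >= threshold

def review(export_text):
    """Return (app_name, user, reasons) for every row that needs a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        if row["app_id"] not in APPROVED_APP_IDS:
            reasons.append("app not on approved list")
            # An unapproved app borrowing a trusted tool's name is the
            # disguise described in the article.
            if resembles_watched(row["app_name"]):
                reasons.append("name resembles Data Loader")
        ip = ipaddress.ip_address(row["source_ip"])
        if not any(ip in net for net in TRUSTED_NETWORKS):
            reasons.append("authorized from outside trusted networks")
        if reasons:
            findings.append((row["app_name"], row["user"], reasons))
    return findings

if __name__ == "__main__":
    for app, user, reasons in review(SAMPLE_EXPORT):
        print(f"{app} ({user}): {'; '.join(reasons)}")
```

Matching on the app identifier rather than the display name is the point of the check: a display name can be chosen freely by whoever registers the app.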
