
Google Is the Latest Company Hit by Salesforce Hack as ShinyHunters Escalates To Launching Data Breach Site

Google Threat Intelligence has been at the forefront of tracking and reporting the major hacking campaigns by the ShinyHunters and Scattered Spider groups taking place this year, and it has now disclosed that one of Google’s own corporate Salesforce instances experienced a data breach earlier this summer. The news of its own Salesforce hack is accompanied by a warning that there is now clearer evidence that ShinyHunters and Scattered Spider have formally joined forces, and that ShinyHunters is escalating to launching a data leak site to put added pressure on its victims.

Google adds itself to the list of Salesforce hacks

On August 5, Google Threat Intelligence updated its earlier June 4 post on the current ShinyHunters campaign with a note that an unspecified Google corporate branch experienced its own Salesforce hack sometime in June. It says that the attackers, presumed to be ShinyHunters, did successfully abscond with data but that it was limited to “basic and largely publicly available business (contact) information” for small and medium businesses during a “small window of time.” As of August 8, the researchers indicated that businesses impacted by the data breach were being contacted privately by email.

The story of the Salesforce hacks now dates back several months and begins with attack campaigns attributed to Scattered Spider, the group that ran wild with social engineering breaches in 2023 but was thought to be significantly crippled by arrests in the latter half of 2024. Some data breaches now credited to ShinyHunters were initially attributed to Scattered Spider; it turns out that is because the two groups have been working closely together, and may have in fact merged at some point recently.

The new information lines up with earlier reports, dating back to the beginning of the current Scattered Spider campaign, that the group had responded to its disruptive arrest wave by becoming more “fluid” and incorporating members of other cybercrime groups for temporary campaigns. The relationship between ShinyHunters and Scattered Spider in particular may be more solid and permanent, however. The Salesforce hacks indicate that Scattered Spider leverages its team of native English speakers to conduct phone-based phishing of target company employees, while ShinyHunters steps in after the initial compromise to conduct lateral movement and data exfiltration.

One key difference between the two groups to this point has been that Scattered Spider threatens its victims with public data dumping, while the Salesforce hacks have seen the attackers negotiate entirely in private and threaten to instead sell the stolen data off to private bidders. That may now be changing, however, as Google Threat Intelligence reports ShinyHunters is preparing to launch its own data breach site to publicly apply pressure to victims with the threat of leaks.

Extortion threats may come “months” after data breaches

The Google researchers are also warning that victims of the Salesforce hacks may not be extorted until months after the data breach actually takes place. To date, the ShinyHunters extortion technique has been a phone call to the victim demanding a Bitcoin payment within 72 hours or the stolen data will be put up for sale in underground markets. In the near future this may be changing to a more standard threat to dump the data to the general public via a leak site, should one appear.

ShinyHunters has been targeting a mix of industries with its Salesforce hacks, but has shown at least some predilection for the luxury goods market: jewelers Pandora and Tiffany and fashion brands Dior and Louis Vuitton have all reported data breaches fitting the pattern. But it is also credited with recent attacks on Qantas, Adidas, Cisco and insurer Allianz Life among others. Salesforce has issued statements reassuring clients that its own platform is not compromised, and that the attacks target individual customer instances rather than Salesforce itself. However, the attackers have demonstrated the ability to move laterally into other apps and platforms (such as Microsoft 365) once they establish access to a target’s Salesforce instance.

On August 5 members of ShinyHunters granted an interview to BleepingComputer reporters in which they claimed that they have many more Salesforce hacks under their belts that have not been reported on yet and that they are still actively seeking out new targets. This is in spite of a new wave of arrests that seems to have picked up members of both groups in France and other locations. While Scattered Spider went quiet for much of 2024, ShinyHunters spent the year on a campaign of data breaches of numerous Snowflake cloud data platform accounts, fed by largely outdated but still valid login credentials captured from infostealer logs.

Darren Guccione, CEO and Co-Founder of Keeper Security, notes that cybersecurity teams must anticipate that both groups will continue to be highly active into the near future in spite of any news of disruptions that emerges: “The exposure of OAuth credentials and CRM workflows in this breach should prompt every organisation to reassess how trust is managed across their systems. Identity workflows, third-party integrations and token-based access have become high-risk vectors, often overlooked until it’s too late. This is a critical moment to re-evaluate those dependencies and close off the same attack paths before they’re exploited elsewhere. In today’s threat landscape, privilege is the new perimeter. Securing it requires more than static controls, it demands continuous visibility, least-privilege enforcement and real-time monitoring across every access point. These aren’t just technical measures, they’re strategic imperatives for modern cyber resilience.”

Randolph Barr, CISO at Cequence, provides additional insight into the technical details of the Salesforce hacks: “At a high level, the core security fundamentals continue to be the most common points of failure, particularly around credential hygiene, inconsistent MFA enforcement, and overlooked SaaS integration paths. The recent string of Salesforce CRM compromises illustrates how attackers are exploiting both technical misconfigurations and human factors to gain access and exfiltrate data.”

“There are two primary techniques being leveraged in these attacks. The first involves the use of infostealer malware. In these cases, attackers gain access by harvesting credentials from malware-infected devices. These credentials are then used to access cloud platforms like Salesforce and Snowflake, often through non-UI interfaces such as APIs or service accounts, where MFA enforcement is either weak or nonexistent. This type of compromise relies heavily on poor endpoint hygiene and gaps in identity and access management controls, particularly where organizations have failed to extend MFA to all access vectors, not just the user interface. The second technique, which appears to be the method used in Google’s case, involves vishing (voice phishing) attacks by a group tracked as UNC6040. Instead of using malware, these attackers call employees and use social engineering tactics to trick them into providing login credentials or approving MFA prompts. Once inside Salesforce, the attackers download customer data and then attempt to extort the company by threatening to release it. This method underscores the limitations of technical controls when human behavior becomes the attack surface.

“In Google’s situation, the stolen data was reportedly limited to publicly available information such as business names and contact details. However, the compromise vector remains concerning. It highlights that even when MFA is in place, it can be bypassed through social engineering or fatigue attacks, especially if organizations haven’t implemented additional safeguards like phishing-resistant MFA or step-up authentication. While Salesforce began enforcing MFA for UI logins in 2022, many organizations didn’t extend those protections to service accounts or custom integrations, creating blind spots that attackers are now actively exploiting.

“This ongoing campaign reinforces the need for holistic identity security that includes not just MFA, but consistent enforcement across all access paths and a strong focus on reducing human exploitability,” added Barr.
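The MFA blind spot Barr describes, stolen credentials used against API and service-account paths, and a freshly authorised client pulling data shortly after a phone-based approval, is something a SOC can look for in access logs. The script below is an added example written for this article, not code from Google, Salesforce or Cequence. It runs three rules over a constructed, simplified access export: the records are invented and the field names (user, channel, client, mfa, source_ip, rows_exported) are assumptions standing in for a real login-history or event-monitoring schema.

```python
from datetime import datetime, timedelta

# Constructed sample access events (invented data). Field names are a simplified
# stand-in for a Salesforce login-history / event-monitoring export and are
# assumptions made for this example, not the real schema.
EVENTS = [
    {"user": "alice", "time": "2025-06-10T09:02:00", "channel": "ui",
     "client": "Browser", "mfa": True, "source_ip": "203.0.113.10", "rows_exported": 0},
    {"user": "alice", "time": "2025-06-10T09:05:00", "channel": "api",
     "client": "Data Loader", "mfa": True, "source_ip": "203.0.113.10", "rows_exported": 800},
    {"user": "bob", "time": "2025-06-10T11:40:00", "channel": "api",
     "client": "Nightly Sync", "mfa": False, "source_ip": "198.51.100.7", "rows_exported": 0},
    {"user": "carol", "time": "2025-06-11T14:00:00", "channel": "ui",
     "client": "Browser", "mfa": True, "source_ip": "203.0.113.22", "rows_exported": 0},
    {"user": "carol", "time": "2025-06-11T14:07:00", "channel": "api",
     "client": "Support Helper", "mfa": True, "source_ip": "192.0.2.55", "rows_exported": 250_000},
]

# Clients each user has used before (constructed baseline; in practice this
# would be built from historical logs rather than hard-coded).
KNOWN_CLIENTS = {
    "alice": {"Browser", "Data Loader"},
    "bob": {"Nightly Sync"},
    "carol": {"Browser"},
}

BULK_EXPORT_THRESHOLD = 10_000        # rows; tune to the org's normal export sizes
PIVOT_WINDOW = timedelta(minutes=30)  # UI login -> API pull gap worth correlating


def _ts(event):
    return datetime.fromisoformat(event["time"])


def flag_risky_events(events, known_clients, threshold=BULK_EXPORT_THRESHOLD,
                      window=PIVOT_WINDOW):
    """Return (user, time, reason) tuples for API-channel events that match:

    1. API access completed without MFA (credential-replay path: the UI may
       enforce MFA while integrations and service accounts do not).
    2. Bulk export by a client this user has never used before (a just-approved
       app pulling data is the vishing pattern described above).
    3. API access from a different source IP within `window` of the user's own
       UI login (session or token handed to a second machine).
    """
    events = sorted(events, key=_ts)
    flags = []
    last_ui = {}  # user -> most recent UI login seen so far in time order
    for ev in events:
        user = ev["user"]
        if ev["channel"] == "ui":
            last_ui[user] = ev
            continue
        # Rule 1: non-UI path reached without MFA
        if not ev["mfa"]:
            flags.append((user, ev["time"], "api access without MFA"))
        # Rule 2: large pull by an unfamiliar client
        if ev["rows_exported"] >= threshold and ev["client"] not in known_clients.get(user, set()):
            flags.append((user, ev["time"],
                          f"bulk export ({ev['rows_exported']} rows) by unfamiliar client {ev['client']!r}"))
        # Rule 3: API use from elsewhere right after the user's interactive login
        prior = last_ui.get(user)
        if prior and _ts(ev) - _ts(prior) <= window and ev["source_ip"] != prior["source_ip"]:
            flags.append((user, ev["time"],
                          f"api access from {ev['source_ip']} within {window} of UI login from {prior['source_ip']}"))
    return flags


if __name__ == "__main__":
    for user, when, reason in flag_risky_events(EVENTS, KNOWN_CLIENTS):
        print(f"{when} {user}: {reason}")
```

On the constructed data, alice's Data Loader run is left alone (known client, same IP, small export), bob trips rule 1, and carol trips rules 2 and 3 together, which is the shape of a vishing-driven export: a legitimate interactive login followed minutes later by a never-before-seen client draining records from another address. Rule 1 on its own is the cheapest win: it lists exactly the integrations and service accounts that never had MFA extended to them.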