Published 11 days ago • loading... • Updated 10 days ago

Hackers Are Using a Modified Salesforce App to Trick Employees and Extort Companies, Google Says

Hackers tracked as UNC6040 by Google have used modified Salesforce Data Loader apps in voice phishing attacks since early 2025 to steal data from companies in Europe and the Americas.
These attackers impersonate IT support, tricking English-speaking employees into approving malicious OAuth-connected apps via fake Salesforce setup pages to access corporate Salesforce environments.
After gaining access, UNC6040 exfiltrates data from Salesforce and other cloud platforms such as Okta, Microsoft 365, and Workplace, sometimes moving laterally within victim networks.
Approximately 20 organizations across retail, hospitality, and education sectors have been affected, with extortion attempts claiming ShinyHunters affiliation occurring months after initial intrusions, according to Google.
Google and Salesforce recommend restricting API permissions, limiting app installation, and improving security awareness to mitigate risks, noting no inherent platform vulnerabilities caused these incidents.

Insights by Ground AI

Does this summary seem wrong?

28 Articles

All

Left

Center

Right

CyberScoop

Center

Salesforce customers duped by series of social-engineering attacks

A financially motivated threat group posing as IT support has intruded the systems of about 20 organizations by duping employees into installing a malicious, illegitimate version of Salesforce’s Data Loader and granting broader access to cloud-based environments, Google Threat Intelligence Group said in a threat report released Wednesday. The attacks, which Google attributes to UNC6040, have hit organizations in hospitality, retail and education…

11 days ago

Read Full Article

U.S. News

Lean Left

Hackers Abuse Modified Salesforce App to Steal Data, Extort Companies ...

11 days ago·New York, United States

Read Full Article

CNN

Reposted by

KIFI

Lean Left

Hackers are using a modified Salesforce app to trick employees and extort companies, Google says

Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing the hackers to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.

11 days ago·Atlanta, United States

Read Full Article

The Star Kuala Lumpur

+2 Reposted by 2 other sources

Right

Hackers abuse modified Salesforce app to steal data, extort companies, Google says

(Reuters) -Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing the hackers to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.

11 days ago·Malaysia

Read Full Article

Bloomberg

Lean Left

Google Warns Hackers Stealing Salesforce Data From Companies

A hacking group has been impersonating IT personnel to break into companies’ Salesforce tools, using the access for data theft and extortion, according to a new report from Google’s threat intelligence group.

11 days ago·United States

Read Full Article

BleepingComputer

Center

Google: Hackers target Salesforce accounts in data extortion attacks

Google has observed hackers claiming to be the ShinyHunters extortion group conducting social engineering attacks against multi-national companies to steal data from organizations' Salesforce platforms.

11 days ago

Read Full Article

Think freely.Subscribe and get full access to Ground NewsSubscriptions start at $9.99/year