Google confirms data breach after Salesforce database hack exposes customer data

Google has confirmed that a recent breach involved one of its Salesforce systems, which holds contact data for small and medium-sized businesses. The attack was executed by a cybercriminal group identified as UNC6040, which employs voice phishing, or 'vishing', to manipulate employees into granting access to sensitive resources. Using social engineering tactics, the attackers impersonated IT support staff during phone calls, persuading employees to authorize the installation of malicious software tied to their Salesforce environment. This breach enabled the hackers to gain access to and extract basic business contact information, most of which Google claims was already available publicly, before the situation was identified and contained.

UNC6040 is particularly notorious for targeting Salesforce platforms, leveraging legitimate applications like the 'Data Loader' for bulk data management. However, their strategy involves creating counterfeit versions of these tools with deceptive names, such as 'My Ticket Portal,' to evade detection during their phishing attempts. Recently, the group has transitioned from using official tools to employing custom Python scripts for data theft, complicating efforts to trace their actions. Additionally, they reportedly utilize VPNs and the TOR network to obscure their identities and locations.

Another associated group, UNC6240, has been linked to extortion efforts following these data thefts, reaching out to company personnel via email or phone with demands for bitcoin payments within 72 hours. These communications often claim to be from the hacking group 'ShinyHunters,' which is well-known in the cybercrime sector. Google's threat intelligence unit has expressed concern that the extortion group is likely to launch a website to publicly disclose the stolen data, a tactic commonly used by cybercriminals to exert pressure.

The fundamental issue highlighted by this incident is that these attacks do not exploit vulnerabilities in Salesforce itself but rather capitalize on human error, tricking employees into granting access through seemingly normal IT support interactions. In light of these events, companies are being advised to enhance their access controls, restrict permissions to sensitive tools, limit application installations, and provide training for staff to better recognize social engineering scams.

Sources: Mint

Published On: Aug 07, 2025, 13:50
