Salesforce and Google Hit by Sophisticated Voice Phishing Attack

DataBreach.com Team · August 12th 2025, 11:45 am EDT

Google acknowledged in an update that a June intrusion into one of its corporate Salesforce instances briefly exposed sales records largely involving small and midsize businesses pursuing Google Ads. The company said data was retrieved “during a small window of time before the access was cut off,” and that it was “confined to basic and largely publicly available business information, such as business names and contact details,” language that aims to distinguish the episode from more sensitive account compromises.

The operation fits a pattern Google has tracked for months: voice-phishing schemes that coax employees into approving a malicious connected app capable of bulk exports from Salesforce. In its technical note, Google labeled the intrusion part of activity by a financially motivated group it calls UNC6040, and said a related cluster that has claimed the ShinyHunters name has handled subsequent extortion outreach, an escalation the company warned could include a public leak site, if history is any guide, according to the same update.

What was taken, and who was affected, remains only partly described. Google has not disclosed the number of organizations touched, but notifications seen by reporters emphasize basic business contact details and related notes and say there was no impact to product accounts such as Google Ads, Merchant Center or Analytics; those points were reviewed in coverage of the notices.

Soon after, the incident entered the well-worn cycle of pressure and rumor that follows many data thefts. Individuals using the ShinyHunters brand claimed they demanded 20 bitcoin to prevent the release of records, an assertion Google has not corroborated, first reported in on-the-record coverage that attributed the figure to the threat actors themselves.

Security guidance has, accordingly, turned pragmatic. Salesforce’s own advice urges administrators to gatekeep who can authorize connected apps, enforce strong multi-factor authentication, log OAuth scopes, and constrain logins by IP, measures intended to blunt the kind of phone-led social engineering Google described.
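As an added illustration (not code from Salesforce, Google or the original article), the Python below reviews connected-app authorization events against the four controls listed above: who may authorize apps, MFA, OAuth scopes and source IP. The event field names, policy values and sample events are assumptions constructed for the example, not a real Salesforce log format.

```python
import ipaddress

# Hypothetical policy values: approved apps, who may authorize them, trusted ranges.
APPROVED_APPS = {"Internal Data Sync"}
APP_AUTHORIZERS = {"integration.admin@example.com"}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# OAuth scopes treated here as broad (assumption): bulk or long-lived access.
BROAD_SCOPES = {"full", "api", "refresh_token"}

def review_authorization(event):
    """Return the list of policy findings for one connected-app authorization."""
    findings = []
    if event["app"] not in APPROVED_APPS:
        findings.append("app not on allowlist")
    if event["user"] not in APP_AUTHORIZERS:
        findings.append("user not permitted to authorize apps")
    if not event["mfa"]:
        findings.append("session without MFA")
    broad = BROAD_SCOPES & set(event["scopes"])
    if broad:
        findings.append("broad scopes: " + ",".join(sorted(broad)))
    ip = ipaddress.ip_address(event["ip"])
    if not any(ip in net for net in TRUSTED_NETS):
        findings.append("source IP outside trusted ranges")
    return findings

def triage(events):
    """Map event id -> findings, keeping only events with at least one finding."""
    report = {}
    for event in events:
        findings = review_authorization(event)
        if findings:
            report[event["id"]] = findings
    return report

# Constructed sample events (not real log data; field names are illustrative).
SAMPLE_EVENTS = [
    {"id": 1, "user": "integration.admin@example.com", "app": "Internal Data Sync",
     "scopes": ["openid"], "ip": "203.0.113.10", "mfa": True},
    {"id": 2, "user": "sales.rep@example.com", "app": "Unreviewed Export Tool",
     "scopes": ["api", "refresh_token"], "ip": "198.51.100.7", "mfa": True},
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

The second sample event passes MFA yet still collects four findings, which is the situation the guidance targets: a legitimately authenticated employee approving an unreviewed app with export-capable scopes.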

The disclosure moved quickly across social media, where large tech and security audiences amplified the news. One widely shared post on X captured the gist: even companies that study this very scam can be stung by it. That resonance speaks to the uncomfortable lesson of this summer’s campaign: when a convincing voice can authorize an app in minutes, the decisive control may be cultural rather than technical: who is allowed to say “yes,” and under what scrutiny.
