Google Salesforce Breach: A Deep dive into the chain and extent of the compromise

Sept. 3, 2025, 8:28 p.m.

Description

In June 2025, Google's Salesforce instance was breached by UNC6040 & UNC6240 using vishing, OAuth app abuse, and anonymity layers. The attackers stole business data of small and medium-sized clients. A parallel attack by UNC6395 compromised Salesloft Drift's Salesforce integration, affecting hundreds of customers. Both incidents involved sophisticated social engineering, OAuth token abuse, and data exfiltration via TOR. The attacks are linked to the ShinyHunters group and share similarities with other high-profile breaches targeting various industries. The incidents highlight vulnerabilities in SaaS environments and the need for improved security measures, including OAuth governance, identity management, and proactive monitoring.

External References

https://www.seqrite.com/blog/google-salesforce-breach-unc6040-threat-research/
https://otx.alienvault.com/pulse/68b85f2d5e0366f13974b43e
Tags
social engineering
vishing
cloud security
data exfiltration
tor
oauth
2025-09-03
salesforce
saas security

Date

  • Created: Sept. 3, 2025, 3:30 p.m.
  • Published: Sept. 3, 2025, 3:30 p.m.
  • Modified: Sept. 3, 2025, 8:28 p.m.

Indicators

  • 38.135.24.30
  • 45.90.185.109
  • 37.114.50.27
  • 194.15.36.117
  • 45.90.185.107
  • 45.90.185.118
  • 45.90.185.115
  • 154.41.95.2
  • 176.65.149.100
  • 195.47.238.178
  • 195.47.238.83
  • 192.42.116.20
  • 185.130.47.58
  • 192.42.116.179
  • tutamail.com
  • tuta.com
  • ticket-nike.com
  • ticket-dior.com
  • ticket-audemarspiguet.com
Download all indicators here!

Attack Patterns

  • UNC6040, UNC6240

Additional Informations

  • Retail
  • Hospitality
  • Technology
  • Transportation
  • Finance
  • Telecommunications