In a recent data breach, Google has officially confirmed that a limited set of data from one of its corporate Salesforce instances was compromised. The breach affects potential Google Ads customers, and the exposed information includes basic business contact information such as business names, phone numbers, and related notes used by sales agents. Google has reassured customers that no payment information was exposed, and there is no impact on data within Google Ads accounts, Merchant Center, Google Analytics, or other Ads products. This event highlights the persistent threat posed by sophisticated cybercriminal groups targeting corporate infrastructure.
The breach was executed by a notorious threat group known as ShinyHunters, who have been behind a series of data theft attacks against Salesforce customers. According to ShinyHunters, the stolen data contains approximately 2.55 million records. While it is unclear whether that number includes duplicates, the scale of the theft is significant. The group also revealed that they are working with another threat actor group, Scattered Spider, which is responsible for gaining initial access to the targeted systems. The groups now refer to themselves as “Sp1d3rHunters,” signifying their collaborative efforts and overlapping membership in these attacks.
The modus operandi of the threat actors involves sophisticated social engineering tactics. They target employees to gain access to their credentials or trick them into linking a malicious version of Salesforce’s Data Loader OAuth app to the company’s Salesforce environment. Once they gain access, they download the entire Salesforce database. Following the data theft, the attackers typically extort the targeted companies via email, demanding a ransom to prevent the public release of the stolen data. This method of operation was previously highlighted by Google Threat Intelligence Group (GTIG) in June, and Google itself fell victim to this very same attack a month later.
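The chain described above leaves two correlatable traces in an org's audit data: a user authorizing an unapproved connected app, followed shortly by a bulk export far larger than normal. The detection below is an added example, not code from the article or from Google; the record format, field names, allow list and thresholds are constructed assumptions, not Salesforce's real log schema.

```python
"""Correlate unapproved OAuth app grants with subsequent bulk exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit records: (timestamp, user, event, detail).
# Not Salesforce's real event schema; adapt the field mapping to your export.
SAMPLE_EVENTS = [
    ("2025-06-10T09:02:00", "alice", "oauth_app_authorized", "Data Loader (approved)"),
    ("2025-06-10T09:05:00", "alice", "bulk_export", "1200"),      # routine sync size
    ("2025-06-11T14:30:00", "bob", "oauth_app_authorized", "Loader Helper (unapproved)"),
    ("2025-06-11T14:41:00", "bob", "bulk_export", "2550000"),     # whole-database pull
    ("2025-06-12T10:00:00", "carol", "bulk_export", "3000000"),   # large, no new grant
]

APPROVED_APPS = {"Data Loader (approved)"}   # assumed org allow list
WINDOW = timedelta(hours=24)                  # grant-to-export correlation window
RECORD_THRESHOLD = 100_000                    # assumed "abnormally large" export


def parse(events):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), user, ev, detail)
                  for ts, user, ev, detail in events)


def find_suspicious_exports(events, approved_apps=APPROVED_APPS,
                            window=WINDOW, threshold=RECORD_THRESHOLD):
    """Return (user, app_or_None, record_count, severity) for each large export.

    severity "high": an unapproved app was authorized by the same user within
    the window before the export (the pattern described in the article).
    severity "review": large export with no such grant; still worth a look.
    """
    grants = defaultdict(list)   # user -> [(time, app name)]
    hits = []
    for ts, user, ev, detail in parse(events):
        if ev == "oauth_app_authorized" and detail not in approved_apps:
            grants[user].append((ts, detail))
        elif ev == "bulk_export":
            records = int(detail)
            if records < threshold:
                continue
            recent = [app for t, app in grants[user] if ts - t <= window]
            if recent:
                hits.append((user, recent[-1], records, "high"))
            else:
                hits.append((user, None, records, "review"))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_exports(SAMPLE_EVENTS):
        print(hit)
```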
In the case of Google, the threat actors reportedly sent an extortion demand, asking for 20 Bitcoins, which is approximately $2.3 million.
However, the motives behind the ransom demand appear to be somewhat complex. One of the threat actors told BleepingComputer that the ransom email was sent “for the lulz of it,” suggesting that the primary motivation might not be financial. This could be a tactic to mislead or simply a display of their capabilities. The ongoing nature of these attacks shows that threat actors like ShinyHunters are constantly evolving their methods and tools to breach corporate systems and steal sensitive data.
In a recent development, the threat actors have upgraded their tools to make their data theft operations more efficient. ShinyHunters stated they have switched to a new, custom tool that simplifies and accelerates the process of stealing data from compromised Salesforce instances. Google has also acknowledged this new tooling, observing that the attackers are now using Python scripts instead of the previously utilized Salesforce Data Loader. This shift indicates a continuous arms race between threat actors and cybersecurity professionals, where attackers are constantly developing new ways to bypass security measures and exploit vulnerabilities in corporate systems.