Google Breached — What We Know, What They’re Saying
‘ShinyHunters’ group hacked big-G and stole a load of customer data from a Salesforce cloud instance.
This week, Google finally admitted it got socially engineered—leading to a breach of CRM data. Yes, you read that right: Google got vished.
Do the scrotes have your info? We don’t know and Google’s not saying.
What’s worse is this happened a couple of months ago. In today’s SB Blogwatch, we wonder why it took Google so long to tell us.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: DEF CON 33 tips.
GOOG CRM PII AWOL
What’s the craic, Zack? Mr. Whittaker reports: Google says hackers stole its customers’ data by breaching its Salesforce
“Trick company employees”
Google … said one of its Salesforce database systems, used to store contact information and related notes for … businesses, was breached by a hacking group popularly known as ShinyHunters, formally designated as UNC6040. … It’s not clear if the company has received any communication, such as a ransom demand. … Google spokesperson Mark Karayan declined to comment.
…
The ShinyHunters group relies on voice phishing techniques to trick company employees into granting them access to their cloud-based Salesforce databases. … This is the latest in a series of breaches targeting Salesforce cloud systems, [including at] Cisco, … airline giant Qantas, [and] retail giant Pandora.
More info please. Lawrence Abrams obliges: Google suffers data breach in ongoing Salesforce data theft attacks
“Ongoing wave of Salesforce CRM data theft attacks”
ShinyHunters has been around for years, responsible for a wide range of breaches, including those at PowerSchool, Oracle Cloud, the Snowflake data-theft attacks, AT&T, NitroPDF, Wattpad, MathWay, … Adidas, Qantas, Allianz Life, … Louis Vuitton, Dior, and Tiffany. … The threat actor claimed yesterday … that they breached a trillion-dollar company, and were considering just leaking the data rather than attempting to extort them. It is unclear if [they meant] Google.
…
Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group. … Google is classifying the threat actors behind these attacks as ‘UNC6040’ or ‘UNC6240.’ However, [we’ve] been tracking these attacks; … ShinyHunters is behind [them].
Horse’s mouth? Anonymous Googlers keep it brief and vague: From Voice Phishing to Data Extortion
“UNC6040”
In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity. [We] performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses.
…
[The] data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details. … We believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site.
…
[We’ve] observed an evolution in UNC6040’s TTPs. … The updated attack chain involves a voice call to enroll a victim, which the threat actor initiates while using Mullvad VPN IPs or TOR. Following this initial engagement, the data collection is automated and through TOR IPs.
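The two-stage chain Google describes above (an interactive enrolment from an anonymising network, then automated collection from Tor addresses) is something a defender can look for in their own Salesforce login and API logs. Below is an added detection sketch, not code from Google or from the post; the event schema, the row threshold and the address ranges standing in for a Tor-exit/VPN feed are constructed placeholders, not Salesforce's real log format.

```python
"""Flag users who authorized access to the CRM from an anonymizing IP and
then pulled a large volume of rows via the API from anonymizing IPs shortly
afterwards.  Everything here is a constructed example: the event tuple layout,
the ANONYMIZER_NETS ranges and the thresholds are placeholders to adapt to a
real Tor/VPN feed and a real login/API log export."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Placeholder ranges (RFC 5737 documentation space) standing in for a Tor-exit/VPN feed.
ANONYMIZER_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed sample events: (timestamp, user, source_ip, event_type, rows_returned)
SAMPLE_EVENTS = [
    ("2025-06-10T09:02:00", "alice", "192.0.2.10", "LOGIN", 0),
    ("2025-06-10T09:05:00", "alice", "192.0.2.10", "API_QUERY", 120),
    ("2025-06-10T14:00:00", "bob", "198.51.100.7", "APP_AUTHORIZED", 0),   # enrolment step
    ("2025-06-10T14:03:00", "bob", "203.0.113.22", "API_QUERY", 50000),   # automated pull
    ("2025-06-10T14:04:00", "bob", "203.0.113.23", "API_QUERY", 50000),
]


def is_anonymizer(ip: str) -> bool:
    """True if the address falls inside one of the anonymizer ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMIZER_NETS)


def find_suspicious_exfil(events, window=timedelta(hours=1), row_threshold=10000):
    """Return {user: rows_pulled} for users whose APP_AUTHORIZED event came
    from an anonymizer and whose API_QUERY rows from anonymizers within
    `window` after it exceed row_threshold."""
    by_user = defaultdict(list)
    for ts, user, ip, kind, rows in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, kind, rows))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for i, (t0, ip0, kind0, _) in enumerate(evs):
            if kind0 != "APP_AUTHORIZED" or not is_anonymizer(ip0):
                continue
            pulled = sum(r for t, ip, k, r in evs[i + 1:]
                         if k == "API_QUERY" and is_anonymizer(ip) and t - t0 <= window)
            if pulled > row_threshold:
                flagged[user] = flagged.get(user, 0) + pulled
    return flagged


if __name__ == "__main__":
    print(find_suspicious_exfil(SAMPLE_EVENTS))  # {'bob': 100000}
```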
“Small” window? “Largely” basic? That don’t impress sunaookami much:
I despise communication like this: “It doesn’t really matter. It was just a very very very small portion of users with uninteresting data!”
…
Is it some kind of legal thing? Does an actual apology open them up for lawsuits or what?
Why are Googlers falling for this scam? Anyone is vulnerable, thinks Jwzbb:
When a good enough social engineer hits you, you will fall for it. This is not your average scam, but a well planned and orchestrated attack. You can bet these people would research you for months and know what drives you and what scares you. You probably spoke with them months ago when they posed as a hiring manager for a job tripling your pay in which you gave tiny details about what would make you jump ship and why.
And what of these “mitigations”? Mr. Barky has more questions than answers:
Google mitigations—as effective as the CIA? Google has become so powerful. I wonder what those mitigations might actually be. I bet that they will figure out who did this. I wonder how ruthless they might be when someone attacks them.
Why is the mighty Google using Salesforce, rather than an internal CRM tool? wferrell has the inside track:
They had an internal CRM. It was buggy, missing key features and engineers didn’t really want to work on it. … I think the real reason was there was no path to promotion for working on this. For better or worse, the incentives were not aligned for great work to happen.
But ChainsawBologna finds it “amazing”:
Salesforce is hot garbage. Amazing a software company that was once high caliber wouldn’t have rolled their own.
Meanwhile, this Anonymous Coward jumps a cognitive leap:
We have contact information for Google employees? Quick! Create all the backlogged support requests that you could never find a support line for! Now’s our chance!
And Finally:
CW: Alcohol use; a few mild swears; OCD-triggering kitchen drawers
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Sascha Bosshard (via Unsplash; leveled and cropped)

