Last week, Google revealed that customer data had been stolen in a successful cyberattack.
While major data breaches are becoming more common, many raised an eyebrow as one of the world’s most powerful tech companies succumbed to the hack.
The attack occurred in June of this year and targeted a Google corporate database run by Salesforce.
A statement released by the Google Threat Intelligence Group (GTIG) confirmed that the database in question was “used to store contact information and related notes for small and medium businesses.”
“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off.
The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”
The attack is believed to have been orchestrated by the ShinyHunters ransomware group, also known as UNC6040, a well-established hacking collective.
Indeed, Cyber Security News is reporting that ShinyHunters has unofficially taken responsibility for the attack, claiming to have stolen approximately 2.55 million customer data records.
While no specific examples of these data records have been made public yet, the group’s typical strategy is to create a data leak site, which is used to target and extort victims with demands for bitcoin ransom payments.
In an update posted on the official GTIG blog on August 8th, the organization announced that it had “completed its email notifications to those affected by this incident.”
How the Attack Happened
When envisaging how the attackers went about infiltrating Google’s databases, you’d be forgiven for picturing some sort of technological wizardry.
However, it was actually voice phishing (vishing), one of the more traditional tools in the hacker arsenal, that was Google’s undoing.
Vishing is tried and tested for a reason. Rather than trying to navigate robust software defenses, the phone scam targets human vulnerabilities.
In this instance, the attackers posed as IT support staff to trick administrators into installing a malicious version of Salesforce Data Loader, disguised under names such as “My Ticket Portal.”
The genuine Data Loader is a trusted desktop tool capable of extracting, updating, or deleting Salesforce data, making it a powerful target.
The fake application mimicked the legitimate tool, reusing OAuth credentials to bypass consent screens and gain access to the organization’s backend.
From there, the attackers could quietly obtain sensitive data.
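The chain described above ends with a look-alike connected app holding OAuth access and pulling records in bulk. The following is an added detection example, not code from the article, Google or Salesforce: it scans a constructed audit feed (the record schema is an assumption; map it to your own Salesforce Event Monitoring or SetupAuditTrail export) and flags connected apps outside an approved list as well as unusually large bulk exports.

```python
"""Added example: flag suspicious Salesforce connected-app activity.

Not code from the article or from Salesforce/Google. The AppEvent schema
and the APPROVED_APPS list are assumptions for illustration.
"""
from dataclasses import dataclass

# Connected apps an administrator has actually approved (assumed allowlist).
APPROVED_APPS = {"Salesforce Data Loader", "Marketing Cloud Connector"}

# Rows a single bulk export may pull before it deserves a second look.
BULK_ROW_THRESHOLD = 10_000


@dataclass
class AppEvent:
    user: str
    app_name: str   # connected-app name shown on the OAuth consent screen
    event: str      # "oauth_authorize" or "bulk_export"
    rows: int = 0   # rows pulled, meaningful for bulk_export events


def suspicious_events(events):
    """Return (reason, event) pairs worth an analyst's attention."""
    findings = []
    for e in events:
        if e.app_name not in APPROVED_APPS:
            # A look-alike app (e.g. "My Ticket Portal") granted OAuth access:
            # the vishing step in the article succeeds exactly here.
            findings.append(("unapproved connected app", e))
        if e.event == "bulk_export" and e.rows >= BULK_ROW_THRESHOLD:
            findings.append(("large bulk export", e))
    return findings


# Constructed sample feed, not real log data.
SAMPLE = [
    AppEvent("admin@example.com", "Salesforce Data Loader", "bulk_export", rows=800),
    AppEvent("admin@example.com", "My Ticket Portal", "oauth_authorize"),
    AppEvent("admin@example.com", "My Ticket Portal", "bulk_export", rows=2_550_000),
]

if __name__ == "__main__":
    for reason, e in suspicious_events(SAMPLE):
        print(f"{reason}: user={e.user} app={e.app_name!r} rows={e.rows}")
```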
Discussing how the breach came about in a LinkedIn post, Anshul Verma, President of Cynoteck Technology Solutions, stressed:
This isn’t a Salesforce vulnerability – it’s a human-centric breach, exploiting trust and familiarity.
How to Stop Such Attacks from Happening to Your Business
Knowing how the attack happened is all well and good, but what really matters is figuring out how to prevent it from happening again.
Verma explains how, although companies like Salesforce have powerful security measures in place, these are of no use unless they are configured correctly.
In an extensive list of how to limit the likelihood of cyberattacks, he outlined the importance of only downloading software, tools, and apps from known sources.
Of course, this is precisely where the Google hack succeeded. Had the customers checked directly with Salesforce, they would have discovered that Data Loader is available within the CRM itself, so there would have been no need to obtain it from a different source.
Verma is just one of many IT and security professionals who have spoken out following the confirmation of the breach.
Speaking in a Forbes article, Dray Agha, Senior Manager of Security Operations at Huntress, explained how any use of third-party vendors comes with risks, commenting:
Businesses must rigorously vet and continuously monitor all vendors with access to their data.
Agha also advocated for enhanced security awareness training and tighter access controls, particularly for cloud platforms managing sensitive customer data.
Although the Google incident wasn’t an especially sophisticated attack, in an AI era, hackers have more advanced weapons than ever before.
The advice above will certainly limit the likelihood of an attack, but it is almost impossible to make a company completely bulletproof.
For most, it is no longer a question of whether an attack will happen, but when.
This is why businesses must also allocate time and resources to a best-in-class, fully tested Incident Response Plan.
After all, if it can happen to Google, it can happen to anyone.