Salesforce App Hijacked by Hackers: Google Reveals Data Exfiltration Exploit
by: Henry Martin
Blog post content copied from Salesforce News | Salesforce Ben



### Summary of the Content

Hackers have successfully stolen data from various companies by deceiving employees into installing a fake version of a Salesforce app called the Data Loader. Discovered by Google's Threat Intelligence Group (GTIG), this attack involved a group known as UNC6040, which used voice phishing (or vishing) tactics to manipulate employees into downloading the malicious app. Here's how the attack unfolded:

1. **Deceptive Tactics**: Hackers contacted employees at multinational companies using Salesforce, tricking them into installing a fraudulent version of the Data Loader app.
2. **Data Access**: Once the app was installed, hackers gained significant access to sensitive company data, allowing them to extract information directly from Salesforce accounts.
3. **Extent of Breach**: The attackers used various methods to exfiltrate data, sometimes taking it in small chunks to avoid detection. After breaching Salesforce, they extended their attacks to other cloud services like Okta and Microsoft 365.
4. **Delayed Extortion**: There have been reports of extortion attempts occurring months after the initial hack, with hackers potentially selling stolen data to other cybercriminals for further exploitation.
5. **Security Concerns**: The incident raises serious concerns about the cybersecurity training provided to Salesforce administrators, who are crucial in managing access to sensitive data.

Salesforce officials stated that the breach was not due to any vulnerabilities in their platform but was a result of targeted social engineering attacks. The incident serves as a reminder for organizations to strengthen their cybersecurity awareness and training, especially for employees with access to critical systems.

### Additional Context

This incident highlights the growing sophistication of cyberattacks, particularly those that rely on manipulating human behavior rather than exploiting technical weaknesses. Organizations must prioritize cybersecurity training to equip their employees with the knowledge to recognize and respond to potential threats.


Hackers have stolen large amounts of data by tricking employees at companies into installing a modified version of a Salesforce-related app, reports say.

Google’s Threat Intelligence Group (GTIG) discovered the hackers yesterday, claiming that a fake Salesforce Data Loader app tricked many across Europe and the Americas into exporting their company data to the group, according to Reuters.

How Did This Happen?

In what’s been described as an active campaign, the group of hackers, which Google has named UNC6040, voice phished (vished) English-speaking branches of multinational corporations that use Salesforce: over phone calls, they persuaded employees to install this deceptive app, which then gave the group access to company data.

Google stressed that, in all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.

The hackers tricked victims into opening the connected apps setup page and entering a code, linking a malicious, attacker-controlled replica of the Data Loader app – a tool used for importing, exporting, and bulk managing Salesforce data – to their Salesforce environment, Reuters reported. 

Once downloaded by employees, this rogue app granted hackers extensive access, enabling them to query and exfiltrate sensitive data directly from compromised Salesforce customer accounts.

A researcher from GTIG told CSO: “In one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation. In another case, numerous test queries were made with small chunk sizes initially. Once sufficient information was gathered, the actor rapidly increased the exfiltration volume to extract entire tables.”
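As an added illustration (not from the article or from Google's report), the routine below runs over a few constructed Salesforce-style API event rows and flags two signals described above: a connected-app client name that is not on an approved list, and the probe-then-ramp pattern where many small pulls are followed by a sudden bulk extraction. The column names, the allow-list and the sample rows are assumptions for this example, not an exact vendor schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows loosely modelled on Salesforce EventLogFile "API" events.
# Column names are an assumption for this example, not an exact vendor schema.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-06-01T09:00:00Z,005A,Salesforce Data Loader,Account,200
2025-06-01T09:05:00Z,005A,Salesforce Data Loader,Contact,500
2025-06-02T14:00:00Z,005B,My Ticket Loader,Account,5
2025-06-02T14:01:00Z,005B,My Ticket Loader,Contact,5
2025-06-02T14:02:00Z,005B,My Ticket Loader,Contact,5
2025-06-02T14:10:00Z,005B,My Ticket Loader,Contact,20000
"""

# Assumed allow-list of approved connected apps. Note that the client name is
# attacker-controlled (a rogue app can copy a legitimate name), so a match here
# is a weak signal; the volume pattern below is checked for every client.
KNOWN_CLIENTS = {"Salesforce Data Loader"}
RAMP_FACTOR = 10  # flag a call that pulls >= 10x the largest earlier call


def parse_events(text):
    """Parse CSV event rows into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious(events, known=KNOWN_CLIENTS, ramp=RAMP_FACTOR):
    """Return alerts for unknown clients and for probe-then-ramp extraction."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["CLIENT_NAME"]].append(
            (e["TIMESTAMP_DERIVED"], int(e["ROWS_PROCESSED"])))
    alerts = []
    for client, calls in by_client.items():
        if client not in known:
            alerts.append(("unknown_client", client))
        calls.sort()  # chronological order
        rows = [r for _, r in calls]
        for i in range(1, len(rows)):
            prior_max = max(rows[:i])
            if prior_max > 0 and rows[i] >= ramp * prior_max:
                alerts.append(("ramp_up", client, prior_max, rows[i]))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG)):
        print(alert)
```

In practice the baseline per client would come from historical volume rather than the handful of rows shown here, and an alert should trigger review and token revocation for that connected app.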

After successfully breaching Salesforce, UNC6040 moved on to different cloud companies such as Okta, Microsoft 365, and Workplace, reports say. 

Researchers also noted that extortion attempts sometimes emerged months after the initial intrusion, with attackers claiming connections to the notorious ShinyHunters group, likely to amplify pressure. The delayed extortion hints that UNC6040 may be transferring or selling stolen data to other cybercriminals who then exploit it for extortion, resale, or additional attacks.

According to GTIG findings, UNC6040 could be part of a broader criminal ecosystem where multiple groups coordinate different stages of cyberattacks. This conclusion arises from observed similarities in tactics, techniques, and procedures between UNC6040 and threat actors associated with a loosely affiliated collective called “The Com,” which also includes Scattered Spider.

A GTIG spokesperson said that companies have been impacted by the UNC6040 campaign, with a subset of them having their data already successfully exfiltrated. 

A Salesforce spokesperson spoke on the campaign, saying: “There’s no indication the issue described stems from any vulnerability inherent in our platform. [These] are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.” They also mentioned that this was not a “widespread issue”.

Salesforce Admins Targeted

Adding a new connected app requires elevated permissions that are typically assigned to a Salesforce administrator. The fact that multiple high-profile companies fell victim to such a social engineering attack raises serious questions as to the support and training that is being given to critical employees with the keys to Salesforce environments.

On the back of this, every CIO in the Salesforce install base should be considering investment in security training for their Salesforce team, and Salesforce administrators themselves should be asking themselves if they might be next. 

It doesn’t take much to imagine how Salesforce admins, proud of their accomplishments, advertising their skills on LinkedIn, could have been collected and systematically targeted as part of this exploit.

Final Thoughts

While this may not be Salesforce’s fault, it’s a stark reminder to remain diligent around what modern-day hacking looks like and the approaches these teams are taking to access company information.

For more information, check out Salesforce’s article on protecting your Salesforce environment from engineering hacks.

Have you been affected by the hack? Email us at [email protected]

The post Salesforce App Hijacked by Hackers: Google Reveals Data Exfiltration Exploit appeared first on Salesforce Ben.


June 05, 2025 at 07:38PM