CAUTION: This post is most likely riddled with the prematurely conceived notions of someone who thinks they can fix cybersecurity for the defenders (we have a lot of those, don’t we?), but hear me out and approach this from the point of view of someone who genuinely wants to work with another person (and another person, and another person) to discuss the very essence of cybersecurity, and how it could positively affect our daily lives.
Overview
As you may already know, a lot of companies, multinational and small to medium companies alike, adopt Customer Relationship Management Systems (CRMs) to interact with their end users and ultimately store customer data through these systems. Salesforce is a popularly adopted tool for most of them, so one can infer that a lot of companies use Salesforce, right? Right.
In fact, according to an August 2025 article, Salesforce holds the largest CRM adoption in the market, for the seventh consecutive year, to a tune of 19.8% in the world, ahead of Oracle, SAP, Adobe and Microsoft. With these impressive stats, one would expect that they would be exempt from data thefts and exploits, right? Unfortunately, wrong. As we have seen so far from reading through our colleagues’ blogposts, no one is immune from being hacked.
This post will take a really brief look into a data theft that seems to have been targeted towards the CRM outfit of the company Salesforce and has affected several of their clients. I will also share my thoughts and recommendations based on research.
To avoid boring you, I’ll keep my analysis to Salesforce and data privacy specifically so we don’t end up spending 20 years reading my post alone (looking forward to your comments – hopefully praising me and telling me how I would end up carrying cybersecurity on my back, and how you revere my courage to sift through millions of articles to get here – but I digress).
Super short Anatomy of the Breach – an example from the Google Exploit

The Google breach became the highest-profile example of this method. In June 2025, attackers compromised a corporate Salesforce instance used to manage prospective Google Ads customer information. Attackers exposed approximately 2.55 million records, including business names, phone numbers, and sales follow-up notes. This is data with high value for phishing and fraud campaigns. Google stated that the data was largely public-facing and unrelated to Ads product systems, but the incident showed how attackers can weaponize even ‘non-sensitive’ CRM data once they exfiltrate it. GTIG confirmed the breach was part of the UNC6040/ShinyHunters activity, with custom tools used to accelerate Salesforce data extraction.
The attackers combined three core vectors:
- Voice‑phishing (vishing) – Attackers impersonated IT staff in a convincing phone call, persuading a Google employee to approve a malicious application connected to Salesforce; this was followed by a rapid‑reply extortion scheme demanding Bitcoin payments within 72 hrs.
- OAuth app abuse – they then deployed custom Python scripts that emulated Salesforce’s Data Loader, allowing automated bulk exports.
- Anonymity layers – Mullvad VPN‑initiated calls followed by TOR‑based data exfiltration, which anonymized the actors’ true location (SEQRITE Blog, 2025).
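The second vector above (a freshly approved connected app immediately running Data Loader‑style bulk exports) is what a defender would want to detect. The following is an added example written for this post, not code from Salesforce or from the cited researchers; the event fields, app names and thresholds are constructed assumptions, not Salesforce's real event log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified API audit events. The field names are an assumption
# for this example, not Salesforce's real event log schema.
@dataclass
class ApiEvent:
    ts: datetime
    user: str
    app: str   # connected (OAuth) app the token belongs to
    api: str   # "BULK" marks a bulk export job
    rows: int  # rows returned by the job

# A long-standing tool with modest exports, then a newly approved app pulling
# far more rows in a short burst (the pattern described above). Sample data.
SAMPLE_EVENTS = [
    ApiEvent(datetime(2025, 3, 1, 9, 0), "alice", "Data Loader", "BULK", 8000),
    ApiEvent(datetime(2025, 6, 11, 9, 5), "alice", "Data Loader", "BULK", 7500),
    ApiEvent(datetime(2025, 6, 12, 14, 2), "bob", "Ticket Helper", "BULK", 250000),
    ApiEvent(datetime(2025, 6, 12, 14, 9), "bob", "Ticket Helper", "BULK", 300000),
    ApiEvent(datetime(2025, 6, 12, 14, 30), "bob", "Ticket Helper", "REST", 1),
]

def first_seen(events):
    """Earliest timestamp at which each connected app appears in the log."""
    seen = {}
    for e in events:
        if e.app not in seen or e.ts < seen[e.app]:
            seen[e.app] = e.ts
    return seen

def flag_suspicious_exports(events, new_app_window=timedelta(days=7),
                            row_threshold=100_000):
    """Return (user, app, total_rows) for bulk exports that are both large
    and made through an app first seen within new_app_window of the latest
    event. Either signal alone is noisy; together they match the
    'approve a new app, then bulk-export' chain."""
    seen = first_seen(events)
    latest = max(e.ts for e in events)
    totals = {}
    for e in events:
        if e.api == "BULK":
            totals[(e.user, e.app)] = totals.get((e.user, e.app), 0) + e.rows
    return [(user, app, rows) for (user, app), rows in totals.items()
            if latest - seen[app] <= new_app_window and rows >= row_threshold]
```

The same rule generalises to any SaaS audit log that records which OAuth client made a call and how much data it returned; the thresholds should be set from the org's own export baseline.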
The group behind this exploit has been revealed to be ShinyHunters, a.k.a. UNC6040, a.k.a. UNC6240, UNC6395 or UNC5537 depending on the victim. That said, every victim has one thing in common: data theft via the CRM.
Confirmed Salesforce CRM-related breaches in 2025 so far (Source)
- Google: breach disclosed in August but traced to activity in June. Targeted Salesforce CRM instance used for prospective Google Ads customer data. Impacted records included basic business contact details and related sales notes for SMB customers.
- Salesloft-Drift hack: Attackers stole OAuth tokens through the Drift integration, leading Salesforce to shut down all Salesloft connections. The stolen tokens were then used to pull data directly from Salesforce accounts. Confirmed victims include security companies like Zscaler, Palo Alto Networks, Proofpoint, Tenable, Qualys and Cloudflare.
- Workday: July disclosure of a third-party CRM breach exposing business contact data (names, emails, phone numbers). While Salesforce was not named, the case reflects how attackers target high-value SaaS and identity data to enable further exploits.
- Allianz Life: Similarly, a July breach via a third-party cloud CRM impacted 1.4 million customers. Tied to social engineering tactics seen in the Salesforce campaign.
- LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Adidas: late July disclosures tied to the same Salesforce-focused campaign. (Court filings in the Qantas case referenced Salesforce objects like Accounts/Contacts.)
- Chanel: activity detected July 25, disclosed Aug 4; personal contact data exposed; tied to the same wave of Salesforce data-theft extortion.
- Farmers Insurance: May breach via a third-party database exposed data of 1.1 million customers (names, addresses, driver’s license details, partial SSNs). Linked to the broader vishing campaign.
- Coca-Cola (Middle East): disclosed May; data leak affecting ~1,000 employees in UAE, Oman, and Bahrain. Salesforce file access was reported to be part of the chain.
- Coca-Cola Europacific Partners (CCEP): breach exposed over 23M Salesforce records (accounts, cases, contacts, products) via dashboards.
- UK retailers (M&S, Co-op, Harrods): May ransomware/data theft incidents; similar social-engineering and access-abuse tactics were observed.
- Aviation sector (Hawaiian Airlines, WestJet, KLM, Air France): targeted June–July. While not confirmed as Salesforce compromises, the entry methods (help-desk manipulation, MFA bypass) mirror those used in CRM breaches.
This data theft exploit seems like a very targeted campaign aimed at Salesforce’s clients, who also mostly happen to be large companies that we all know, which begs the question (at least for me): why? Why does a company like Salesforce seem to be an easy target with a product that is very well known and widely adopted for end user data management?
The answer is straightforward: Salesforce is one of the biggest SaaS companies that handles sensitive customer information, and access to these kinds of data creates a beautiful loop of “collecting” on royalties for adversaries. It’s been so bad this year that the FBI has issued a FLASH alert to companies so that they can tighten their systems against these kinds of attacks.
When companies agree on what their security architecture looks like, they surely are not able to consider the level of security that their vendors’ products have. Though they do their due diligence prior to doing business with these vendors, the onus is on both parties to determine the level of acceptable risk that the relationship would bring.
Why is this considered a threat?
Since people make up an organization, they sometimes represent the entry point into a company’s sensitive information or even proprietary products. These days, the lines are beginning to blur between people’s personal and corporate lives, whereas security is important for both.
With social engineering still going strong (and developing a very hard coconut head in the process), people are sadly still the weakest link in security but also the most important component of the very thing that security stands for. For adversaries, there are lots of possibilities for selling people’s data. They could range from using these data to gain information for the purpose of laterally moving through a person’s life, as if elevating privileges in a network, to even causing people to lose their lives in extremely dangerous ways.
At the heart of this exploit is social engineering through voice phishing, and this would not have been possible without people at its helm. I certainly am not placing blame, because these things can happen to anyone including me, but where do we go from here? Security training in companies is being adopted more; however, what happens when people log out for the day? How does the company ensure that its assets don’t bleed through its defenses for an employee who also uses their personal phone for work, for example?
Seeing the alarming number of clients that have been affected by this theft, as well as the need to make sure that data is secure, I wonder if Salesforce has any plans in place to update the features of their CRM product to include the protection of data in some way, to prepare for a contingency like the event of a data theft.

Thoughts on what a warped journey this is, its effect on privacy, and more thoughts from me
Cryptography embodies secrecy and secrecy is the big brother of privacy (at least that’s my own layman way of looking at it). We all have the right to choice when it comes to revealing anything about ourselves. I believe that everyone’s personal data is sensitive, and the utmost care should be applied when handling it. Revealing this data should be at our own discretion and approval, and whoever is protecting them should also do so with the highest priority in mind.
Stealing or accessing a person’s information without permission is absolutely deplorable, and sadly, the way we feel about it is not strong enough to stop it.
So I’m just here wondering if we should edit our defense strategy to include planning for contingencies. If, after we literally build our defenses to be as formidable as Alcatraz, adversaries still gain access to our data and steal them, how do we make sure that the stolen data is totally unusable, and we can picture them letting out a frustrated yell because all their plans turned to ashes? If the tables were turned, that’s how they’d like us to feel, right? Since adversaries are always looking to break our defenses, could we also look into sending them on journeys of no return and endless frustration?
To give a possibly naive and unsolicited opinion, perhaps Salesforce could improve their CRM product with an update that includes the ability to hash or mask customer data as a form of defence-in-depth or privacy preserving cryptography in their clients’ adoption of the product? This new feature would support dynamic data masking specifically. I’m being specific about the ‘dynamic’ part because, while researching materials for this post, I stumbled upon a Salesforce community post where someone asked about Salesforce using static data masking for its CRM, and the response was that they didn’t use it for live production environments since the original data would be affected. For this reason, they only made static data masking possible in a sandbox environment.
The good thing about dynamic data masking is that it does ensure that the raw data is well preserved especially in a live production environment, by only showing masked results to unauthorized users. This may not sound like much, but it could be a good first step into creating a form of defence around storing customer data. Also, since Salesforce already uses dynamic data masking for their Data Cloud product, this update should be considered possible to implement, all things considered.
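To make the static versus dynamic distinction from the two paragraphs above concrete, here is an added example of my own (not Salesforce code): a constructed contact record, role‑based dynamic masking applied at read time, and static masking that rewrites the stored copy. The roles, field list and key are assumptions for illustration.

```python
import hmac
from copy import deepcopy

# Constructed sample CRM contact record, not real customer data.
CONTACT = {"name": "Ada Example", "email": "ada@example.com",
           "phone": "+1-555-0100", "ssn_last4": "1234",
           "notes": "Follow up on renewal quote"}

# Fields each role may see in the clear (an assumption for this example).
CLEAR_FIELDS = {
    "account_owner": {"name", "email", "phone", "ssn_last4", "notes"},
    "support_agent": {"name", "email", "notes"},
    "integration":   {"name"},
}

# Keyed hash: a plain SHA-256 of a phone number or email is cheap to
# brute-force, so a secret key is needed for the token to hide the value.
MASK_KEY = b"example-key-not-for-production"  # constructed, for illustration

def mask_value(field, value):
    """Partial masks keep just enough to recognise a record; other fields get
    a stable keyed-hash token usable as a join key but not reversible."""
    if field == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if field == "phone":
        return "***-***-" + value[-4:]
    if field == "ssn_last4":
        return "****"
    return hmac.new(MASK_KEY, value.encode(), "sha256").hexdigest()[:12]

def dynamic_view(record, role):
    """Dynamic masking: the stored record is untouched and masking is applied
    at read time, so an unauthorised reader (including an integration whose
    token has been stolen) only ever receives the masked form."""
    allowed = CLEAR_FIELDS.get(role, set())
    return {f: v if f in allowed else mask_value(f, v) for f, v in record.items()}

def static_mask(record):
    """Static masking: rewrites the stored copy itself, so the original is no
    longer recoverable from it. That is why it fits sandbox data but not a
    live production org."""
    masked = deepcopy(record)
    for f in masked:
        if f != "name":
            masked[f] = mask_value(f, masked[f])
    return masked
```

The point a defender should take from this is the role lookup in dynamic_view: a bulk export made with an over‑privileged or stolen integration token only yields what that role is allowed to see, which is exactly the scenario the breaches above exploited.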
Even though they may never get to see this post, I’m sending the Salesforce Team lots of great ideas to hopefully put a final end to this Campaign of the UNCs forever!

Recommended Mitigations
- As this is company based, a good recommendation would be for companies to review how they store data, and tighten their data privacy policies both internally and in collaboration with their vendors
- Companies should regularly review accesses/privileges to make sure that the principle of least privilege stays true in terms of Identity and Access
- Any Intrusion Detection approach should be combined with Intrusion Prevention to ensure rapid response to and resolution of potential breaches
- Constant education does help, so security awareness training materials should be updated, revamped and refreshed for employee usage. A welcome addition to this would also be to have this content include maintaining security even outside the workplace
- Learn from other people’s incidents and yours, then use the knowledge to strengthen incident response processes.
Conclusion
No one is immune to privacy and security breaches. Cryptography can be that flavour to help defenses taste better, and I sincerely hope that someday soon, we can truly approach the word “security” with a lot of flair and success.
Thank you for making it this far. Your time is truly invaluable to me, and I wish you the highest of scores!
References:
https://www.cybersecuritydive.com/news/fbi-warns-campaigns-salesforce-instances/760129
https://www.seqrite.com/blog/google-salesforce-breach-unc6040-threat-research
https://cloudprotection.withsecure.com/blog/salesforce-attacks-in-2025
https://heydata.eu/en/magazine/google-salesforce-hack-shinyhunters-risks
I truly enjoyed this article; it was such a fun read. The rate at which companies utilizing Salesforce get breached is concerning and they really need to find a solution, as companies cannot avoid it; companies of all sizes need a CRM to effectively manage customer data, sales and marketing processes, and personalize their customer experiences. Your idea of hashing or masking the customer data sounds like it would be an excellent use of cryptographic methods to try to solve this recurring issue. It seems that Salesforce also offers some encryption services with their Salesforce Shield Platform Encryption, but perhaps it’s not effective?
To finish off: I am praising you and telling you how you would end up carrying cybersecurity on your back, I revere your courage to sift through millions of articles to get here. Thanks for sharing!
Thank you for taking the time to read and for leaving a comment! Handling customer data is definitely considered sensitive, so a long-term solution is needed, and fast. I also wondered why they adopted dynamic data masking only for their Cloud product and not their CRM, which is mainly cloud facing. Constant updates have been shown to be quite fruitful, so hopefully they may consider this for their and their clients’ security strength.