Google has confirmed that the threat group ShinyHunters managed to access customer data stored in one of its Salesforce databases, highlighting ongoing vulnerabilities in popular cloud-based software-as-a-service (SaaS) solutions.
The incident is the latest in a series of high-profile breaches targeting companies reliant on platforms such as Salesforce, with similar attacks having previously impacted Cisco, Qantas, and Pandora.
According to Google’s Threat Intelligence team, the attackers notoriously relied on advanced voice phishing – or “vishing” – strategies to deceive employees into granting access credentials. ShinyHunters, which has grown in prominence within the cybersecurity community, reportedly utilised a malicious version of Salesforce’s Data Loader application in this instance to further its aims.
Richard Taylor, Managing Director of marketing technology consultancy Digital Balance, remarked, “Another day, another data breach. This time revealed by Google with Salesforce once again at the centre. The attackers, known as the ShinyHunters group, leveraged a malicious version of Salesforce’s Data Loader application, tricking employees into granting access. This incident follows a pattern where threat actors are not exploiting technical flaws in platforms but are instead using social engineering tactics to compromise systems.”
He added, “This highlights that even with robust security measures, the human element can be the weakest link, leaving sensitive data vulnerable. This pattern suggests a need for stricter security protocols and training around third-party application usage.”
Industry experts have long cautioned that existing security models for SaaS platforms can create a false sense of safety. Perimeter defences and even multi-factor authentication can be sidestepped if users can be convinced to hand over credentials or authorise malicious applications. This reality is leading to calls for more granular monitoring of where sensitive data resides, continuous auditing of data movements, and more aggressive training of staff to identify and resist sophisticated phishing attempts.
As businesses continue to invest in cloud services, the burden falls on both the vendors and their customers to ensure adequate defence measures. Enhanced monitoring tools, tighter controls over third-party integrations, and fostering a culture of scepticism regarding external communications are all recommended as next steps. The rise in such attacks reflects the evolving threat landscape in which traditional security endpoints are no longer the only battleground – increasingly, the user base itself is in the crosshairs.
The breach serves as a reminder that while SaaS platforms can offer significant operational benefits, they are not immune from novel and persistent cyber threats. Ongoing vigilance, education, and robust internal controls remain essential to defend against both technical and social vectors of attack.
