Google hit by Salesforce cyberattack surge

ShinyHunter Extorts Google via Salesforce Breach
Overview
Google recently disclosed a data breach stemming from ShinyHunter’s exploitation of Salesforce. The stolen information consists largely of publicly available details, yet the attack vector remains concerning, demonstrating that even with MFA in place, social engineering can bypass controls.
Attack Mechanics
- Credential Harvesting – attackers gain initial access using login credentials stolen by infostealer malware.
- API & Service Account Exploitation – stolen credentials are used to access Salesforce and Snowflake through non‑UI interfaces where MFA enforcement is weak.
- Vishing (Voice Phishing) – a second technique targeting Google involved employees receiving calls that coaxed them into providing login details or approving MFA prompts.
Implications for Organizations
ShinyHunter’s methods highlight the limitations of technical controls when human behavior becomes the primary attack surface. The breach underscores that service account MFA remains a blind spot and that phishing‑resistant MFA and step‑up authentication are essential safeguards.
Recommendations
- Extend MFA enforcement to all access vectors, not just user interfaces.
- Implement phishing‑resistant MFA and step‑up authentication for service accounts.
- Enforce consistent identity security across all platforms, including custom integrations.
- Reduce human exploitability through staff training and robust security policies.
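
To find where MFA enforcement stops at the user interface, the first recommendation can be checked against authentication logs. The following is an added example, not code from Google, Salesforce or the original article. The event records, field names, account names and the per-service-account source allowlist are all constructed assumptions.

```python
from collections import Counter

# Constructed sample authentication events. Field names are hypothetical and
# are not the log schema of Salesforce, Snowflake or any other product.
EVENTS = [
    {"account": "alice",   "kind": "human",   "channel": "ui",    "mfa": True,  "ip": "198.51.100.10"},
    {"account": "alice",   "kind": "human",   "channel": "api",   "mfa": False, "ip": "203.0.113.77"},
    {"account": "bob",     "kind": "human",   "channel": "ui",    "mfa": True,  "ip": "198.51.100.11"},
    {"account": "svc-etl", "kind": "service", "channel": "api",   "mfa": False, "ip": "192.0.2.5"},
    {"account": "svc-etl", "kind": "service", "channel": "api",   "mfa": False, "ip": "203.0.113.77"},
    {"account": "svc-crm", "kind": "service", "channel": "oauth", "mfa": False, "ip": "192.0.2.9"},
]

# Assumption: each service account has a known set of source addresses.
SERVICE_ALLOWED_IPS = {"svc-etl": {"192.0.2.5"}, "svc-crm": {"192.0.2.9"}}
NON_UI_CHANNELS = {"api", "oauth"}


def mfa_coverage(events):
    """Return {channel: fraction of logins that carried MFA}."""
    total, with_mfa = Counter(), Counter()
    for e in events:
        total[e["channel"]] += 1
        with_mfa[e["channel"]] += e["mfa"]  # True counts as 1
    return {ch: with_mfa[ch] / total[ch] for ch in total}


def find_mfa_gaps(events, allowed_ips):
    """Flag non-UI logins that succeeded without MFA."""
    findings = []
    for e in events:
        if e["channel"] not in NON_UI_CHANNELS or e["mfa"]:
            continue
        if e["kind"] == "human":
            # A human account should never reach a non-UI channel without MFA.
            findings.append((e["account"], e["ip"], "human login without MFA on non-UI channel"))
        elif e["ip"] not in allowed_ips.get(e["account"], set()):
            # Service accounts cannot answer prompts, so check the source instead.
            findings.append((e["account"], e["ip"], "service account used from unexpected source"))
    return findings


if __name__ == "__main__":
    for channel, ratio in sorted(mfa_coverage(EVENTS).items()):
        print(f"{channel:6} MFA coverage: {ratio:.0%}")
    for account, ip, reason in find_mfa_gaps(EVENTS, SERVICE_ALLOWED_IPS):
        print(f"ALERT {account} from {ip}: {reason}")
```

On the constructed data the UI channel shows full MFA coverage while the API and OAuth channels show none, which is the gap the recommendations address.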