The Trust that Unraveled
When your fortress is built on human trust, even a whisper can bring it down. In June 2025, threat group ShinyHunters (UNC6040) executed a targeted vishing attack against Google employees by convincing them to install a maliciously modified version of Salesforce’s Data Loader tool. The result? Unauthorized access to Google’s Salesforce instance and exfiltration of small-and-medium-business contact data.
On August 5, 2025, Google confirmed the breach as part of an ongoing campaign targeting Salesforce CRM environments that allegedly also affected companies such as Chanel, Pandora, Adidas, Cartier, Qantas, Air France–KLM, Allianz Life, Cisco, and more. While no financial or credential data was confirmed stolen, the attack’s method and implications are chilling: a crafted phone call can hijack enterprise SaaS with devastating impact.
The Hidden Playbook: How a Vishing Call Compromised Google’s Salesforce CRM
This wasn’t a phishing email. It was a voice call that impersonated internal IT, instructing employees to download a tool they trusted. The weapon? An altered malicious version of Salesforce’s own Data Loader, designed to silently exfiltrate CRM data.
Once the tool ran, attackers siphoned off customer contact information. Although Google swiftly revoked access, the breach spotlighted glaring vulnerabilities: tools designed to help can become crimeware, user trust replaced technical safeguards, and even leading organizations can find themselves outmaneuvered.
Why “Only Contact Info” Undersells the Risk
“Only contact info” may sound benign, but in a SaaS-first world, even seemingly low-value data can catalyze complex attacks.
Salesforce CRM often serves as the central nervous system of enterprise operations by integrating with marketing automation, customer support platforms, identity providers like Okta, and productivity suites such as Microsoft 365. From there, attackers can pivot into connected apps, harvest tokens, and build lateral movement strategies.
In Google’s case, exfiltrating contact data was likely just the beginning. The real risk lies in the access vector itself: a pathway to automate business logic, intercept internal communications, or deploy highly targeted spear-phishing campaigns.
How SaaS Admin Workflows Became the Weak Link
Salesforce admins naturally trust the Data Loader since it’s a legitimate, familiar application used in everyday operations. That made it the perfect vehicle for malicious code.
Combine that with the social engineering sophistication of ShinyHunters: an urgent tone, authoritative instructions, and deep familiarity with internal processes. The attackers weaponized trust, not software flaws.
This breach highlights the need for strict SaaS admin governance. Admin workflows, especially around data export and integration tools, must be verified, segmented, and continuously monitored.
What the Google Salesforce Breach Should Teach Every Security Team
If a single call can pierce a tech behemoth’s defenses, your SaaS posture may be on borrowed time:
- Enforce strict app validation: Block or flag unknown versions of built-in tools or third-party extensions, even those offering legitimate functions
- Harden admin workflows: Separate duties, require approval steps for data exports, and trigger alerts for unusual tool usage
- Elevate security awareness beyond email phishing: Train teams on vishing attacks and how attackers try to impersonate trusted internal functions
- Treat integrations as risk multipliers: Map OAuth flows and CRM connections, enforce least-privilege, and monitor for anomalous token generation or reuse
Valence’s Edge in Protecting Salesforce and Other SaaS Platforms
At Valence, we help you to find and fix SaaS risks before attackers can exploit them. Our platform discovers hidden SaaS apps, identifies misconfigurations, monitors high-risk integrations, and detects abnormal admin behavior.
So if your enterprise relies on SaaS, especially with tightly integrated CRMs, you’re not just protecting data. You’re defending the mechanisms that drive business. Valence helps you secure those systems before a vishing call or malicious integration opens the door.
Call to Action
This breach proves something unsettling: when physical boundaries disappear, human trust is often the weakest link. The Google-Salesforce breach happened over the phone and not through a code exploit. SaaS tools magnify that risk, but with the right controls, they can also prevent it.
Ready to secure Salesforce and every connected SaaS app from vishing and data theft?
Book your personalized SaaS security demo today to learn how to protect Salesforce from vishing and data theft, and to gain complete control over your entire SaaS ecosystem.
.jpg)
