Google confirms hack by ShinyHunters Group: Here’s what you need to know

# Tech Desk
Representational image | Photo: AI-generated image
Representational image | Photo: AI-generated image

Google has confirmed that hackers accessed business user data stored in one of its corporate databases, following a cyberattack attributed to the ShinyHunters ransomware group (UNC6040). The breach targeted a Salesforce system used by the tech giant to keep contact details for small and medium-sized enterprises.

According to a blog post published by Google’s Threat Intelligence team on 5 August, the intrusion occurred in June. The affected database contained company names, contact information, and associated notes.

“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” the post by Google read.

While no highly sensitive personal information was exposed, the attackers were able to retrieve the business data during the short period when the system’s defences were compromised.

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” the post added.

Google said that “the actor has claimed affiliation with the well-known hacking group ShinyHunters.” Their tactics include calling or sending emails to employees of the victim organization demanding payment in bitcoin within 72 hours.

Google stated it acted quickly to investigate the breach, assess its impact, and secure the compromised system.

“Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses,” the post read.

Googel further added that, “In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS). These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches”. 

The company also shared intelligence on UNC6040 with the wider security community. However, it has not confirmed whether the attackers issued a ransom demand.