Google issued an urgent warning after a **major third-party breach** in Salesforce’s cloud platform exposed billions of Gmail users to cyberattacks. The breach, linked to the threat group **ShinyHunters (UNC6040)**, involved **social engineering (vishing)**—hackers impersonated IT support to steal login credentials, leading to **multiple successful intrusions** by August 2024. Initially dismissed as 'basic business data,' the stolen information is now being weaponized for **extortion and potential data leaks** via a planned **Data Leak Site (DLS)**. Attackers primarily targeted **English-speaking employees of global organizations**, exploiting dangling Cloud Storage buckets to **hijack deleted bucket names, inject malware, or steal customer data**.

Google confirmed its own systems remained secure but warned of escalating risks, including **account takeovers, phishing, and credential stuffing attacks** affecting ~2.5 billion Gmail/Google Cloud users. While no direct financial or large-scale data theft was confirmed, the breach **compromised user trust, heightened phishing risks, and exposed vulnerabilities in third-party integrations**. Google notified affected users (Aug. 8) and urged **2FA adoption, password updates, and vigilance against suspicious links**—though only ~33% of users regularly change passwords, leaving many exposed to follow-up attacks.
Source: https://afrotech.com/google-emergency-warning-gmail-users-salesforce-data-breach
TPRM report: https://www.rankiteo.com/company/googlecloudsecurity
"id": "goo913090225",
"linkid": "googlecloudsecurity",
"type": "Breach",
"date": "8/2024",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'Billions (exact number '
'unspecified)',
'industry': 'Internet Services/Cloud Computing',
'location': 'Global',
'name': 'Google (Gmail/Google Cloud Users)',
'size': '2.5 billion users',
'type': 'Technology Company'},
{'industry': 'Customer Relationship Management (CRM)',
'location': 'Global',
'name': 'Salesforce',
'type': 'Cloud Platform Provider'}],
'attack_vector': ['Vishing (Voice Phishing)',
'Social Engineering (IT Support Impersonation)',
'Stolen Credentials from Third-Party Breach',
'Dangling Cloud Storage Buckets'],
'customer_advisories': ['Email notifications sent on 2024-08-08',
'Public guidance on password hygiene and 2FA'],
'data_breach': {'data_exfiltration': 'Yes (by ShinyHunters/UNC6040)',
'number_of_records_exposed': 'Billions (exact number '
'unspecified)',
'personally_identifiable_information': 'Potential (via '
'credential reuse)',
'sensitivity_of_data': ["Low (initially 'publicly available')",
'High (credentials enable account '
'takeovers)'],
'type_of_data_compromised': ['Business Data',
'Login Credentials',
'Potentially Sensitive Customer '
'Data (via dangling buckets)']},
'date_detected': '2024-06',
'date_publicly_disclosed': '2024-08-08',
'description': 'Google issued an urgent warning to Gmail users after a breach '
'in Salesforce’s cloud platform exposed billions of '
'individuals to potential cyberattacks. Hackers, including the '
"group 'ShinyHunters,' used social engineering (e.g., vishing) "
'to trick users into sharing login credentials. The stolen '
"data, initially deemed 'basic,' is now being weaponized for "
'extortion and escalated attacks. Google’s Threat Intelligence '
'Group (GTIG) detected the campaign in June 2024, with '
'successful intrusions occurring by August. Affected users '
'were notified on August 8. Separately, Google Cloud customers '
"face 'dangling bucket' attacks, where deleted storage buckets "
'are hijacked to inject malware or steal data.',
'impact': {'brand_reputation_impact': 'High (Urgent warning issued to 2.5B '
'users; trust in platform security '
'questioned)',
'data_compromised': ["Business Data (initially 'basic and publicly "
"available')",
'Login Credentials',
'Potential Customer Data (via dangling '
'buckets)'],
'identity_theft_risk': 'High (Stolen credentials enable account '
'takeovers)',
'operational_impact': ['Increased Phishing/Social Engineering '
'Risks',
'Heightened Monitoring Requirements'],
'systems_affected': ['Gmail Accounts',
'Google Cloud Storage Buckets']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (ShinyHunters '
'linked to data leak '
'sites)',
'entry_point': ['Stolen Salesforce Cloud Data',
'Vishing Calls (IT Support '
'Impersonation)'],
'high_value_targets': ['English-speaking employees '
'of global organizations'],
'reconnaissance_period': 'Detected in June 2024; '
'intrusions by August '
'2024'},
'investigation_status': 'Ongoing (Google GTIG monitoring '
'ShinyHunters/UNC6040)',
'lessons_learned': ['Third-party breaches can cascade into attacks on '
'unrelated platforms (e.g., Salesforce → Gmail).',
'Vishing remains highly effective, especially against '
'English-speaking global employees.',
'Dangling cloud storage buckets are an underaddressed '
'attack vector.',
'User vigilance (2FA, password hygiene) is critical even '
'when primary platforms (e.g., Google) are secure.'],
'motivation': ['Data Exfiltration',
'Extortion',
'Financial Gain',
'Escalation via Data Leak Site (DLS)'],
'post_incident_analysis': {'corrective_actions': ['Google enhanced monitoring '
'of ShinyHunters/UNC6040.',
'Public awareness campaign '
'on 2FA and phishing risks.',
'Advisories for '
'organizations to audit '
'cloud storage '
'configurations.'],
'root_causes': ['Over-reliance on third-party '
'security (Salesforce breach '
'enabled Gmail targeting).',
'Effectiveness of vishing against '
'human trust in authority figures '
'(IT support).',
'Lack of user adherence to '
'password hygiene best practices '
'(e.g., reuse, infrequent '
'changes).',
'Unsecured cloud storage practices '
'(dangling buckets).']},
'recommendations': ['Enable two-factor authentication (2FA) for all accounts.',
'Use unique, strong passwords and change them regularly.',
'Avoid clicking unrecognized links or sharing credentials '
'over phone/email.',
'Monitor accounts for suspicious activity (e.g., '
'unauthorized logins).',
'Organizations should audit cloud storage for dangling '
'buckets.',
'Conduct regular security awareness training on '
'vishing/social engineering.'],
'references': [{'source': 'Geek Spin'},
{'date_accessed': '2024-08',
'source': 'Google Cloud Blog Post (GTIG)'},
{'source': 'Fox News'}],
'response': {'communication_strategy': ['Urgent Warning via Media (Geek Spin, '
'Fox News)',
'Direct User Emails',
'Blog Post by Google Cloud'],
'containment_measures': ['User Notifications (Email Alerts)',
'Public Advisory'],
'enhanced_monitoring': 'Yes (Ongoing by GTIG)',
'incident_response_plan_activated': 'Yes (Google Threat '
'Intelligence Group '
'monitoring)'},
'stakeholder_advisories': ['Urgent warning to 2.5B Gmail/Google Cloud users'],
'threat_actor': ['ShinyHunters',
'UNC6040 (associated with Salesforce breaches)'],
'title': 'Major Third-Party Breach Exposes Billions of Gmail Users to '
'Cyberattacks via Salesforce Cloud Platform',
'type': ['Data Breach',
'Social Engineering',
'Credential Stuffing',
'Dangling Bucket Attack'],
'vulnerability_exploited': ['Human Trust in IT Support Impersonation',
'Reused/Weak Passwords',
'Unsecured Deleted Cloud Storage Buckets']}