Massive Cyberattack Hits Salesforce Users — Global Giants Affected

A widespread wave of sophisticated cyberattacks is targeting companies that use Salesforce — and tech giant Google has confirmed it was hit as well.

Major brands affected

International firms including Dior, Allianz, Adidas, Chanel, Pandora, Qantas, Air France and KLM have been targeted. Google has disclosed that one of its Salesforce databases, containing contact information for small and medium-sized businesses, was compromised in June 2025.

A growing threat: UNC6040 and social engineering

Google Threat Intelligence Group (GTIG) has attributed the activity to a threat actor tracked as UNC6040. The attackers rely on advanced social engineering, using phone calls that impersonate IT support — a tactic known as voice phishing or “vishing.” During these calls, targets are tricked into installing a fake version of the Salesforce Data Loader via an app connection, which grants the attackers broad access to Salesforce and other cloud services such as Okta and Microsoft 365.

The infrastructure used by the attackers shows similarities to the loosely organized cybercriminal network referred to as “The Com.”

Data exfiltration and extortion

Google reports that around 20 organizations were impacted and that data was exfiltrated in several instances. In some intrusions, small amounts of data were taken before access was removed; in others, entire database tables were downloaded.

Extortion attempts sometimes begin months after the initial breach. In several cases, extortionists claim to represent well-known groups, increasing pressure and reputational risk for the victims.

Google and Salesforce respond

Google says it quickly analyzed and restricted access to the affected database and determined that only publicly available business information was stolen, such as names and contact details — not sensitive personal or financial data.

Salesforce emphasizes that the attacks exploited targeted manipulation of users rather than vulnerabilities in its platform. The company notes that only a limited number of customers were affected and advises organizations not to install unknown connected apps or enter verification codes without confirming the request.

Security experts’ recommendations — what organizations should do

To resist this kind of attack, experts recommend a combination of user education, technical controls, and continuous monitoring:

Measure | Description
Training and awareness | Educate employees about the risks of vishing and malicious connected apps — especially Salesforce administrators.
Restrict app permissions | Grant “API Enabled” and the ability to add connected apps only to necessary, trusted administrators.
Whitelist and connection controls | Establish approval processes, allowlisting, and monitoring for third-party connected applications.
IP and MFA protections | Implement IP restrictions, block access from commercial VPN services, and enforce multifactor authentication (MFA).
Monitoring and automated response | Use tools like Salesforce Shield to detect unusual downloads, create transaction-based security policies, and review logs for anomalies.
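
The allowlisting and unusual-download monitoring measures above can be combined into one log review, sketched here as an added example that is not from Google, Salesforce or the original article. The event names, field names, app names and thresholds are hypothetical and the sample records are constructed; they are not the Salesforce log schema.

```python
from datetime import datetime, timedelta

# Everything below is hypothetical: the event and field names are NOT the
# Salesforce log schema, and the app names and thresholds are constructed.
APPROVED_APPS = {"Internal ETL"}   # connected apps that passed approval
ROW_THRESHOLD = 50_000             # rows one user/app may export in WINDOW
WINDOW = timedelta(hours=24)       # watch period after an app is authorized

SAMPLE_EVENTS = [  # constructed sample records, deliberately out of order
    {"ts": "2025-06-03T14:45:00", "user": "sales7", "event": "data_export", "app": "Support Sync Tool", "rows": 40_000},
    {"ts": "2025-06-02T09:00:00", "user": "admin1", "event": "app_authorized", "app": "Internal ETL", "rows": 0},
    {"ts": "2025-06-02T10:00:00", "user": "admin1", "event": "data_export", "app": "Internal ETL", "rows": 10_000},
    {"ts": "2025-06-03T14:05:00", "user": "sales7", "event": "app_authorized", "app": "Support Sync Tool", "rows": 0},
    {"ts": "2025-06-03T14:20:00", "user": "sales7", "event": "data_export", "app": "Support Sync Tool", "rows": 30_000},
    {"ts": "2025-06-03T15:00:00", "user": "sales7", "event": "data_export", "app": "Support Sync Tool", "rows": 5_000},
]


def find_alerts(events, approved=APPROVED_APPS, threshold=ROW_THRESHOLD, window=WINDOW):
    """Return (rule, user, app) alerts, in time order, for two checks."""
    alerts, authorized_at, exported, fired = [], {}, {}, set()
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["ts"])):
        ts, key = datetime.fromisoformat(e["ts"]), (e["user"], e["app"])
        if e["event"] == "app_authorized":
            authorized_at[key], exported[key] = ts, 0
            fired.discard(key)
            # Check 1: the app was never approved, so the grant itself is suspect.
            if e["app"] not in approved:
                alerts.append(("unapproved_app_authorized", *key))
        elif e["event"] == "data_export" and key in authorized_at:
            # Check 2: volume pulled through a freshly authorized app. This also
            # covers an app whose name imitates an approved one.
            if ts - authorized_at[key] <= window:
                exported[key] += e["rows"]
                if exported[key] > threshold and key not in fired:
                    fired.add(key)
                    alerts.append(("bulk_export_after_new_app", *key))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Check 2 sums rows per user and app, so several mid-sized exports that together cross the threshold raise one alert rather than passing unnoticed.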