Vishing in the Cloud: How ShinyHunters Cracked Google’s Salesforce CRM

The Latest Breach Proves That Social Engineering Still Rules Cyber-Warfare


Interesting Tech Fact:

Few people know that one of the earliest recorded vishing-style attacks dates back to the late 1980s, long before smartphones and cloud CRMs, when phone phreakers exploited PBX (Private Branch Exchange) systems to trick operators and employees into granting them access codes. Instead of stealing credit cards or bank accounts directly, attackers manipulated trust over the phone to reroute calls, harvest corporate contact lists, and even gain free long-distance service. This early form of vishing shows that while today’s attackers use it to exploit OAuth and cloud services, the core strategy—weaponizing the human voice to bypass technical defenses—has been around for decades, proving that some of the oldest tricks remain the most dangerous in cybersecurity.

Introduction

In the age of advanced persistent threats, nation-state espionage campaigns, and ransomware syndicates running billion-dollar operations, it’s easy to assume that cyber defense comes down to firewalls, intrusion detection systems, and AI-powered threat hunting. Yet time and time again, attackers prove that it’s often easier—and far cheaper—to target the one system that can’t be patched: human trust.

The recent ShinyHunters breach of Google’s Salesforce CRM database in mid-2025 is a striking reminder that cutting-edge platforms and hardened infrastructures can still be compromised with nothing more than a convincing phone call and a well-rehearsed lie. The attackers bypassed sophisticated defenses not by exploiting a zero-day or brute forcing credentials, but through vishing (voice phishing), a decades-old social engineering tactic that’s suddenly enjoying a dangerous renaissance.

This incident doesn’t just underscore the fragility of enterprise trust models; it also raises uncomfortable questions about how corporations manage cloud integrations, employee training, and the illusion of security in an increasingly API-driven world.

The Breach That Rocked the Cloud

In June 2025, Google confirmed that attackers had infiltrated its Salesforce CRM database, a system used to manage business contact data for clients and partners. While Google was quick to emphasize that no core tenant or end-user account data had been exposed, the breach still handed hackers names, emails, and phone numbers of small and medium-sized business clients—data that can be weaponized in precision-targeted phishing campaigns.

The culprit? ShinyHunters, a prolific cyber-criminal group that has been active since at least 2020, infamous for targeting cloud platforms and developer-centric environments. Sometimes tracked as UNC6040, ShinyHunters have made a name by blending credential theft, OAuth exploitation, and now vishing into a unique playbook designed to harvest enterprise data at scale.

What makes this breach particularly fascinating is that it did not exploit Salesforce vulnerabilities directly. Instead, attackers called employees, impersonated IT support staff, and convinced them to authorize fraudulent OAuth applications. With this access in place, the group quietly siphoned business contact data and exfiltrated it, effectively bypassing traditional detection systems.

In other words: Google’s highly fortified defenses weren’t shattered—they were sidestepped.

Anatomy of the Attack: When OAuth Meets Vishing

To understand the depth of this breach, it’s essential to unpack how OAuth abuse pairs so well with social engineering. OAuth is the authorization framework that allows third-party apps to request permissions to access corporate resources. It’s designed for convenience: approve once, and apps can continue interacting with enterprise data without repeatedly requesting credentials.

ShinyHunters leveraged this model with deadly precision. Here’s how it unfolded:

  • Reconnaissance – The group likely mapped Google’s Salesforce usage and identified which employees had the authority to approve OAuth requests.

  • Vishing Call Execution – Attackers called targets, posing as internal IT or Salesforce support, creating urgency around “security updates” or “account issues.”

  • OAuth App Installation – Employees, tricked into believing they were cooperating with IT, granted permissions to fraudulent apps.

  • Silent Persistence – With OAuth tokens in place, the hackers gained continuous access—no passwords required, no MFA challenges triggered.

  • Data Harvesting – Business contacts were exfiltrated in the background, appearing as routine app activity rather than suspicious intrusions.

This hybrid technique—vishing for access, OAuth for persistence—represents a strategic evolution. Unlike traditional phishing emails, which can be flagged, filtered, or sandboxed, a direct phone call disarms victims by creating urgency and bypassing digital filters. Pair that with OAuth’s trust-based model, and attackers gain stealthy, near-invisible footholds.

Why This Breach Hits Harder Than It Looks

At first glance, the stolen data—business contacts—may seem low-grade compared to passwords, financial records, or intellectual property. But in cyber offense, context is everything.

  • Weaponized Phishing Campaigns: With verified names, emails, and phone numbers, attackers can launch hyper-targeted spear-phishing operations against Google’s business clients.

  • Business Email Compromise (BEC): CRM data often includes organizational hierarchies. Knowing who manages what opens the door for invoice fraud and wire transfer scams.

  • Credential Harvesting: Attackers can send realistic “account verification” requests to known clients, dramatically increasing the likelihood of successful credential theft.

  • Cross-Platform Attacks: Business contact data can be fed into broader data-broker networks, enriching profiles used for identity fraud, synthetic identity creation, or even corporate espionage.

The psychological impact is equally critical. If Google—a titan of cybersecurity with entire divisions devoted to advanced defense—can fall to a phone call, what chance do small and medium-sized businesses have?

ShinyHunters: The Masters of Exploiting Trust

ShinyHunters have repeatedly demonstrated an uncanny ability to exploit trust-based systems. Unlike ransomware cartels that brute-force their way into networks and leave noisy trails, ShinyHunters prefer quiet, clever exploits that rely on the weakest link in the chain: people.

  • In past campaigns, they targeted GitHub repositories, stealing source code by compromising developer accounts.

  • They have been linked to data breaches across major platforms, always with an emphasis on social engineering combined with cloud platform weaknesses.

  • Their current pivot toward vishing + OAuth abuse suggests a calculated move: exploit the industry-wide reliance on APIs and third-party integrations.

Their strategy is less about smashing doors down and more about convincing the guard to unlock them.

Strategic Lessons: How Enterprises Must Evolve

This breach highlights a set of hard truths for organizations of all sizes:

  • OAuth Blind Spots Are Real: Too many companies treat OAuth authorizations as a “click and forget” step. Enterprises must monitor app activity and enforce strict controls around who can grant OAuth permissions.

  • Employee Training Isn’t Enough: Vishing succeeds because it manipulates psychology—urgency, authority, fear. Organizations must supplement awareness training with clear protocols (e.g., “IT will never call and ask you to authorize an app over the phone”).

  • CRM Platforms Are Gold Mines: Contact data may not be classified as “sensitive” under most compliance frameworks, but in the wrong hands it becomes a weapon. Enterprises must reclassify CRM data as high-value and protect it accordingly.

  • Zero Trust Must Extend to Humans: True Zero Trust architecture doesn’t just mean verifying devices and endpoints—it must include verifying human interactions, especially when privilege escalations or OAuth authorizations are involved.
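
To make the OAuth monitoring point concrete, here is an added example (not from the original article or from any vendor's tooling) that reviews authorization events against an app allowlist and flags bulk reads by a newly granted, unapproved app. The event field names, app names, allowlist, and thresholds are all assumptions made for this sketch.

```python
from datetime import datetime, timedelta

APPROVED_APPS = {"corp-sso", "marketing-sync"}     # hypothetical allowlist
BROAD_SCOPES = {"full", "api", "refresh_token"}    # scopes treated as high-risk here

# Constructed sample events; field names are illustrative, not a vendor log schema.
EVENTS = [
    {"ts": "2025-06-03T09:12:00", "type": "oauth_grant", "user": "alice",
     "app": "marketing-sync", "scopes": ["api"]},
    {"ts": "2025-06-03T14:40:00", "type": "oauth_grant", "user": "bob",
     "app": "it-support-loader", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-06-03T14:55:00", "type": "api_query", "app": "it-support-loader", "rows": 4000},
    {"ts": "2025-06-03T15:00:00", "type": "api_query", "app": "marketing-sync", "rows": 300},
    {"ts": "2025-06-03T15:10:00", "type": "api_query", "app": "it-support-loader", "rows": 48000},
]

def review_events(events, approved=APPROVED_APPS,
                  window=timedelta(hours=24), row_limit=10_000):
    """Return findings for unapproved OAuth grants and bulk reads that follow them."""
    findings, granted_at, rows_read = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        app = ev["app"]
        if ev["type"] == "oauth_grant" and app not in approved:
            granted_at[app] = ts
            rows_read[app] = 0
            # refresh_token matters: it gives access that outlives the session.
            risky = sorted(BROAD_SCOPES & set(ev["scopes"]))
            findings.append(("unapproved_grant", app, ev["user"], risky))
        elif ev["type"] == "api_query" and app in granted_at:
            if ts - granted_at[app] > window:
                continue  # outside the post-grant watch window
            before = rows_read[app]
            rows_read[app] = before + ev["rows"]
            # Alert once, when the running total first crosses the limit.
            if before <= row_limit < rows_read[app]:
                findings.append(("bulk_read_after_grant", app, rows_read[app]))
    return findings

if __name__ == "__main__":
    for finding in review_events(EVENTS):
        print(finding)
```

The grant finding names the approving user, which gives responders the person to call back through a verified channel.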

Final Thought: The Real Battlefield of Cybersecurity

The ShinyHunters breach of Google’s Salesforce CRM is more than another entry in the long list of cyber incidents—it’s a harbinger of where the battlefield is shifting. For years, defenders have poured resources into patching vulnerabilities, detecting anomalies, and hardening infrastructures. But the human interface layer—a phone call, a request for help, a voice that sounds authoritative—remains painfully underdefended. ShinyHunters didn’t out-code or out-engineer Google; they out-socialized them. And that should terrify every enterprise leader.

The uncomfortable truth is that cybersecurity has become less about firewalls and more about conversations. Attackers understand this, which is why vishing is back in vogue. If a convincing enough voice can persuade employees to open the gates, no amount of cryptography or AI-driven detection will matter.

This breach also calls into question how enterprises prioritize data protection. Too often, organizations downplay the value of “secondary data” like business contacts. But as this case shows, attackers don’t need your crown jewels to launch devastating campaigns—they just need an entry point, a piece of context, a believable hook. CRM data provides all three.

Finally, the attack illustrates the growing gap between perception of security and reality of risk. Google, like many tech giants, invests billions in cybersecurity. Yet all of that infrastructure was rendered irrelevant by a single phone call. The lesson is clear: no defense is impenetrable if the human element is neglected.

As enterprises race to adopt AI, automate workflows, and expand their reliance on cloud platforms, they must also remember this: technology may change, but human manipulation remains the oldest and most effective hack in history. Until organizations address that fact with the same seriousness they apply to patch management and intrusion detection, groups like ShinyHunters will continue to win battles in the shadows of our most fortified systems.

The future of cybersecurity won’t just be written in lines of code—it will be spoken through phone lines, whispered into headsets, and decided in the milliseconds where trust and doubt collide. And in that battlefield, the voice on the other end of the call may be the deadliest weapon of all.
