UNC6040 Breaches SaaS Apps at Google and Other Major Companies
An ongoing SaaS-based cyberattack campaign by UNC6040 (aka ShinyHunters) has impacted major companies including Google, Cisco, Chanel, and Air France. Learn how attackers are exploiting SaaS integrations, and why this evolving threat highlights a critical blind spot in traditional security defenses.
Note: This campaign is still ongoing, with new breaches surfacing daily.
What Happened: Google, Chanel, Cisco, and other major companies have been hacked via a SaaS integration attack tied to a single threat group: UNC6040. This isn’t their first campaign: back in June, the group (also known as ShinyHunters) used voice phishing and social engineering to infiltrate organizations via Salesforce, ultimately extracting sensitive data (read our report on the initial wave of attacks here).
Attacks In-Depth: UNC6040 specializes in vishing (voice phishing) campaigns. This is a type of social engineering, which manipulates human users into making security mistakes. By exploiting a SaaS integration, the attackers took advantage of the critical blindspot in traditional ZTNA and IdP protections.
August 7, 2025: Air France and KLM announce that attackers have breached a customer service platform and exfiltrated customer data.
August 6, 2025: Google hacked by UNC6040, just weeks after warning other organizations. UNC6040 accessed a Google corporate account with Salesforce.
August 6, 2025: Chanel becomes the latest business to be hit by the UNC6040 campaign. As reported by WWD, threat actors accessed a Chanel database hosted by a third-party service provider. The breach impacted customers in the US, exposing personal contact information.
August 5, 2025: Cisco discloses that cybercriminals conducted a vishing attack targeting a company representative. This allowed the attack group to access Cisco’s CRM systems and steal the personal and user information of individuals with Cisco.com accounts.
Other high-profile companies have been impacted by Salesforce data breaches in recent weeks, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, and Tiffany & Co.
A typical vishing timeline for UNC6040.
Why This Matters:
It is critical to note that these incidents do not indicate any inherent vulnerability in Salesforce. These breaches highlight the importance of the shared responsibility model, where organizations must properly secure their accounts, credentials, and access controls in addition to Salesforce’s built-in protections.
Taking a Step Back:
SaaS is a massive blindspot for most organizations. While investments flow into traditional defenses like zero trust architecture and IdP, attackers are targeting SaaS, where visibility is low and controls are fragmented.
Threat actors are increasingly sophisticated, and with the rise of AI tools, it is likely that attacks will become more frequent and harder to detect. AI can enable more convincing phishing campaigns, automate reconnaissance, and scale attacks, raising the stakes for organizations everywhere.
Humans are often the weakest link in the security chain. Despite robust technical safeguards, social engineering tactics like vishing exploit human vulnerabilities, leading to unintentional security breaches.
Prevention Methods:
General Strategies:
Ensure visibility and monitoring over SaaS applications. SaaS attacks are up 300% year over year, highlighting the need for proactive security.
Educate staff on vishing and social engineering threats
Educate staff on fake SSO phishing sites
Ensure staff are only granted the permissions needed for their role
Control access to Connected Applications
Restrict access to named IP ranges
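One way to check the last two controls against exported login records, as an added example that is not from the original article or from any vendor's tooling. The column names, IP ranges, and application names are constructed assumptions; map them to whatever your SaaS login-history export actually provides.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed allow-lists (assumptions, not values from the article).
NAMED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
APPROVED_APPS = {"Browser", "Corp ETL Connector"}

# Constructed sample export; the column names are hypothetical.
SAMPLE_LOGINS = """\
LoginTime,Username,SourceIp,Application,Status
2025-08-05T09:12:00Z,alice@example.com,203.0.113.10,Browser,Success
2025-08-05T09:40:00Z,bob@example.com,192.0.2.77,Browser,Success
2025-08-05T10:02:00Z,bob@example.com,192.0.2.77,My Ticket Hub,Success
2025-08-05T10:05:00Z,carol@example.com,198.51.100.200,Corp ETL Connector,Success
2025-08-05T10:07:00Z,dave@example.com,not-an-ip,Browser,Failed
"""

def in_named_range(addr):
    """True only if addr parses as an IP and falls inside a named range."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # a malformed address is never treated as trusted
    return any(ip in net for net in NAMED_RANGES)

def audit_logins(csv_text):
    """Return (time, user, app, reasons) for every login that violates a control."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if not in_named_range(row["SourceIp"]):
            reasons.append("ip_outside_named_ranges")
        if row["Application"] not in APPROVED_APPS:
            reasons.append("unapproved_connected_app")
        if reasons:
            findings.append((row["LoginTime"], row["Username"], row["Application"], reasons))
    return findings

if __name__ == "__main__":
    for when, user, app, reasons in audit_logins(SAMPLE_LOGINS):
        print(when, user, app, ",".join(reasons))
```

A login that trips both checks, such as an unapproved integration authenticating from outside the named ranges, is the combination to triage first.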
For Obsidian customers:
Monitor Obsidian alerts for any related to Salesforce or Okta
Use Obsidian’s Browser Extension to detect and automatically block Identity Takeovers (ATO) from advanced phishing kits (such as Evilginx reverse proxy websites)