A hacking group tracked as UNC6040 has targeted approximately 20 organizations in the US and Europe by impersonating IT support staff to gain access to Salesforce customer environments, according to reports from Google's Threat Intelligence Group. The attackers used voice phishing, or vishing, to convince employees to install a modified version of Salesforce's Data Loader app, sometimes branded as "My Ticket Portal," granting them significant access to sensitive company data. Once authorized, the malicious connected app enabled the attackers to exfiltrate large volumes of data and, in some cases, move laterally across corporate networks to access other cloud services such as Okta, Workplace, and Microsoft 365. Some affected organizations subsequently faced extortion attempts, sometimes months after the initial breach. The attackers have claimed affiliation with the cybercrime collectives The Com and ShinyHunters, and their tactics show links to the group Scattered Spider. Google and Salesforce have stated that no vulnerabilities in the Salesforce platform itself were exploited. Instead, the campaign relied entirely on social engineering that exploited gaps in individual employees' security awareness. Salesforce has warned customers about these vishing attacks and the risks of authorizing unauthorized connected apps. The campaign, observed over several months, has impacted sectors including hospitality, retail, and education. Google has not disclosed the names of affected organizations, and Salesforce reports that only a small subset of its customers were impacted.
UNC6040 Tricks Employees Into Stealing Salesforce Data https://t.co/5HwxJnAzJx #technology #technews https://t.co/3TGMETyYsJ
Malicious packages were discovered causing supply chain incidents across leading open-source code repositories. "Open-source registries such as npm, PyPI, and RubyGems have the potential to become malware distribution channels," said @SectigoHQ's Jason Soroko. https://t.co/zq8DGeVoU9
Curve Finance founder Michael Egorov warned of "for-hire" hackers that have been coordinating exploits across platforms. Read more: https://t.co/nQYf0HJxhj