Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising an alleged database of roughly 4TB, labelled “Google / Salesforce” and dated “2025”. The price is negotiated via direct message, and the seller accepts the forum's escrow service.
If genuine, the listing would be an aggregation of data taken during the “Salesforce breach wave” of 2025. That wave was not a breach of Google's or Salesforce's core infrastructure. It was a campaign in which the ShinyHunters group (the activity cluster Google tracks as UNC6040, which has worked alongside Scattered Spider) compromised dozens of large companies one at a time by going after each company's own Salesforce CRM instance; the systemic risk comes from a single SaaS platform and its third-party app integrations being the common entry point.
The initial vector is vishing (voice phishing). Attackers phone employees, impersonate internal IT support, and walk the victim through authorizing a connected app on Salesforce's connected-app setup page. The app is a modified or renamed copy of Salesforce's own “Data Loader” under attacker control. Because the victim completes the authorization themselves, Salesforce issues the app an OAuth token; the attacker never has to defeat the password or an MFA prompt, and the token is then used to pull large parts of the organization's CRM data through the API. The tokens are consented to, not stolen, which is why this works against accounts that have MFA enabled.
Organizations publicly reported as victims of this 2025 campaign (note that most record counts below are the attackers' own claims rather than confirmed figures):
- Google (Ads SMB data, 2.55M records)
- Allianz Life (US) (1.4M+ customer records, including SSNs)
- Coca-Cola Europacific Partners (23M records)
- FedEx (1.1TB claim)
- Workday (70M user records)
- …and dozens of others, including Adidas, Cisco, LVMH (Dior, Louis Vuitton), TransUnion, and Farmers Insurance.
If the listing is what it claims to be, this 4TB “collection” is the pooled output of that campaign: CRM exports from many companies, directly usable for targeted phishing, financial fraud and industrial espionage.
Key Cybersecurity Insights
This alleged data sale represents a systemic, ongoing threat:
- A Systemic Supply Chain Attack: The “Google / Salesforce” label refers to high-profile victims (like Google) and the platform targeted (Salesforce). This campaign targets the customers of Salesforce, not the core platform, by exploiting human trust and third-party app integrations.
- Massive Aggregated Data: The 4TB size is the total collection from dozens of breached companies (e.g., FedEx, Coca-Cola, Allianz), making it one of the most significant aggregated datasets of the year.
- High-Value, Current Data: The “2025” date is consistent with the campaign, which has been running throughout 2025. If the data is genuine, it is recent, and recent CRM data (names, contact details, account histories) is highly actionable for fraud.
- Professional Monetization: The use of direct messaging and escrow for a high-value, aggregated dataset highlights a professional CaaS (Crime-as-a-Service) operation.
Mitigation Strategies
In response to this specific and active threat, organizations must take immediate action:
- Train Staff on Vishing & Malicious OAuth Apps: This is not a standard phishing email. The primary vector is a phone call impersonating IT. Staff must be trained to never authorize a connected app (such as “Data Loader”), enter a connection or device code, or approve an MFA push at the request of an unsolicited “IT support” caller; legitimate support does not need them to do this.
- Third-Party and Supply Chain Risk Assessment: Immediately and thoroughly audit all third-party applications and integrations within your Salesforce environment. Revoke OAuth tokens for any non-essential, old, or suspicious apps (such as the previously compromised Salesloft-Drift app), and restrict connected-app installation to administrators using an allow-list so that an end user cannot authorize an unknown app on their own.
- Enhanced Account Security Protocols: Enforce phishing-resistant MFA (FIDO2/hardware keys) for the login itself, but understand its limit here: in this campaign the victim passes MFA legitimately and then consents to the malicious app. Pair MFA with login IP restrictions, session policies, and limits on which profiles may authorize connected apps or use Data Loader and the Bulk API.
- Proactive Threat Monitoring and Intelligence: Continuously monitor dark web forums for the sale of this data, and monitor Salesforce event logs (Bulk API jobs, report exports, new connected-app authorizations) for large-scale, anomalous data exfiltration from CRM systems.
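The two detection-oriented mitigations above (auditing connected apps and watching CRM export logs for anomalous volume) can be combined into one simple rule set. The following is an added example, not code from the original post or from Salesforce. The log schema is constructed for illustration: it mimics the kind of fields Salesforce Event Monitoring and the Setup Audit Trail expose (user, connected app, object, row count, app authorization time) but is not the real field layout, and the app name “IT Support Portal” is a hypothetical attacker-renamed Data Loader.

```python
"""Flag anomalous CRM bulk exports and recently authorized connected apps.

Added example; the record layout below is CONSTRUCTED and does not match
Salesforce's real event log fields. Replace the sample lists with parsed
Event Monitoring / Setup Audit Trail exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: one tuple per bulk export job.
# (timestamp, user, connected app name, object exported, rows returned)
SAMPLE_EXPORT_LOG = [
    ("2025-08-01T09:12:00", "jsmith", "Salesforce Data Loader", "Account", 1200),
    ("2025-08-02T10:03:00", "jsmith", "Salesforce Data Loader", "Contact", 900),
    ("2025-08-03T11:40:00", "jsmith", "Salesforce Data Loader", "Account", 1500),
    ("2025-08-04T14:02:00", "mlee", "Marketing Sync", "Lead", 300),
    ("2025-08-05T08:30:00", "mlee", "Marketing Sync", "Lead", 250),
    # Constructed incident: minutes after a vishing call, a freshly authorized
    # app (hypothetical name) pulls every customer-facing object in one sitting.
    ("2025-08-06T13:01:00", "jsmith", "IT Support Portal", "Account", 410000),
    ("2025-08-06T13:05:00", "jsmith", "IT Support Portal", "Contact", 1250000),
    ("2025-08-06T13:09:00", "jsmith", "IT Support Portal", "Opportunity", 380000),
]

# Constructed connected-app authorization events:
# (app name, first authorized at, authorized by)
SAMPLE_APP_AUTHORIZATIONS = [
    ("Salesforce Data Loader", "2023-02-14T10:00:00", "admin"),
    ("Marketing Sync", "2024-06-01T10:00:00", "admin"),
    ("IT Support Portal", "2025-08-06T12:55:00", "jsmith"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def per_user_baseline(log, before):
    """Median rows per export job for each user, using only jobs before `before`."""
    rows = defaultdict(list)
    for ts, user, _app, _obj, n in log:
        if parse_ts(ts) < parse_ts(before):
            rows[user].append(n)
    return {user: median(v) for user, v in rows.items()}


def flag_bulk_exports(log, authorizations, day, ratio=20, new_app_days=7):
    """Return findings for the given day (YYYY-MM-DD).

    A job is flagged when it returns at least `ratio` times the user's median
    job size, when the user has no export history at all, or when the
    connected app was authorized within `new_app_days` of the export (or has
    no recorded authorization). Each finding carries the reasons it fired.
    """
    day_start = parse_ts(day)
    day_end = day_start + timedelta(days=1)
    baseline = per_user_baseline(log, day)
    first_seen = {app: parse_ts(ts) for app, ts, _who in authorizations}
    findings = []
    for ts, user, app, obj, n in log:
        t = parse_ts(ts)
        if not day_start <= t < day_end:
            continue
        reasons = []
        base = baseline.get(user)
        if base is None:
            reasons.append("no export history for this user")
        elif n >= ratio * base:
            reasons.append(f"{n} rows is {n / base:.0f}x the user's median job ({base:.0f})")
        seen = first_seen.get(app)
        if seen is None:
            reasons.append("export via an app with no recorded authorization")
        elif t - seen <= timedelta(days=new_app_days):
            reasons.append(f"app authorized only {t - seen} before this export")
        if reasons:
            findings.append({"time": ts, "user": user, "app": app,
                             "object": obj, "rows": n, "reasons": reasons})
    return findings


def apps_to_review(authorizations, now, days=30, approvers=("admin",)):
    """Connected apps to audit or revoke: authorized in the last `days`
    or authorized by someone outside the approved admin set."""
    cutoff = parse_ts(now) - timedelta(days=days)
    return sorted(app for app, ts, who in authorizations
                  if parse_ts(ts) >= cutoff or who not in approvers)


if __name__ == "__main__":
    for f in flag_bulk_exports(SAMPLE_EXPORT_LOG, SAMPLE_APP_AUTHORIZATIONS, "2025-08-06"):
        print(f["time"], f["user"], f["app"], f["object"], f["rows"], "; ".join(f["reasons"]))
    print("apps to review:", apps_to_review(SAMPLE_APP_AUTHORIZATIONS, "2025-08-07T00:00:00"))
```

The volume rule alone would also fire on a legitimate quarterly migration, which is why the app-age check is kept as an independent signal: a first-ever export through an app authorized by an end user minutes earlier is the pattern to page on, and the same authorization list drives the periodic connected-app audit.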
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com