Google Confirms Data Breach – Notifying Users Affected By the Cyberattack

Tech giant Google has officially acknowledged a significant data breach affecting its corporate Salesforce database, with the company completing email notifications to affected users as of August 8, 2025.

Google revealed on August 5 that one of its corporate Salesforce instances was compromised in June 2025 by the notorious cybercriminal group known as ShinyHunters, officially tracked as UNC6040 by the Google Threat Intelligence Group.

The breach exposed contact information and related notes for small and medium businesses stored in Google’s customer relationship management system.

The cyberattack was orchestrated through sophisticated voice phishing (vishing) techniques, where threat actors impersonated IT support personnel to deceive Google employees into granting system access.

This social engineering approach has become increasingly prevalent, with attackers manipulating human trust rather than exploiting technical vulnerabilities in the Salesforce platform itself.

According to Google’s analysis, the attackers gained access through a malicious version of Salesforce’s Data Loader application. During fraudulent phone calls, victims were guided to authorize what appeared to be a legitimate connected app, inadvertently granting the cybercriminals extensive capabilities to access and extract sensitive data.

Google described the stolen information as “basic and largely publicly available business information, such as business names and contact details”. However, security researchers report that ShinyHunters claimed to have obtained approximately 2.55 million data records from the breach.

Google emphasized that the breach was contained within “a small window of time before the access was cut off”. The company immediately:

  • Terminated the attackers’ access upon discovery
  • Conducted a comprehensive impact analysis
  • Implemented additional security mitigations
  • Began notifying affected customers

The notification process began in early August, with Google completing email alerts to all affected users by August 8, 2025. The company assured users that payment information remained secure and that there was no impact on Google Ads data, Merchant Center, Google Analytics, or other advertising products.

This attack is part of a broader campaign by ShinyHunters, a cybercriminal collective that has targeted numerous high-profile organizations throughout 2025. The group has been linked to breaches at major companies including Cisco, Qantas, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Adidas, and Allianz Life.

ShinyHunters typically employs a delayed extortion model, waiting months after the initial data theft to demand ransom payments. The group has been observed demanding payment in Bitcoin under 72-hour ultimatums, often claiming affiliation with other notorious hacking collectives to increase pressure on victims.

According to reports, ShinyHunters demanded 20 Bitcoins (approximately $2.3 million) from Google, though the threat actor later claimed this was sent “for the lulz” rather than as a serious extortion attempt.
