Google has confirmed a data breach involving its corporate Salesforce database, with email notifications to affected users completed on August 8, 2025.
The company disclosed on August 5 that one of its Salesforce instances was compromised in June by the cybercriminal group ShinyHunters, tracked by Google Threat Intelligence Group as UNC6040. The breach exposed contact details and related notes for small and medium-sized businesses stored in Google’s customer relationship management system.
According to Google, the attackers used voice phishing techniques, posing as IT support staff to persuade employees to grant them access. The attackers deployed a malicious version of Salesforce’s Data Loader application and convinced victims to authorize what appeared to be a legitimate connected app. This allowed them to extract data without exploiting technical vulnerabilities in Salesforce itself.
Google described the stolen information as “basic and largely publicly available business information,” such as names and contact details. However, independent security researchers said ShinyHunters claimed to have obtained about 2.55 million data records.
The company stated the breach was contained within a short period before access was cut off. Actions taken included terminating attacker access, conducting an impact analysis, adding security safeguards, and notifying affected customers. Google said no payment data was compromised, and Google Ads, Merchant Center, Google Analytics, and other advertising products were unaffected.
The incident is part of a wider 2025 campaign by ShinyHunters, which has also targeted companies such as Cisco, Qantas, LVMH brands, Adidas, and Allianz Life. The group is known for a delayed extortion approach, often demanding Bitcoin payments within short deadlines. Reports indicate ShinyHunters sought 20 Bitcoins (about $2.3 million) from Google, later claiming the demand was made “for the lulz.”
Discover more from Aree Blog
Subscribe now to keep reading and get access to the full archive.
