Google has confirmed that it was affected by a data breach as part of a larger cyberattack campaign targeting Salesforce CRM platforms. The notorious hacking group ShinyHunters is believed to be behind this wave of attacks, which has impacted several major global companies.
In June 2025, Google identified unauthorized access to one of its Salesforce CRM instances. According to Google, the attackers used social engineering and vishing (voice phishing) tactics to trick employees and gain access to sensitive data stored in its customer relationship management system.
The company stated in an update:
“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity. Google responded immediately, conducted an impact analysis, and initiated mitigation measures.”
This breached Salesforce instance stored basic contact information and notes related to small and medium-sized businesses (SMBs). The attackers reportedly accessed this data during a short time window before Google successfully blocked them.
Google emphasized that the compromised data included only publicly available or non-sensitive information such as business names and contact details. While no financial data or passwords were stolen, the breach is still concerning due to the scale and nature of the attack campaign.
Google initially labeled the threat group as UNC6040 (also referred to as UNC6240), but cybersecurity platform BleepingComputer has linked the campaign to ShinyHunters, a well-known hacking group that has been active for several years.
ShinyHunters has been previously involved in major data breaches, including:
PowerSchool
Snowflake
Oracle Cloud
AT&T
NitroPDF
Wattpad
MathWay
And more
In a conversation with BleepingComputer, the threat actors claimed they have successfully breached multiple Salesforce CRM instances across various organizations, and the attacks are still ongoing.
After gaining access to Salesforce systems, ShinyHunters is reportedly extorting companies via email, demanding ransoms in exchange for not leaking the stolen data. The hackers have stated that once their private extortion efforts are complete, they plan to publicly leak or sell the data on hacking forums.
According to reports, at least one company has already paid a ransom of 4 Bitcoins (approximately $400,000) to prevent their data from being published.
The threat actor also claimed they had breached a trillion-dollar company, although it’s unclear whether this refers to Google or another tech giant. ShinyHunters has hinted they may skip extortion in this particular case and simply leak the data for attention.
Besides Google, several high-profile companies have been identified as victims of this Salesforce data breach campaign. These include:
Adidas
Qantas
Cisco
Allianz Life
Louis Vuitton
Dior
Tiffany & Co.
Many of these companies rely heavily on Salesforce CRM to manage customer data, making them attractive targets for hackers.
The method used by the attackers is largely based on vishing and social engineering, a form of manipulation where attackers impersonate trusted sources to deceive employees and trick them into giving away login credentials or access.
Once inside the Salesforce CRM system, attackers can export customer contact data and internal notes, which may not seem highly sensitive at first but can be used for phishing, impersonation, or further exploitation.
Even though the information stolen from Google was considered non-sensitive, this incident highlights growing concerns about third-party platforms like Salesforce being exploited as backdoors into major organizations. CRM systems often hold vast amounts of customer and business data, making them a goldmine for cybercriminals.
The ongoing wave of attacks shows that no company is immune, not even tech giants like Google. It also stresses the importance of multi-factor authentication (MFA), employee training, and real-time monitoring of third-party platforms.
To protect themselves from similar attacks, organizations should:
Conduct security audits of their CRM platforms.
Educate employees on social engineering and vishing threats.
Enable strong authentication measures on all cloud platforms.
Limit access to customer data based on roles and necessity.
Monitor CRM usage logs for suspicious behavior.
The ShinyHunters group continues to pose a significant threat to global businesses by exploiting human vulnerabilities and cloud platform misconfigurations. As the investigation unfolds, more companies could be revealed as victims.
Google’s transparency about the breach is a step in the right direction, but it also serves as a warning: businesses of all sizes must take proactive steps to secure their data, especially when stored in third-party platforms like Salesforce.
Interesting Article : Google Patches Actively Exploited Qualcomm Bugs in August Android Update
Pingback: CVE-2025-53786: Microsoft Exchange Server Flaw Lets Hackers Access Cloud