Google Acknowledges Data Breach: Alerting Users Impacted by Cyberattack
Google has officially acknowledged a significant data breach affecting its corporate Salesforce database, completing email notifications to affected users by August 8, 2025. On August 5, Google revealed that one of its corporate Salesforce instances was compromised in June 2025 by the notorious cybercriminal group known as ShinyHunters, officially tracked as UNC6040 by the Google Threat Intelligence Group. The breach exposed contact information and related notes for small and medium businesses stored in Google’s customer relationship management system. The cyberattack was executed through sophisticated voice phishing (vishing) techniques, where threat actors impersonated IT support personnel to deceive Google employees into granting system access. This social engineering approach has become increasingly prevalent, as attackers manipulate human trust rather than exploiting technical vulnerabilities in the Salesforce platform itself. According to Google’s analysis, the attackers gained access through a malicious version of Salesforce’s Data Loader application, guiding victims during fraudulent phone calls to authorise what appeared to be a legitimate connected app, inadvertently granting the cybercriminals extensive capabilities to access and extract sensitive data.
Google reported to Cyber Security News that the stolen information consisted of “basic and largely publicly available business information, such as business names and contact details.” However, security researchers indicated that ShinyHunters claimed to have obtained approximately 2.55 million data records from the breach. Google emphasised that the breach was contained within “a small window of time before the access was cut off.” The company immediately terminated the attackers’ access upon discovery, conducted a comprehensive impact analysis, implemented additional security mitigations, and began notifying affected customers. The notification process commenced in early August, with Google completing email alerts to all affected users by August 8, 2025. The company assured users that payment information remained secure and that there was no impact on Google Ads data, Merchant Center, Google Analytics, or other advertising products. This attack is part of a broader campaign by ShinyHunters, which has targeted numerous high-profile organisations throughout 2025, including Cisco, Qantas, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Adidas, and Allianz Life. ShinyHunters typically employs a delayed extortion model, waiting months after the initial data theft to demand ransom payments, often demanding payments in Bitcoin within 72-hour ultimatums while claiming affiliation with other notorious hacking collectives to increase pressure on victims.
Categories: Data Breach, Cybersecurity Threats, Social Engineering Techniques
Tags: Data Breach, Google, Salesforce, Cybercriminals, ShinyHunters, Vishing, Social Engineering, Customer Relationship Management, Security Mitigations, Ransom Payments