Google Confirms Limited Cybersecurity Breach, Says Core Infrastructure Unaffected

Google has confirmed a data breach involving one of its Salesforce CRM instances, stating that while some business contact information was exposed, none of the company’s core systems or user data within Google products were compromised.

The incident, attributed to the cyber extortion group ShinyHunters, targeted a Salesforce instance used by Google to manage communication with prospective small and medium-sized advertising clients. According to Cybernews, the compromised data includes basic business contact details such as company names, phone numbers, and internal notes. Google reported that no sensitive user data or internal systems were accessed during the breach.

Notifications to affected parties were completed by August 8, 2025. Google emphasized that the breach was confined to a standalone corporate CRM environment and reassured users that its products and Google Cloud infrastructure remain secure. Mitigation measures have since been implemented.

The broader campaign behind this breach involves a threat actor known as UNC6040, which appears to be affiliated with ShinyHunters. The group is known for using voice phishing (vishing) techniques. Attackers typically pose as IT personnel during phone calls, convincing employees to authorize malicious applications that integrate with their organization’s Salesforce platform.

Once access is granted, attackers exploit Salesforce’s own Data Loader tool—a legitimate feature designed for bulk data import and export—to extract large volumes of customer data. In some cases, the attackers have directly requested login credentials and multi-factor authentication codes to gain deeper access.
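As an added example (not from the original article, Google or Salesforce), the sketch below shows one way a defender could look for the pattern just described: a user authorizes an app outside the approved list and then exports a large number of records through it. The event schema, app identifiers, thresholds and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy values; tune for your own organization.
APPROVED_APP_IDS = {"app-crm-sync", "app-marketing"}
WINDOW = timedelta(hours=24)
ROW_THRESHOLD = 10_000

# Constructed sample events in a hypothetical normalized schema
# (not Salesforce's own log field names).
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:00:00", "user": "alice", "type": "app_authorized", "app_id": "app-crm-sync"},
    {"ts": "2025-06-02T09:30:00", "user": "alice", "type": "bulk_export", "app_id": "app-crm-sync", "rows": 50_000},
    {"ts": "2025-06-03T14:05:00", "user": "bob", "type": "app_authorized", "app_id": "app-unknown-loader"},
    {"ts": "2025-06-03T14:20:00", "user": "bob", "type": "bulk_export", "app_id": "app-unknown-loader", "rows": 8_000},
    {"ts": "2025-06-03T15:10:00", "user": "bob", "type": "bulk_export", "app_id": "app-unknown-loader", "rows": 7_500},
    {"ts": "2025-06-04T10:00:00", "user": "carol", "type": "app_authorized", "app_id": "app-test-tool"},
]


def find_suspicious_authorizations(events):
    """Return one finding per authorization of an app not on the approved list."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])
    findings = []
    for auth in parsed:
        if auth["type"] != "app_authorized" or auth["app_id"] in APPROVED_APP_IDS:
            continue
        # Sum rows the same user exported through this app within WINDOW of authorizing it.
        rows = sum(
            e.get("rows", 0)
            for e in parsed
            if e["type"] == "bulk_export"
            and e["user"] == auth["user"]
            and e["app_id"] == auth["app_id"]
            and auth["ts"] <= e["ts"] <= auth["ts"] + WINDOW
        )
        findings.append({
            "user": auth["user"],
            "app_id": auth["app_id"],
            "rows_exported": rows,
            # "high": unapproved app plus bulk export; "review": unapproved app only.
            "severity": "high" if rows >= ROW_THRESHOLD else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_authorizations(SAMPLE_EVENTS):
        print(finding)
```

Several smaller exports are summed across the window, so splitting an export into batches below the threshold does not hide it.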

The campaign is not isolated to Google. Other high-profile companies—including luxury brands and major tech firms—have also reported similar breaches involving third-party CRM platforms.

The incident highlights the ongoing risk that social engineering tactics can bypass technical safeguards. Organizations are advised to review access protocols, employee training, and app authorization procedures to reduce exposure to similar threats.