Global tech leader Google has confirmed a data breach involving one of its Salesforce customer relationship management (CRM) systems, which stored business contact details for small and medium-sized enterprises. Notifications to affected users were completed as of August 8, 2025.
What Happened?
In June 2025, a cybercriminal group known as ShinyHunters (UNC6040) infiltrated one of Google’s Salesforce instances via a tailored voice phishing (vishing) attack. The threat actors impersonated IT support staff and tricked employees into installing a malicious version of Salesforce’s Data Loader app, which gave the attackers unauthorized access.
During a brief window before access was revoked, attackers retrieved basic, largely publicly available business data such as company names, phone numbers, and related notes used for Google Ads outreach. ShinyHunters claim they obtained approximately 2.55 million records, though Google hasn’t confirmed this number publicly.
Google’s Response:
Immediate steps were taken to block access, conduct impact assessments, and strengthen security controls. Affected users were notified promptly.
Analysts warn that groups like UNC6040 now combine data theft with extortion, often threatening to leak stolen data if ransoms aren’t paid. Google’s swift mitigation helped avert further escalation.
Key Lessons for Your Organization:
Enhance Social Engineering Defenses: Regular training and simulated phishing (including vishing) help build organizational resilience.
Protect Cloud Platforms: Restrict app permissions and vet third-party tools like Salesforce Data Loader carefully.
Enforce MFA and Least Privilege: Secure access to sensitive systems with multi-factor authentication and role-based controls.
Prepare Incident Response Plans: Rapid detection, response, and reporting can significantly mitigate fallout.