Google’s Data Breach

Google has confirmed a data breach of one of its corporate Salesforce databases and sent email notifications to the affected users on 08 August 2025.  Google had earlier disclosed that one of its corporate Salesforce instances was compromised in June 2025 by the cybercriminal group operating under the ShinyHunters brand, which the Google Threat Intelligence Group tracks as UNC6040.  “We believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS).  These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.  We continue to monitor this actor and will provide updates as appropriate,” said Google.

See:  https://redskyalliance.org/xindustry/shinyhunters

The Google Threat Intelligence Group has said the attacks targeted English-speaking employees of Salesforce customers and used voice phishing to trick them into connecting a modified version of Salesforce's Data Loader application to their organization's Salesforce instance.  Targeted employees received phone calls from someone claiming to be IT support, who instructed them to accept a connection request from a client application presented as the legitimate Salesforce Data Loader.  In Google's case, the breach exposed contact information and related notes for small and medium businesses stored in Google’s customer relationship management (CRM) system: business names, phone numbers, and "related notes" that a Google sales agent would use when following up with the business.

The attack relied on voice phishing rather than on any technical vulnerability in the Salesforce platform itself: threat actors impersonating IT support persuaded Google employees to grant access, an approach that has become increasingly prevalent because it manipulates human trust instead of exploiting software.  According to Google’s analysis, the attackers gained access through a malicious version of Salesforce’s Data Loader application.  During the fraudulent calls, victims were guided to authorize what appeared to be a legitimate connected app, inadvertently granting the criminals broad capability to query and extract data.  Because the victim completes that authorization while legitimately logged in, a strong login factor does not by itself prevent it; the relevant controls are restricting which connected apps users may authorize and watching for a new app authorization followed by bulk exports.  Google has described the stolen information as “basic and largely publicly available business information, such as business names and contact details”.
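Turning the sequence described above into detection logic, as an added example that is not Google's or Salesforce's code: the script below scans constructed connected-app and bulk-export events for a user who authorizes a new app and, within a few hours, has that same app pull a large volume of records, typically from a source address different from the one that approved the app. The event names and field names (`CONNECTED_APP_AUTHORIZED`, `BULK_QUERY`, `client_ip`, `records`, and so on) are assumptions chosen for the illustration, not the real Salesforce event-log schema; a real deployment would map them onto the org's actual login, API and setup-audit events.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines) for this example. Event names and
# fields are illustrative assumptions, not Salesforce's real event-log schema.
# alice is coaxed into approving a "Data Loader" connected app from her own
# browser; minutes later that app exports two large objects from another host.
SAMPLE_LOG = """
{"ts": "2025-06-10T13:58:00Z", "event": "LOGIN", "user": "alice@example.com", "app": "Browser", "client_ip": "203.0.113.10"}
{"ts": "2025-06-10T14:02:00Z", "event": "CONNECTED_APP_AUTHORIZED", "user": "alice@example.com", "app": "Salesforce Data Loader", "client_ip": "203.0.113.10"}
{"ts": "2025-06-10T14:05:00Z", "event": "BULK_QUERY", "user": "alice@example.com", "app": "Salesforce Data Loader", "client_ip": "198.51.100.7", "object": "Account", "records": 60000}
{"ts": "2025-06-10T14:20:00Z", "event": "BULK_QUERY", "user": "alice@example.com", "app": "Salesforce Data Loader", "client_ip": "198.51.100.7", "object": "Contact", "records": 75000}
{"ts": "2025-06-10T15:00:00Z", "event": "CONNECTED_APP_AUTHORIZED", "user": "bob@example.com", "app": "Calendar Sync", "client_ip": "203.0.113.22"}
{"ts": "2025-06-10T15:03:00Z", "event": "BULK_QUERY", "user": "bob@example.com", "app": "Calendar Sync", "client_ip": "203.0.113.22", "object": "Event", "records": 500}
{"ts": "2025-06-11T09:00:00Z", "event": "BULK_QUERY", "user": "svc-etl@example.com", "app": "Nightly ETL", "client_ip": "203.0.113.30", "object": "Account", "records": 200000}
""".strip()

WINDOW = timedelta(hours=6)        # how long after an authorization to watch
RECORD_THRESHOLD = 100_000         # total records that counts as a mass export


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_post_authorization_exfil(events, window=WINDOW, threshold=RECORD_THRESHOLD):
    """Return one alert per connected-app authorization that is followed, within
    `window`, by bulk exports through the same user and app totalling at least
    `threshold` records. The long-running ETL user never fires because it has no
    recent authorization event; small post-authorization pulls don't either."""
    alerts = []
    for auth in (e for e in events if e["event"] == "CONNECTED_APP_AUTHORIZED"):
        deadline = auth["ts"] + window
        pulls = [
            e for e in events
            if e["event"] == "BULK_QUERY"
            and e["user"] == auth["user"]
            and e["app"] == auth["app"]
            and auth["ts"] <= e["ts"] <= deadline
        ]
        total = sum(e["records"] for e in pulls)
        if total < threshold:
            continue
        export_ips = sorted({e["client_ip"] for e in pulls})
        alerts.append({
            "user": auth["user"],
            "app": auth["app"],
            "authorized_at": auth["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
            "authorizing_ip": auth["client_ip"],
            "export_ips": export_ips,
            # The victim approves from their own browser while the attacker's
            # Data Loader runs elsewhere, so a source mismatch between the
            # authorization and the exports is a strong corroborating signal.
            "ip_differs_from_authorization": any(ip != auth["client_ip"] for ip in export_ips),
            "records_exported": total,
            "objects": sorted({e["object"] for e in pulls}),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_post_authorization_exfil(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run stand-alone it prints a single alert for alice: 135,000 records pulled through the freshly authorized app from an address that never appeared in her own session. In a real org the window and record threshold need tuning against normal Data Loader use, and the rule is most useful alongside an allow-list of approved connected apps, so that any authorization outside the list is itself an alert regardless of what follows.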

Security researchers report that ShinyHunters claimed to have obtained approximately 2.55 million data records from the breach.

Google emphasised that the breach was contained within “a small window of time before the access was cut off”.

Google Immediately:

  • Terminated the attackers’ access upon discovery
  • Conducted a comprehensive impact analysis
  • Implemented additional security mitigations
  • Began notifying affected customers

Notification began in early August, with Google completing email alerts to all affected users by 08 August 2025.  The company assured users that payment information remained secure and that there was no impact on Google Ads data, Merchant Center, Google Analytics, or other advertising products.

This attack is part of a broader 2025 campaign by ShinyHunters, a cybercriminal collective whose membership and tactics overlap with those of Scattered Spider and that has targeted numerous high-profile organizations throughout the year.  The group has been linked to breaches at major companies including Cisco, Qantas, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Adidas, and Allianz Life.

See:  https://redskyalliance.org/xindustry/scattered-spider-s-devious-web

ShinyHunters typically employs a delayed extortion model, waiting months after the initial data theft to demand ransom payments.  The group has been observed demanding payment in Bitcoin under 72-hour ultimatums, often claiming affiliation with other notorious hacking collectives to increase pressure on victims.  According to reports, ShinyHunters demanded 20 Bitcoin (approximately $2.3 million) from Google, though the threat actor later claimed the demand was sent “for the lulz” (for amusement) rather than as a serious extortion attempt.

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    
