Google, which recently became a victim of ShinyHunters’ Salesforce CRM data heist, reports that the cybersecurity incident did not affect any of its own systems and that the data contained in Google products remains safe. However, hackers have obtained data of “prospective Ads customers.”
Google recently acknowledged that the ShinyHunters extortion group had accessed the company’s Salesforce database, which was used to store contact information and related notes for small and medium businesses.
On August 8th, 2025, Google said it had completed sending email notifications to those affected by the incident.
"This event affected a limited set of data in one of Google’s corporate Salesforce instances used to communicate with prospective Ads customers,” a Google spokesperson told Cybernews.
“The affected system contained basic business contact information such as business name, phone number, and related notes.”
Google also assures users that its systems were not accessed.
“There is no impact to data contained in Google Products, or to Google Cloud. We will continue to update this blog post as more information becomes available,” the Google spokesperson said.
“Google Security teams have assessed the instance and mitigations have been put in place.”
The incident involves an instance of Salesforce, a cloud-based software-as-a-service platform for customer relationship management (CRM).
Google itself warned on June 5th, 2025, about the ongoing phishing campaigns targeting Salesforce instances. Many companies have reportedly fallen victim to this type of scam, including three French luxury brands, Chanel, Louis Vuitton, and Dior, as well as the Adidas apparel brand and the Danish jewelry-maker Pandora. Cisco Systems disclosed a data breach in an unnamed third-party CRM system.
The threat actor, tracked as UNC6040, seems to be related to ShinyHunters and uses voice phishing (vishing) attacks to compromise Salesforce instances. Hackers call employees pretending to be IT support staff and deceive the victims into authorizing a malicious app. Once authorized, the app connects to their organization’s Salesforce portal, enabling hackers to exfiltrate the data.
The hackers abuse Salesforce’s own legitimate Data Loader tool, which allows users to import or export data in bulk within Salesforce environments.
“UNC6040 also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration,” the researchers said previously.
Companies compromised by UNC6040 later face extortion demands from the ShinyHunters threat group.
Your email address will not be published. Required fields are markedmarked