Stratos Ally

Google Data Breach Exposes 2.55 Million Business Records

StratosAlly

Google has confirmed a data breach involving one of its corporate Salesforce databases, with email notifications to affected users completed on August 8, 2025.

The company disclosed on August 5 that the breach took place in June and was carried out by the cybercriminal group ShinyHunters, also tracked as UNC6040 by Google’s Threat Intelligence Group.

The attackers obtained contact details and related notes for small and medium-sized businesses stored in Google’s customer relationship management system. According to Google, the incident stemmed from a voice-phishing (vishing) campaign rather than any flaw in Salesforce itself.

In the scheme, threat actors posed as IT support staff, persuading employees to install a maliciously modified version of Salesforce’s Data Loader tool. The victims, believing the calls to be legitimate, authorized a connected app that allowed the intruders broad access to sensitive records.

Google maintains the stolen information was “basic and largely publicly available” business data, but independent researchers report ShinyHunters claiming the haul included 2.55 million records. The company stressed that payment information and advertising platform data were unaffected.

The breach was active for “a small window of time” before being shut down. Google revoked access, performed a full impact review, added extra security measures, and began customer notifications in early August.

ShinyHunters is no stranger to high-profile intrusions in 2025, having been linked to attacks on Cisco, Qantas, several LVMH brands, Adidas, and Allianz Life. The group often employs a delayed extortion strategy, waiting months after theft before issuing ransom demands.

In this case, reports suggest the hackers requested 20 Bitcoins (around $2.3 million), but later dismissed the demand as a prank “for the lulz.”

This incident highlights the human side of cybersecurity risk, mirroring trends seen in the recent cyberwar incidents in Ukraine and Russia and in the ClickFix and Scattered Spider campaigns.
