Recent reports confirm that Google experienced a data breach involving one of its corporate Salesforce instances in June 2025. The incident is part of a broader, ongoing campaign attributed to the cybercriminal group UNC6040 (also known as ShinyHunters), which specializes in voice phishing (vishing) attacks targeting Salesforce environments for data theft and extortion.
Here’s a summary of the situation:
- Nature of the Attack: The attackers employed vishing techniques, impersonating IT support to trick Google employees into granting access to a malicious Salesforce Data Loader application. This allowed them to bypass security controls and extract data.
- Impacted Data: The breach affected a Salesforce instance used to manage contact information and notes for Google Ads customers, specifically small and medium-sized businesses. The stolen data included basic business contact information, such as names, phone numbers, and related notes, much of which was reportedly already publicly available.
- No Impact on Sensitive Data: Google stated that no payment information, Google Ads account data, or data in other Google Ads products (like Merchant Center or Google Analytics) was affected. Google systems were not accessed, and there was no impact on Google Cloud.
- Response and Mitigation: Google detected the breach internally, revoked attacker access, and implemented additional security measures. They began notifying affected customers in early August 2025, completing email alerts by August 8, 2025.
- Salesforce’s Stance: Salesforce released an advisory emphasizing that the attacks did not exploit vulnerabilities in their platform but rather relied on social engineering. They urged customers to strengthen security posture and review connected applications and permissions.
- Broader Campaign: Google is just one of several high-profile organizations impacted by this ongoing Salesforce-related attack campaign. Other victims include Adidas, Cartier, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Air France–KLM, Allianz Life, Cisco, and Pandora.
- Potential for Extortion: UNC6040/ShinyHunters is known for using stolen data for extortion, and there are concerns they may create a data leak site to pressure victims. They reportedly demanded 20 Bitcoins (around $2.3 million) from Google, though they later claimed this was a “prank.”