Google Confirms A Data Breach

Uploaded on 2025-08-11 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Google has announced a significant data breach that has hit its corporate Salesforce database, and Google sent email notifications to the affected users on August 8, 2025.

Earlier Google had said that one of its corporate Salesforce instances was compromised in June 2025 by the notorious cyber criminal group known as ShinyHunters, officially tracked as UNC6040 by the Google Threat Intelligence Group.

“We believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS).

“These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches. We continue to monitor this actor and will provide updates as appropriate,” said Google.

Google Threat Intelligence Group has said that the attacks targeted English-speaking employees working for Salesforce clients and used voice phishing to trick the employee into connecting a modified version of Salesforce's Data Loader application.

The English-speaking employees received phone calls from someone claiming to be IT support personnel, telling the targeted employee to accept a connection to the client application known as Salesforce Data Loader.

The breach exposed contact information and related notes for small and medium businesses stored in Google’s customer relationship management system.

Google says the exposed information includes business names, phone numbers, and "related notes" for a Google sales agent to contact them again.

The cyber attack was staged through sophisticated voice phishing techniques, where threat actors impersonated IT support personnel to deceive Google employees into granting system access.

This social engineering approach has become increasingly prevalent, with attackers manipulating human trust rather than exploiting technical vulnerabilities in the Salesforce platform itself.

According to Google’s analysis, the attackers gained access through a malicious version of Salesforce’s Data Loader application. During fraudulent phone calls, victims were guided to authorize what appeared to be a legitimate connected app, inadvertently granting the cyber criminals extensive capabilities to access and extract sensitive data.

Google has described the stolen information as “basic and largely publicly available business information, such as business names and contact details”.

However, security researchers report that ShinyHunters claimed to have obtained approximately 2.55 million data records from the breach.

Google emphasised that the breach was contained within “a small window of time before the access was cut off”.

Google Immediately:

Terminated the attackers’ access upon discovery
Conducted a comprehensive impact analysis
Implemented additional security mitigations
Began notifying affected customers

Notification began in early August, with Google completing email alerts to all affected users by August 8, 2025. The company assured users that payment information remained secure and that there was no impact on Google Ads data, Merchant Center, Google Analytics, or other advertising products.

This attack is part of a broader campaign by ShinyHunters, also known as Scattered Spider, a cyber criminal collective that has targeted numerous high-profile organisations throughout 2025. The group has been linked to breaches at major companies including Cisco, Qantas, LVMH brands (Louis Vuitton, Dior, Tiffany & Co.) Adidas and Allianz Life.

ShinyHunters typically employs a delayed extortion model, waiting months after the initial data theft to demand ransom payments. The group has been observed demanding payments in Bitcoin within 72-hour ultimatums, often claiming affiliation with other notorious hacking collectives to increase pressure on victims.

According to reports, ShinyHunters demanded 20 Bitcoins (approximately $2.3 million) from Google, though the threat actor later claimed this was sent “for the lulz” (apparent amusement), rather than as a serious extortion attempt.

You Might Also Read:

Scattered Spider Attacks - Four Arrested:

If you like this website and use the comprehensive 8,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.