Google confirmed a significant data breach involving unauthorized access to one of its corporate Salesforce CRM instances. This CRM system stored contact details and related notes for small and medium-sized businesses interested in Google Ads services. The breach is part of a broader wave of sophisticated cyberattacks conducted by a threat group identified as UNC6040, also known as ShinyHunters, which uses voice phishing (vishing) and advanced social engineering techniques to target cloud systems like Salesforce.
Incident Overview: The Google Ads CRM Data Breach
- Date of Incident: June 2025
- Affected System: Google corporate Salesforce CRM used for potential Google Ads customers
- Data Exposed: Business names, phone numbers, and sales-related notes recorded by Google sales agents
- Non-Impacted Data: No payment or financial information, and no data from Google Ads accounts, Merchant Center, or Google Analytics was affected
- Number of Records: Approximately 2.55 million records (may include duplicates)
- Threat Actor: ShinyHunters (UNC6040), known for targeting Salesforce cloud environments
- Response: Google promptly cut off unauthorized access, performed impact analysis, and implemented ongoing monitoring
- Notification: Affected customers and businesses were notified by early August 2025
Technical Background: Voice Phishing and Attack Methods (From Google Cloud Threat Intelligence)
- The attackers used voice phishing (vishing) to socially engineer employees with access to Salesforce environments.
- Victims were tricked into authorizing malicious connected applications, such as modified versions of Salesforce Data Loader, granting attackers extensive access to data.
- The attack infrastructure included VPNs and TOR to evade detection and attribution.
- Extortion attempts often follow the data breach months later, with ransom demands via calls or emails using the ShinyHunters brand.
- Google emphasizes layered security defenses: strict access controls, monitoring connected apps, IP restrictions, Salesforce Shield, and universal multi-factor authentication (MFA).
- The campaign targets IT support personnel and administrators through sophisticated social engineering techniques.
Summary Table: Google Data Breach and Attack Campaign
Aspect | Details |
---|---|
Breach Date | June 2025 |
Affected System | Google corporate Salesforce CRM |
Data Exposed | Business names, phone numbers, sales notes |
Payment/Ads Data Impact | None |
Records Compromised | Approximately 2.55 million |
Threat Actor | ShinyHunters (UNC6040) |
Attack Method | Voice phishing (vishing), malicious Salesforce connected apps |
Infrastructure Used | VPNs, TOR for anonymity |
Extortion Attempts | Ransom demands months after initial breach |
Security Recommendations | Access controls, app management, IP restrictions, MFA, monitoring |
Notification Completed | Early August 2025 |
What This Means for Customers and Businesses
- The breach involved publicly available business information, which reduces the risk of privacy harm or financial theft but increases the chance of targeted phishing or fraud using the exposed contacts.
- Businesses should remain vigilant against suspicious calls, emails, or messages that could leverage the compromised contact data.
- This incident highlights the critical need for strong security awareness, especially for IT and support teams who can be targeted by voice phishing.
- Companies using cloud CRM platforms like Salesforce must enforce layered security controls, including monitoring for unauthorized connected apps and applying universal multi-factor authentication.
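As an added illustration of the connected-app monitoring and IP restrictions recommended above (and listed in the technical background section), the following sketch reviews an export of connected-app authorization events against an allowlist and a set of trusted network ranges. It is example code written for this summary, not Google's or Salesforce's tooling; the CSV column names, client IDs, app names and IP ranges are constructed assumptions and do not reflect a real Salesforce schema.

```python
import csv
import io
import ipaddress

# Constructed sample export of connected-app authorization events.
# Column names and all values are hypothetical, not a Salesforce schema.
SAMPLE_EVENTS = """\
timestamp,user,app_name,client_id,source_ip
2025-06-03T09:12:44Z,alice@example.com,Data Loader,APPROVED-DL-0001,203.0.113.10
2025-06-03T14:51:02Z,bob@example.com,Sync Helper,UNKNOWN-7f3a,198.51.100.77
2025-06-04T08:05:19Z,carol@example.com,Data Loader,UNKNOWN-91cc,203.0.113.25
2025-06-04T11:30:00Z,dave@example.com,Data Loader,APPROVED-DL-0001,192.0.2.200
"""

# Assumed policy: approved client IDs mapped to their expected display name,
# plus the corporate egress ranges logins are expected to come from.
APPROVED_APPS = {"APPROVED-DL-0001": "Data Loader"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def review_events(csv_text, approved=APPROVED_APPS, trusted=TRUSTED_NETWORKS):
    """Return (row, reasons) pairs for events that violate the policy."""
    approved_names = {name.lower() for name in approved.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        expected_name = approved.get(row["client_id"])
        if expected_name is None:
            reasons.append("unapproved_app")
            # A familiar display name on an unknown client ID is the
            # lookalike case: the name alone must never be trusted.
            if row["app_name"].strip().lower() in approved_names:
                reasons.append("name_matches_approved_app")
        elif expected_name != row["app_name"]:
            reasons.append("name_mismatch")
        try:
            ip = ipaddress.ip_address(row["source_ip"])
            if not any(ip in net for net in trusted):
                reasons.append("untrusted_ip")
        except ValueError:
            reasons.append("unparseable_ip")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in review_events(SAMPLE_EVENTS):
        print(row["timestamp"], row["user"], row["app_name"], ",".join(reasons))
```

Keying the allowlist on the client identifier rather than the display name is what catches the third sample row, where an unapproved app presents itself under an approved app's name.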
Official Google Source
For the most authoritative and technical insights, Google’s Threat Intelligence Group detailed this incident and the attacker methods in their official blog post: