Google has officially confirmed that one of its corporate Salesforce instances was compromised in June 2025 by the cybercriminal group ShinyHunters, known in security circles as UNC6040. The attack, revealed publicly on August 5, led to the exposure of contact information and related business notes for small and medium-sized enterprises stored within the company’s customer relationship management platform.
Google’s Threat Intelligence Group said the breach occurred after attackers used advanced voice phishing (vishing) tactics to impersonate IT support staff and trick employees into granting system access. The attackers exploited a malicious version of Salesforce’s Data Loader application, guiding targeted employees to authorize a fraudulent connected app. This provided them with the ability to extract sensitive CRM data.
Millions of Records Potentially Exposed
Security researchers believe approximately 2.55 million records were taken during the breach, although Google emphasized the data was “basic and largely publicly available,” including business names and contact details. The company also stressed there was no compromise of payment data or impact on Google Ads, Merchant Centre, Google Analytics, or other advertising tools. The breach was contained quickly after detection, with Google cutting off access, conducting a full impact assessment, and adding further security layers. The company began notifying affected customers in early August, completing the process by August 8.
Industry experts note that ShinyHunters has been linked to multiple high-profile breaches in 2025, targeting brands such as Cisco, Qantas, Adidas, LVMH Group companies, and Allianz Life. Their operations often follow a delayed extortion model, demanding Bitcoin ransoms weeks or months after initial infiltration. In this case, the group allegedly requested 20 Bitcoins (about $2.3 million, approximately Rs. 20 Crores) from Google, later claiming it was “for the lulz” rather than a serious extortion attempt.
The incident highlights the persistent threat of social engineering in corporate cybersecurity, with attackers increasingly focusing on human weaknesses rather than purely technical vulnerabilities.