Google suffers data breach in ongoing Salesforce data theft attacks
Gugu Ntsele Sep 9, 2025 7:09:37 AM

Google became the latest victim in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group, with one of its corporate Salesforce instances breached in June and customer data stolen.
What happened
In June, Google's corporate Salesforce instance was compromised by threat actors classified as 'UNC6040' in a voice phishing (vishing) social engineering attack. The attackers targeted Google employees to gain access to the Salesforce CRM system and downloaded customer data. The breached instance stored contact information and related notes for small and medium businesses. According to Google, the threat actor retrieved data during a small window of time before access was cut off. The stolen data was confined to basic and largely publicly available business information, including business names and contact details. Google has since responded to the activity, performed an impact analysis, and implemented mitigations.
The backstory
In June, Google initially warned about threat actors it classifies as 'UNC6040' targeting companies' employees in voice phishing social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying ransoms to prevent data leaks. Google later updated its warning to reveal that it had also fallen victim to the same attack method.
Going deeper
The attacks are attributed to ShinyHunters, a notorious threat actor group that has been active for years and is responsible for breaches at PowerSchool, Oracle Cloud, the Snowflake data-theft attacks, AT&T, NitroPDF, Wattpad, MathWay, and many others. ShinyHunters claimed to have breached many Salesforce instances, with attacks still ongoing. The threat actor stated that they had breached a trillion-dollar company and were considering leaking the data rather than attempting extortion, though it's unclear if this refers to Google. Other impacted companies include Adidas, Qantas, Allianz Life, Cisco, and LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. The extortion method involves demanding ransom payments via email to prevent public data leaks.
What was said
In Google's brief update, the company stated: "In June, one of Google's corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations."
Google further explained: "The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off."
Regarding the nature of the stolen data, Google noted: "The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details."
In the know
Voice phishing (vishing) is a social engineering attack method where threat actors use phone calls to manipulate employees into revealing sensitive information or providing system access. Unlike traditional phishing emails, vishing attacks rely on direct verbal communication to build trust and urgency, making them particularly effective against human targets. In the context of Salesforce CRM systems, these attacks specifically target employees with access to customer relationship management platforms that contain valuable business and customer data.
Why it matters
This breach shows that the cloud-based CRM systems many healthcare organizations rely on for patient relationship management and business operations are vulnerable to social engineering of the employees who have access to them. The fact that even Google, a technology company with substantial security resources, fell victim to these social engineering attacks demonstrates that no organization is immune to human-targeted threats.
FAQs
Why are cloud-based CRM systems like Salesforce attractive to hackers?
They often hold centralized, high-value customer and business information accessible from anywhere.
Could this breach have exposed sensitive healthcare data if Google were a healthcare provider?
Yes, CRM records for healthcare organizations could contain patient or business associate details subject to HIPAA.
How does voice phishing differ from traditional phishing emails?
Vishing uses real-time phone conversations to build trust and urgency, making it harder for victims to detect.
Can multi-factor authentication stop vishing attacks completely?
It greatly reduces risk but cannot fully prevent breaches if attackers trick employees into approving access.