Google Salesforce Breach: Major Vishing Attack That Exposed 2.5M Records

Massive Google Ads Salesforce Vishing Attack

When Google reveals that it has been hacked, a shudder runs through marketers, administrators, and C-suite executives alike. On August 5, 2025, the tech giant quietly disclosed that attackers had exfiltrated customer data from one of its corporate Salesforce instances.

Approximately 2.5 million Google Ads prospect records, including names, emails, phone numbers, and sales notes, were exfiltrated during a brief data transfer window.

This was not a zero-day exploit, nor a misconfigured storage bucket. It was social engineering at scale, and it should serve as a call to arms for anyone who leaves a business-critical CRM on autopilot.

While Google was publishing detailed research about how hackers are targeting Salesforce systems, they got hit by the same attack.

This is the kind of irony that makes me pay attention. When the company that wrote the book on modern cybersecurity falls victim to a simple phone call, there’s something bigger going on here.

The ShinyHunters group breached Google’s Salesforce instance containing 2.5 million Google Ads prospect records. They demanded $2.3 million in Bitcoin (which they later said was “for the lulz”). This wasn’t a technical exploit. It was a voice call that tricked a Google employee into authorising a fake app.

Key facts at a glance:

Breach window: early June 2025
Public disclosure: August 5 (official Google blog update)
Records exposed: approximately 2.5 million SMB prospect entries
Threat actor: ShinyHunters (UNC6040 / UNC6240)
Primary vector: voice phishing (vishing) plus a malicious Salesforce Data Loader app
Ransom demand: 20 BTC (about $2.3 million) in a single extortion email

How a Phone Call Got Past Google’s Defences

The attack itself was almost embarrassingly simple. Someone from ShinyHunters (tracked by Google as UNC6040) called a Google employee, pretended to be IT support, and convinced them to authorise what looked like a legitimate Salesforce Data Loader application.

But it wasn’t the real Data Loader. It was a malicious version with a slightly different name, something like “My Ticket Portal” instead of the official app.

The employee entered an 8-digit authorisation code, and just like that, the attackers had full access to Google’s Salesforce instance containing prospect data for small and medium businesses. They used custom Python scripts to quietly extract data in small chunks at first, then ramped up to bulk downloads once they had mapped out the database structure.

In June 2025, an initial breach occurred, leading to data exfiltration. On August 5, Google publicly disclosed the incident, followed by the completion of customer notifications on August 8, and at present, the hacking group ShinyHunters continues to target other companies using the same method.

What Data Got Stolen?

Google’s position is that the stolen information was largely public business contact data, but that is the reassuring spin, not the whole picture.

Here is what walked out the door:

  • Business names and contact details
  • Phone numbers and email addresses
  • Sales notes and reminders
  • About 2.5 million records in total

Google is right that business contact information is frequently published. But 2.5 million records that also carry the context of sales conversations? That is a goldmine for fraudsters. This kind of information is the raw material for highly targeted phishing, business email compromise (BEC), and competitive intelligence gathering.

The $2.3 Million Bitcoin Demand 

After stealing the data, ShinyHunters sent Google an extortion email demanding 20 Bitcoin, approximately $2.3 million at the time.

But here’s where it gets weird.

When asked about it later, the group told reporters: “I don’t care about ransoming Google anyway, I just sent them a bogus email for the lulz of it”.

Whether that’s true or just posturing after the fact, I don’t know. What I do know is that other companies in this campaign have already paid. BleepingComputer reports that one victim paid 4 Bitcoin (around $400,000) to prevent their data from being leaked.

This Isn’t Just About Google

The recent Google breach is just one piece of a massive, ongoing campaign that has been targeting major companies since March 2025, with confirmed victims including Adidas, LVMH brands such as Louis Vuitton, Dior, and Tiffany & Co, Chanel, Qantas Airways, Allianz Life (impacting 1.4 million customers), Cisco, and multiple divisions of Coca-Cola.

What’s scary is how consistent the attack method is. Every single breach follows the same playbook:

  • Voice call to an employee posing as IT support
  • Social engineering to authorise a malicious Salesforce app
  • Bulk data extraction using modified tools
  • Extortion demand months later


Why Vishing Works So Well?

Voice phishing (vishing) isn’t new, but it’s having a moment for good reason.

Remote work broke traditional verification methods. When your IT support team could be calling from anywhere, it’s harder to verify who’s actually on the phone.

MFA fatigue is real. Users are so used to approving authentication requests that they don’t scrutinise each one carefully.

IT support has elevated privileges. Social engineering works because attackers target people who have the permissions they claim to need.

English-speaking attackers sound legitimate. UNC6040 specifically targets English-speaking branches of multinational companies because their operators are fluent and understand business terminology.

Google’s research shows these attackers even use automated phone systems to gather intelligence about company structures, internal applications, and current IT issues before making their pitch.


What Does This Mean for Your Business?

If Google can get hit by this attack, your company can too. The attack succeeds because it exploits human trust, not technical vulnerabilities. All the firewalls and endpoint protection in the world won’t help if your employees authorise malicious applications.

Immediate actions you should take:

Audit your Salesforce Connected Apps right now:

Go to Setup > Connected Apps and review every single integration. If you don’t recognise something, investigate immediately.

Restrict who can approve new Connected Apps:

Don’t let regular users authorise integrations. This should require admin approval.

Implement IP restrictions:

Limit Salesforce access to known corporate networks and trusted VPN ranges to block Tor and commercial VPN access.

Train your IT support team specifically on vishing:

They’re the primary targets because they have the permissions attackers need.

Set up monitoring for bulk data export:

Salesforce Shield can alert you when someone downloads unusually large amounts of data.
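The three checks above (unapproved app authorisations, access from outside corporate ranges, and bulk export by one user) can be run over event logs as a first-pass triage. The following is an added example, not code from Google or Salesforce; the event rows, field names, allow-lists and threshold are all constructed assumptions rather than the real EventLogFile schema.

```python
"""Triage constructed Salesforce-style event rows for the three signals this
post recommends watching. Field names are assumptions, not Salesforce's schema."""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed allow-lists: integrations an admin has approved, and corporate/VPN ranges.
APPROVED_APPS = {"Data Loader", "Marketing Cloud Connect"}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]
BULK_THRESHOLD = 100_000  # records per user across the log window (assumed)

# Constructed sample events (CSV); not real Google or Salesforce data.
SAMPLE_LOG = """\
event,user,client_ip,app_name,records
login,alice,10.1.4.22,Data Loader,0
oauth_authorize,bob,198.51.100.7,My Ticket Portal,0
api_query,bob,198.51.100.7,My Ticket Portal,500
api_query,bob,198.51.100.7,My Ticket Portal,40000
bulk_export,bob,198.51.100.7,My Ticket Portal,120000
api_query,alice,10.1.4.22,Data Loader,2000
"""


def is_corporate(ip: str) -> bool:
    """True when the client address falls inside an allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def triage(log_text: str) -> dict:
    """Group findings by signal so each can be routed to its own alert."""
    findings = {"unapproved_app": [], "external_ip": [], "bulk_export": []}
    seen_external = set()          # report each (user, ip) pair only once
    per_user = defaultdict(int)    # running record count per user
    for row in csv.DictReader(io.StringIO(log_text)):
        user, ip, app = row["user"], row["client_ip"], row["app_name"]
        if row["event"] == "oauth_authorize" and app not in APPROVED_APPS:
            findings["unapproved_app"].append(f"{user} authorised '{app}'")
        if not is_corporate(ip) and (user, ip) not in seen_external:
            seen_external.add((user, ip))
            findings["external_ip"].append(f"{user} from {ip}")
        per_user[user] += int(row["records"])
    for user, total in per_user.items():
        if total >= BULK_THRESHOLD:
            findings["bulk_export"].append(f"{user} exported {total} records")
    return findings


if __name__ == "__main__":
    for signal, hits in triage(SAMPLE_LOG).items():
        print(signal, hits)
```

The small-then-large query pattern in the sample mirrors the staged extraction described earlier, which is why the check sums records per user rather than alerting on a single request.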

Conclusion

This attack represents a shift in how cybercriminals operate. Instead of hunting for zero-day exploits, they’re exploiting the human layer of cloud security. SaaS applications like Salesforce are designed to integrate with external tools; that’s their strength. But it’s also their weakness when employees can be tricked into approving malicious integrations.


Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.