Google Salesforce Data Breach

On August 9, 2025, Google confirmed a data breach affecting one of its corporate Salesforce CRM instances, which held contact and prospect information for small and medium-sized businesses being approached as Google Ads customers. The intrusion took place in June 2025 and was attributed to the threat group ShinyHunters (also tracked as UNC6040 and operating under the Sp1d3rHunters alias). The group did not exploit a software flaw in Salesforce; it gained access through voice phishing (vishing) of Google employees.

How the Attack Happened

The attackers phoned Google employees while posing as IT support staff and talked them into authorizing a maliciously modified copy of Salesforce's Data Loader as a connected app on the CRM instance. Because the employee completes the authorization step themselves, the attacker ends up holding a legitimately issued OAuth token and never has to defeat a password or MFA prompt. With that access, the tool exported CRM data over the Salesforce API, including business names, phone numbers, and sales team notes. Google stated that no payment information or Google Ads account credentials were compromised; ShinyHunters claims to have taken approximately 2.55 million records, a figure Google has not confirmed.

The group also hinted at collaborating with Scattered Spider, suggesting a coordinated campaign against CRM environments rather than a one-off intrusion. Reports indicate that the attackers demanded a ransom of 20 Bitcoin (around $2.3 million at the time) and later walked the demand back themselves.

Impact Assessment
  • Data Exposed: Business names, phone numbers, and internal sales notes
  • Volume: Up to 2.55 million records (attacker claim, unverified)
  • Systems Not Affected: No payment data or Google Ads account credentials compromised
  • Immediate Actions Taken: Access revoked, investigation launched, affected-party notifications completed by August 8, 2025
Attack Techniques Used
  • Vishing: Impersonating IT staff over the phone to gain employee trust
  • Malicious Tools: A modified Salesforce Data Loader authorized by the victim as a connected app, then used for large-scale extraction over the Salesforce API
  • Collaboration: Reported coordination between groups to increase the campaign's reach and success rate
Why This Matters Across Industries

While this breach targeted a tech giant, organizations in financial services, healthcare, retail, manufacturing, and government face the same exposure. CRM systems hold contact and operational data that can be reused for follow-on phishing, fraud, or competitive intelligence gathering, and the vishing-plus-connected-app technique works against any Salesforce tenant whose users can authorize apps on their own. The incident underscores the need for stronger controls around CRM integrations (connected apps and the OAuth grants behind them), user training, and data export monitoring.

Proactive Security Measures for Organizations
  • Restrict Third-Party Tool Use: Allow only vetted, allowlisted connected apps in CRM environments. In Salesforce that means configuring connected app policies so that admin-approved users are pre-authorized, and enabling API Access Control so that API calls from apps an administrator has not explicitly approved are rejected; a user who is walked through "installing" a tool by a caller then cannot grant it access
  • Enhance Employee Awareness: Train teams to recognize social engineering and vishing attempts, and make "IT support asking you to approve an app or read back an authorization code" an explicit red flag with a verified call-back channel
  • Monitor Data Activity: Implement alerts for unusual data export patterns, for example a connected app appearing for the first time and immediately reading tens of thousands of rows through the API
  • Incident Response Preparedness: Establish clear playbooks involving IT, legal, compliance, and communications teams, including how to revoke OAuth tokens and connected apps quickly
  • Legal & Compliance Coordination: Engage cyber-legal counsel early in the response process
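The attack described above and the "restrict third-party tools" and "monitor data activity" measures in this list come down to two checks: is this API client one the organization approved, and is it pulling far more rows than any sanctioned integration should? The following is an added example, not code from the original post or from Google or Salesforce, showing both checks run over a constructed log. The column names are modelled loosely on Salesforce Event Monitoring's API event records but are an assumption for illustration, as are the client names, user IDs, and thresholds; the real EventLogFile schema varies by event type and API version.

```python
"""
Added example (not from the original post, Google, or Salesforce): a small
detector that walks API-activity log lines and flags
  (1) any API client / connected app not on the org's allowlist, and
  (2) any (user, client) pair whose exported row count inside a sliding
      time window exceeds a threshold.
Column names, sample lines, client names and thresholds are constructed.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Clients the org has vetted (assumed names). Anything else is an alert.
APPROVED_CLIENTS = {"SalesConsole/1.0", "MarketingSync/2.3"}

EXPORT_THRESHOLD = 50_000          # rows per window before an alert fires
WINDOW = timedelta(minutes=30)     # sliding window for the volume check

# Constructed sample log: a legitimate integration doing small queries, then a
# never-before-seen client ("Data Loader Bulk", standing in for an attacker's
# modified tool) pulling Leads, Accounts and Contacts in large batches.
SAMPLE_LOG = """TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED,CLIENT_IP
2025-06-10T09:00:12Z,005xx0000012345,SalesConsole/1.0,Account,query,120,198.51.100.10
2025-06-10T09:05:40Z,005xx0000012345,SalesConsole/1.0,Lead,query,80,198.51.100.10
2025-06-10T13:14:02Z,005xx0000099999,Data Loader Bulk,Lead,query,20000,203.0.113.45
2025-06-10T13:17:55Z,005xx0000099999,Data Loader Bulk,Lead,query,20000,203.0.113.45
2025-06-10T13:21:31Z,005xx0000099999,Data Loader Bulk,Account,query,15000,203.0.113.45
2025-06-10T13:25:09Z,005xx0000099999,Data Loader Bulk,Contact,query,20000,203.0.113.45
"""


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_text, approved=APPROVED_CLIENTS,
           threshold=EXPORT_THRESHOLD, window=WINDOW):
    """Return a list of (kind, user_id, client_name, detail) alerts in log order.

    Each (user, client) pair raises at most one 'unapproved_client' alert and
    at most one 'bulk_export' alert, so a noisy exfiltration does not flood
    the queue with duplicates.
    """
    alerts = []
    unknown_seen = set()
    recent = defaultdict(deque)   # (user, client) -> deque of (ts, rows) in window
    totals = defaultdict(int)     # (user, client) -> rows currently inside window
    fired_volume = set()

    for row in csv.DictReader(StringIO(log_text)):
        ts = parse_ts(row["TIMESTAMP"])
        key = (row["USER_ID"], row["CLIENT_NAME"])
        rows = int(row["ROWS_PROCESSED"])

        # Check 1: client not on the allowlist (the modified Data Loader would
        # show up here the moment it makes its first API call).
        if row["CLIENT_NAME"] not in approved and key not in unknown_seen:
            unknown_seen.add(key)
            alerts.append(("unapproved_client", key[0], key[1],
                           f"first seen {row['TIMESTAMP']} from {row['CLIENT_IP']}"))

        # Check 2: slide the window forward, then add this event's row count.
        q = recent[key]
        while q and ts - q[0][0] > window:
            _, old_rows = q.popleft()
            totals[key] -= old_rows
        q.append((ts, rows))
        totals[key] += rows
        if totals[key] > threshold and key not in fired_volume:
            fired_volume.add(key)
            alerts.append(("bulk_export", key[0], key[1],
                           f"{totals[key]} rows in {int(window.total_seconds() // 60)} min"))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the unknown client is flagged on its very first request, and the volume check fires on its third request once the 30-minute total passes 50,000 rows. The two checks are deliberately independent: an attacker who abuses an already-approved app still trips the volume alert, and an unapproved app still trips the allowlist check even if it pulls data slowly to stay under the threshold.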
Conclusion

The Google Salesforce breach is a stark reminder that even the world's largest organizations are not immune to targeted social engineering and the abuse of tools their own users authorize. For industries managing sensitive customer or operational data, proactive defenses, strict connected-app and integration policies, and vigilant user awareness are critical. The data here was pulled in a short window before access was cut off, but strong preparation can reduce impact and protect trust.

About COE Security

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA, and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services

We also specialize in CRM system hardening, Salesforce security audits, social engineering resilience programs, and compliance-driven incident response planning. Our mission is to help organizations detect threats early, respond effectively, and maintain operational and reputational integrity.

Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated on emerging threats.
