In June 2025, Google experienced a significant data breach when the cybercriminal group ShinyHunters, also known as UNC6040, infiltrated one of its corporate Salesforce instances. This breach led to the unauthorized access of contact information and related notes for small and medium-sized businesses stored within Google’s customer relationship management system.
Details of the Breach
The attackers employed sophisticated voice phishing, or vishing, techniques. By impersonating IT support personnel, they deceived Google employees into granting system access. This social engineering tactic involved guiding victims to authorize what appeared to be a legitimate connected application, specifically a malicious version of Salesforce’s Data Loader. Once access was obtained, the cybercriminals could extract sensitive data from the system.
Scope of the Compromised Data
According to Google’s analysis, the compromised information primarily consisted of basic business details, such as business names and contact information. While Google emphasized that the exposed data was largely publicly available, security researchers reported that ShinyHunters claimed to have obtained approximately 2.55 million data records from the breach. Importantly, Google stated that payment information remained secure and that there was no impact on Google Ads data, Merchant Center, Google Analytics, or other advertising products.
Google’s Response and Mitigation Efforts
Upon discovering the breach, Google acted swiftly to mitigate its impact. The company:
– Terminated the attackers’ access immediately.
– Conducted a comprehensive impact analysis to understand the extent of the breach.
– Implemented additional security measures to prevent future incidents.
– Notified affected customers, completing email alerts by August 8, 2025.
The ShinyHunters Group
ShinyHunters has been linked to several high-profile data breaches in 2025, targeting major organizations such as Cisco, Qantas, LVMH brands (including Louis Vuitton, Dior, and Tiffany & Co.), Adidas, and Allianz Life. The group is known for employing delayed extortion tactics, often waiting months after the initial data theft before demanding ransom payments. In Google’s case, ShinyHunters reportedly demanded 20 Bitcoins (approximately $2.3 million), though they later claimed the demand was sent “for the lulz” rather than as a serious extortion attempt.
Implications and Recommendations
This incident underscores the growing threat posed by sophisticated social engineering attacks. Organizations are advised to:
– Enhance employee training to recognize and respond to phishing and vishing attempts.
– Implement multi-factor authentication (MFA) to add an extra layer of security.
– Regularly audit and monitor access to sensitive systems.
– Limit third-party access to only what is necessary for business operations.
By adopting these measures, companies can better protect themselves against similar cyber threats in the future.