In June 2025, Google’s corporate Salesforce instance was compromised by the hacking group ShinyHunters (UNC6040), the company revealed on August 5. The breach exposed contact information and related business notes of small and medium-sized businesses from its customer relationship management system. 

According to Google’s Threat Intelligence Group, attackers used advanced voice phishing (vishing) to pose as IT support and deceive employees into granting access. They deployed a malicious Salesforce Data Loader variant, persuading staff to approve a fake connected app, which allowed the extraction of sensitive CRM data. 

Potential Exposure of Millions of Records Reported  

Around 2.55 million records were taken in the breach, according to security researchers. Google stated the stolen data was mostly public, such as business names and contact information, and stressed no compromise to payment data or services like Google Ads, Merchant Centre, or Analytics. The company quickly contained the attack, blocked access, reviewed the impact, reinforced security, and notified all affected customers by August 8. 

ShinyHunters, linked to multiple high-profile breaches in 2025 affecting Cisco, Qantas, Adidas, LVMH Group companies, and Allianz Life, often employs a delayed extortion method—demanding Bitcoin long after initial access. For Google, they allegedly asked for 20 Bitcoins (roughly $2.3 million/₹20 crore) before saying the demand was just “for the lulz.” 

The event serves as a reminder that social engineering continues to pose a serious risk, with human factors often prioritized over technical exploits by cybercriminals.