Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Google has confirmed that threat actors successfully breached its corporate Salesforce database and that company data was stolen in the process.
The tech giant said the incident occurred in June 2025, but began notifying affected users on 8 August.
According to Google, the threat actors launched a malicious version of Salesforce’s Data Loader, which they fooled staff into authorising using phishing phone calls where the hackers posed as IT support personnel. The application then allowed the threat actors to access the database and exfiltrate data.
Speaking with Cyber Security News, Google said the information stolen in the breach is “basic and largely publicly available business information, such as business names and contact details”.
It also said that payment data had not been accessed and that Google Ads data, Google Analytics, Merchant Centre and other advertising products had not been impacted.
The tech giant also said the threat actors only had a small window of access and were cut off quickly. The company added that it had completed a comprehensive impact analysis and bolstered its security.
Google Threat Intelligence identified the group as UNC6040, better known as ShinyHunters, which BleepingComputer has already identified as having been behind a widespread Salesforce instance campaign.
Regarding Google, ShinyHunters reportedly claims to have stolen 2.55 million data records.
BleepingComputer said that ShinyHunters confirmed with the publication that it is privately contacting these companies for ransom payments and that it will mass publish or sell the data of all companies that don’t comply, something the group has done before during their Snowflake cyber campaign.
The group also said its Salesforce threat campaign is ongoing, meaning the number of victims is likely to rise. Companies should, therefore, review their Salesforce privacy options and monitor access to ensure databases are secure.
Salesforce has confirmed that its own network has not been breached, but that individual instances are being accessed.
“Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe – especially amid a rise in sophisticated phishing and social engineering attacks,” Salesforce told BleepingComputer.
“We continue to encourage all customers to follow security best practices, including enabling multifactor authentication, enforcing the principle of least privilege and carefully managing connected applications.”
A number of organisations have so far fallen victim to the Salesforce breach campaign, including Allianz Life, Qantas, Chanel, Pandora and adidas.
Be the first to hear the latest developments in the cyber industry.
