The Salesforce–Google Breach: A Warning to All Organizations
The Salesforce–Google hack is a case that underscores how even tech titans can fall victim to social engineering attacks.
What Happened?
In June 2025, hackers compromised one of Google’s corporate Salesforce instances, giving them access to contact information and related notes on small and medium-sized businesses. Google disclosed the breach in early August after detecting UNC6040 activity tied to the ShinyHunters group.
The attackers retrieved data during a small window before Google cut off access. The stolen data was described as “basic and largely publicly available”—including business names and contact details—with no sensitive personal or financial information involved.
Who’s Behind the Attack?
The group responsible is known as ShinyHunters, officially tracked by Google as UNC6040. This group specializes in vishing—voice phishing attacks. They impersonate IT staff and manipulate victims into installing a malicious version of Salesforce’s Data Loader via a fake connected-app setup page, granting the attackers unauthorized access.
These socially engineered campaigns have also hit companies like Adidas, Qantas, Allianz Life, Cisco, Pandora, Louis Vuitton, Dior, and Chanel, among others.
What Google Did
Once it detected the intrusion, Google responded by:
Cutting off unauthorized access
Conducting an impact analysis
Implementing mitigation steps
Monitoring for future extortion attempts, including the possibility of a data leak site (DLS) being used to pressure victims.
What Makes This Incident Significant
Human element of cybersecurity: No technical vulnerability was exploited. Instead, attackers exploited human trust through targeted voice phishing.
High-profile victim: Google was investigating these methods even as it fell victim, highlighting how sophisticated and deceptive the campaign was.
Broader trend in cybercrime: Many prominent companies have been targeted using identical tactics—social engineering aimed at Salesforce CRM systems.
Key Takeaways — How Organizations Can Protect Themselves
User training on vishing threats — Teach employees to be suspicious of unsolicited IT-related calls or requests.
Enable strict MFA policies — Don’t rely on voice-only authentication.
Implement the principle of least privilege — Limit access rights for tools like Data Loader.
Enforce connected-app governance — Use IP restrictions, approval workflows, and monitoring to detect anomalies.
Use advanced auditing tools — Solutions like Salesforce Shield can help detect unusual data exports.
Develop incident response plans — Prepare in advance for potential extortion or data leak scenarios.
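The connected-app governance and export-monitoring takeaways above can be combined into one correlation rule: flag a connected-app authorization that is not on the allowlist, then escalate if the same user performs a large export soon afterwards. The following Python sketch is an added example, not code from Google or Salesforce; the event schema, app identifiers, IP ranges and thresholds are all hypothetical, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical policy values (assumptions, not from the article or Salesforce).
# Allowlist by app identifier: a look-alike app can copy a trusted display name.
APPROVED_APP_IDS = {"APP-ID-DATALOADER-CORP"}
CORP_NETS = [ip_network("203.0.113.0/24")]
EXPORT_ROW_LIMIT = 10_000
WINDOW = timedelta(hours=24)

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"ts": "2025-06-10T09:00:00", "user": "alice", "type": "app_authorized",
     "app_id": "APP-ID-DATALOADER-CORP", "ip": "203.0.113.10"},
    {"ts": "2025-06-10T09:30:00", "user": "alice", "type": "export",
     "app_id": "APP-ID-DATALOADER-CORP", "ip": "203.0.113.10", "rows": 50_000},
    {"ts": "2025-06-11T14:02:00", "user": "bob", "type": "app_authorized",
     "app_id": "APP-ID-UNKNOWN-1", "ip": "198.51.100.7"},
    {"ts": "2025-06-11T14:20:00", "user": "bob", "type": "export",
     "app_id": "APP-ID-UNKNOWN-1", "ip": "198.51.100.7", "rows": 42_000},
    {"ts": "2025-06-12T08:00:00", "user": "carol", "type": "export",
     "app_id": "APP-ID-DATALOADER-CORP", "ip": "203.0.113.44", "rows": 300},
]

def in_corp(ip):
    """True if the address falls inside an approved corporate range."""
    return any(ip_address(ip) in net for net in CORP_NETS)

def find_alerts(events):
    """Return (user, rule) tuples in time order."""
    alerts, risky_auth = [], {}  # risky_auth: user -> time of unapproved grant
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "app_authorized":
            if e["app_id"] not in APPROVED_APP_IDS:
                risky_auth[e["user"]] = ts
                alerts.append((e["user"], "unapproved_app_authorized"))
        elif e["type"] == "export":
            if not in_corp(e["ip"]):
                alerts.append((e["user"], "export_from_external_ip"))
            granted = risky_auth.get(e["user"])
            if (granted is not None and ts - granted <= WINDOW
                    and e["rows"] >= EXPORT_ROW_LIMIT):
                alerts.append((e["user"], "bulk_export_after_unapproved_app"))
    return alerts

if __name__ == "__main__":
    for user, rule in find_alerts(EVENTS):
        print(f"ALERT user={user} rule={rule}")
```

Large exports by an approved app from a corporate address (alice) stay quiet, so the rule keys on the unapproved grant rather than on volume alone.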
The Salesforce–Google hack is a powerful reminder: no organization—no matter how large—is immune to cyber threats that exploit human behavior rather than software vulnerabilities.