Google Confirms Salesforce Data Breach by ShinyHunters Exposing Millions of SMB Records

Aug 11, 2025

Summary

Google has acknowledged a cybersecurity breach impacting one of its corporate Salesforce systems. The intrusion, attributed to the cybercriminal group ShinyHunters (tracked internally as UNC6040), occurred in June 2025 and involved the extraction of basic business contact information, with user notifications completed by August 8, 2025.

What Happened

  • Incident Timing: In June 2025, ShinyHunters infiltrated a Google Salesforce instance used to manage contact details and notes for small and medium-sized businesses.

  • Attack Method: The breach was executed via voice phishing (vishing)—attackers impersonated IT support staff to trick employees into authorizing a malicious Salesforce Data Loader application. This granted the attackers access and allowed data exfiltration.

  • Stolen Data: The compromised data were described as “basic and largely publicly available business information,” including business names, phone numbers, and related agent notes. ShinyHunters claims to have obtained around 2.55 million records, although Google reports the breach was contained quickly.

Google's Response

  • On August 5, 2025, Google publicly confirmed the breach, and notifications to affected parties were completed by August 8, 2025. Users were informed that payment data and core advertising platforms (Ads, Merchant Center, Analytics) remained unaffected.

  • Google's Threat Intelligence Group (GTIG) emphasized that the breach was limited, with access revoked soon after detection.

Broader Context

  • ShinyHunters / UNC6040 is a well-known cybercriminal entity responsible for several high-profile attacks this year, including breaches at Qantas, Allianz Life, Louis Vuitton, Pandora, AT&T, Santander, and Ticketmaster.

  • These campaigns frequently follow data theft with extortion demands, sometimes weeks or months later. A related threat cluster, UNC6240, is known to initiate extortion and prepare data leak sites to pressure victims.

Why It Matters

  • This incident demonstrates that even leading tech organizations like Google remain vulnerable to social-engineering tactics.

  • The breach underscores the importance of human-focused defenses (like training, vishing awareness, and strict controls over connected apps) in cloud environments.

  • The exposed SMB contact data may be exploited for targeted phishing campaigns or as part of broader attack strategies by adversaries.

Key Takeaways

  • Voice phishing remains a potent tool for breaching corporate systems—even for companies with advanced security infrastructure.

  • Attackers are shifting their tactics from relying solely on technical exploits to leveraging psychological manipulation and app-based abuses of trusted platforms like Salesforce.

  • Organizations should implement robust safeguards: multi-factor authentication, least-privilege access, app consent reviews, and employee training on recognizing vishing attempts.

  • Even “limited impact” breaches can become significant in aggregate, especially when they involve business contacts and pave the way for future threats.
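The "app consent reviews" takeaway, sketched as an added example (not code from Google, Salesforce, or ClearPhish): a review of connected-app authorizations against an allowlist keyed on the app's client identifier rather than its display name, since an app can be named anything, including "Data Loader". The record fields, client IDs, and users below are hypothetical and the sample grants are constructed.

```python
from dataclasses import dataclass

# Hypothetical allowlist: client_id -> (display name, users permitted to authorize it).
APPROVED_APPS = {
    "cid-dataloader-001": ("Data Loader", {"crm-admin@example.com"}),
    "cid-reporting-002": ("Quarterly Reporting",
                          {"analyst@example.com", "crm-admin@example.com"}),
}

@dataclass(frozen=True)
class Grant:
    """One connected-app authorization (hypothetical export format)."""
    app_name: str
    client_id: str
    user: str

def _norm(name: str) -> str:
    # Compare names case-insensitively, ignoring spaces and punctuation.
    return "".join(ch for ch in name.lower() if ch.isalnum())

def review_grants(grants, approved=APPROVED_APPS):
    """Return (grant, reason) pairs for every authorization needing follow-up."""
    approved_names = {_norm(name) for name, _ in approved.values()}
    findings = []
    for g in grants:
        entry = approved.get(g.client_id)
        if entry is None:
            # The display name is chosen by whoever built the app, so a
            # familiar name on an unknown client_id is the stronger signal.
            if _norm(g.app_name) in approved_names:
                findings.append((g, "unapproved app reusing an approved app's name"))
            else:
                findings.append((g, "unapproved app"))
        elif g.user not in entry[1]:
            # Least privilege: an approved app is still limited to named users.
            findings.append((g, "approved app, user not entitled to authorize it"))
    return findings

# Constructed sample data for illustration.
SAMPLE_GRANTS = [
    Grant("Data Loader", "cid-dataloader-001", "crm-admin@example.com"),
    Grant("Data Loader", "cid-unknown-777", "support-rep@example.com"),
    Grant("Quarterly Reporting", "cid-reporting-002", "support-rep@example.com"),
    Grant("Calendar Sync", "cid-unknown-888", "analyst@example.com"),
]

if __name__ == "__main__":
    for grant, reason in review_grants(SAMPLE_GRANTS):
        print(f"{grant.user}: {grant.app_name} ({grant.client_id}) -> {reason}")
```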

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
