Google hit by Salesforce hack
Google’s Salesforce breach by ShinyHunters in June 2025 exposed business info via voice phishing.

Google has confirmed a data breach involving one of its Salesforce databases, compromised in June 2025 by the hacking group ShinyHunters, also known as UNC6040.

The breach was part of a wider voice phishing campaign targeting Salesforce users, and resulted in the exposure of basic business information belonging to small and medium-sized enterprises.

Although Google has played down the severity of the incident, the breach has fuelled growing concern over corporate cybersecurity gaps and the risk of future extortion attempts. It also raises wider questions about data protection for both companies and individuals.

Details of the Salesforce Breach

In June 2025, hackers infiltrated a Google Salesforce instance used to store contact details and notes for small and medium-sized businesses.

Google's Threat Intelligence Group (GTIG) reported that the attackers, posing as IT support, used voice phishing to trick an employee into approving a malicious version of Salesforce's Data Loader app.

This allowed the attackers to exfiltrate basic business information, such as company names and contact details, during a 'small window of time' before access was revoked.

Google stated, 'The data retrieved was confined to largely publicly available information,' and confirmed no sensitive personal or financial data was compromised.

The breach is linked to a campaign affecting many organisations, including Google itself, Louis Vuitton, Chanel, Allianz, Adidas, Qantas, and Pandora, with hackers exploiting Salesforce's connected app functionality to access and steal data.

How the Hackers Operated

The ShinyHunters group, known for high-profile data thefts, employed sophisticated social engineering tactics.

Attackers impersonated IT personnel, contacting English-speaking employees at multinational firms via phone calls to guide them to a fake Salesforce setup page.

Victims were tricked into entering an eight-digit code, linking a malicious Data Loader app to their Salesforce environment.

This granted hackers 'significant capabilities to access, query, and exfiltrate sensitive information,' with some attacks enabling lateral movement to platforms like Okta and Microsoft 365.

Google noted that the attackers used Mullvad VPN IPs and Tor to mask their activities, complicating detection.
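
As an added illustration of how a defender might look for the pattern described above (this is not code from Google, Salesforce or the original article), the sketch below flags a connected-app authorisation that is not on an allow-list, notes when it comes from an anonymising network, and then watches for bulk API reads by that app. The event fields, app names, thresholds and IP ranges are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (hypothetical): event field names, app names, thresholds, and the
# anonymiser range, which uses an RFC 5737 documentation network as a stand-in.
APPROVED_APPS = {"Data Loader (corp-managed)"}
ANON_NETS = [ip_network("203.0.113.0/24")]
WINDOW = timedelta(hours=1)   # how long to watch an app after it is authorised
ROW_LIMIT = 10_000            # rows read in the window before alerting
ROGUE = "Data Loader (unreviewed copy)"

def ev(ts, user, event, app, ip, rows=0):
    """Build one constructed audit event (not a real log format)."""
    return {"ts": "2025-01-15T" + ts, "user": user, "event": event,
            "app": app, "src_ip": ip, "rows": rows}

EVENTS = [  # constructed sample data
    ev("09:02:00", "alice", "app_authorized", "Data Loader (corp-managed)", "192.0.2.10"),
    ev("09:05:00", "alice", "api_query", "Data Loader (corp-managed)", "192.0.2.10", 500),
    ev("14:31:00", "bob", "app_authorized", ROGUE, "203.0.113.77"),
    ev("14:35:00", "bob", "api_query", ROGUE, "203.0.113.77", 6000),
    ev("14:40:00", "bob", "api_query", ROGUE, "203.0.113.77", 7000),
    ev("14:50:00", "bob", "api_query", ROGUE, "203.0.113.77", 3000),
]

def is_anonymised(ip):
    return any(ip_address(ip) in net for net in ANON_NETS)

def detect(events):
    """Return (user, app, reason) alerts in time order."""
    alerts, watch = [], {}  # watch: (user, app) -> [auth time, rows read, fired]
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, key = datetime.fromisoformat(e["ts"]), (e["user"], e["app"])
        if e["event"] == "app_authorized" and e["app"] not in APPROVED_APPS:
            reason = "unapproved app authorised"
            if is_anonymised(e["src_ip"]):
                reason += " from anonymising network"
            alerts.append((e["user"], e["app"], reason))
            watch[key] = [ts, 0, False]
        elif e["event"] == "api_query" and key in watch:
            state = watch[key]
            if ts - state[0] <= WINDOW:
                state[1] += e["rows"]
                if state[1] > ROW_LIMIT and not state[2]:
                    state[2] = True  # alert once per authorisation
                    alerts.append((e["user"], e["app"], "bulk export after authorisation"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
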

Salesforce clarified, 'There's no indication the issue stems from any vulnerability inherent to our services,' attributing the breach to user manipulation rather than platform flaws.

An X post from @TweetThreatNews on 7 August 2025 stated, 'Google confirms Salesforce database breach by ShinyHunters via social engineering and vishing, exposing business info and demanding Bitcoin extortion.'

Wider Implications and Concerns

While Google claims the stolen data was limited, experts warn of significant risks. Ben McCarthy, a cybersecurity engineer, noted, 'A key issue is the personal information being accessed in these attacks, such as names and dates of birth, is information that can't be changed.'

The breach's timing, months before disclosure, raises questions about transparency, with Google not confirming whether a ransom demand was received.

Reports suggest ShinyHunters may launch a data leak site to pressure victims, with one company reportedly paying £300,000 ($400,000) in Bitcoin to prevent leaks.

An X post from @Hackerslord_24 on 6 August 2025 warned, 'Hackers accessed contact data for small biz clients in June—now they're back, threatening victims with 72-hour bitcoin extortion demands.'

The incident underscores vulnerabilities in cloud-based platforms, with fears that stolen data could fuel further phishing scams or identity theft. Businesses are urged to enhance multi-factor authentication, restrict API permissions, and train staff to recognise vishing tactics to prevent future breaches.

The Google breach, while contained, highlights the growing threat of social engineering in corporate cybersecurity.

As ShinyHunters continues targeting Salesforce users, the incident serves as a wake-up call for organisations to bolster defences, with potential ripple effects for data privacy and trust in cloud services.