Google has officially confirmed that a recent data breach impacted one of its Salesforce CRM instances, exposing information linked to potential Google Ads customers. The incident was tied to the infamous ShinyHunters group, known for large-scale data theft and extortion schemes.
What Happened in the Breach
In a data breach notification, Google revealed that basic business contact information—including business names, phone numbers, and related sales notes—was exposed. These details were stored in a Salesforce CRM instance used for communicating with prospective Ads clients.
Google emphasized that no payment information or active Ads account data (including Merchant Center, Google Analytics, and other products) was compromised. However, the attackers reportedly stole approximately 2.55 million records, although duplicates may exist.
Who is Behind the Attack?
The breach has been linked to ShinyHunters, a group that recently began collaborating with the hacking collective known as Scattered Spider. Together, they now operate under the alias “Sp1d3rHunters”.
According to the attackers, Scattered Spider specializes in initial access operations, often through social engineering—tricking employees into providing login credentials or authorizing malicious Salesforce Data Loader applications. Once inside, ShinyHunters exfiltrates the stolen data and attempts to extort the targeted organization.
How the Attack Unfolded
In this case, attackers reportedly:
- Used social engineering to compromise employee accounts.
- Linked malicious OAuth apps to Salesforce environments.
- Downloaded entire CRM databases.
- Issued an extortion demand, in this instance 20 Bitcoin (~$2.3 million), to Google.
Interestingly, the group claimed that their ransom demand to Google was “just for fun”, suggesting they did not expect payment. Nonetheless, the stolen data remains at risk.
A Broader Salesforce Targeting Trend
This breach is part of a wider wave of attacks on Salesforce customers that began earlier in 2025. The Google Threat Intelligence Group (GTIG) reported such campaigns in June, warning businesses to tighten security.
In recent months, ShinyHunters has adopted custom Python-based tools to streamline Salesforce data theft, bypassing the older Data Loader method. This evolution underscores the growing sophistication of CRM-targeted cyberattacks.
Conclusion
While Google states that core Ads services remain unaffected, the incident highlights a critical reality—supply chain vulnerabilities in CRM platforms can lead to significant data exposure even for tech giants. Organizations using Salesforce or similar tools should implement strict access controls, review OAuth app permissions, and train staff against phishing to prevent falling victim to similar breaches.
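One way to carry out the OAuth app review recommended above is sketched here. This is an added example, not code from Google, Salesforce or the original article. It flags connected-app authorizations outside an approved list and adds up how many records each one pulled. The event fields, app names, scopes and threshold are assumptions constructed for illustration, not Salesforce's actual log schema.

```python
"""Flag unapproved OAuth connected-app grants and their export volume.

Field names and records are constructed for illustration; they are not
Salesforce's real audit-log schema.
"""
from collections import defaultdict

# Assumption: apps the organisation has reviewed and approved.
APPROVED_APPS = {"Corp Data Loader", "Marketing Sync"}
# Assumption: scopes that give an app broad, long-lived access to CRM data.
BROAD_SCOPES = {"full", "api", "refresh_token"}
# Assumption: rows pulled by one user/app pair at or above this count as bulk.
BULK_ROW_THRESHOLD = 100_000

# Constructed sample events: OAuth grants and API query results.
EVENTS = [
    {"type": "oauth_grant", "user": "alice", "app": "Corp Data Loader", "scopes": ["api"]},
    {"type": "oauth_grant", "user": "bob", "app": "DataLoader-Support", "scopes": ["full", "refresh_token"]},
    {"type": "api_query", "user": "alice", "app": "Corp Data Loader", "rows": 1_200},
    {"type": "api_query", "user": "bob", "app": "DataLoader-Support", "rows": 400_000},
    {"type": "api_query", "user": "bob", "app": "DataLoader-Support", "rows": 350_000},
    {"type": "oauth_grant", "user": "carol", "app": "Marketing Sync", "scopes": ["api"]},
]

def find_risky_grants(events, approved=APPROVED_APPS):
    """Return one finding per grant to an app that is not on the approved list."""
    rows = defaultdict(int)
    for e in events:
        if e["type"] == "api_query":
            rows[(e["user"], e["app"])] += e["rows"]  # total rows per user/app
    findings = []
    for e in events:
        if e["type"] != "oauth_grant" or e["app"] in approved:
            continue
        exported = rows[(e["user"], e["app"])]
        findings.append({
            "user": e["user"],
            "app": e["app"],
            "broad_scopes": sorted(BROAD_SCOPES & set(e["scopes"])),
            "rows_exported": exported,
            "bulk_export": exported >= BULK_ROW_THRESHOLD,
        })
    return findings

if __name__ == "__main__":
    for finding in find_risky_grants(EVENTS):
        print(finding)
```

A finding with broad scopes and a bulk export is the pattern to triage first: revoke the app's tokens, then confirm with the user whether they authorized it.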





