Google Salesforce breach due to voice phishing

Google has confirmed that its corporate Salesforce instance was breached in June 2025 by the cybercriminal group ShinyHunters (UNC6040). The attack, disclosed on August 5, resulted in the exposure of contact information and business notes for small and medium-sized enterprises stored in the company's CRM platform.

Google Salesforce breach due to voice phishingGoogle Salesforce breach due to voice phishing

According to Google’s Threat Intelligence Group, attackers used advanced voice phishing (vishing) tactics to impersonate IT support staff, tricking employees into granting system access. They exploited a malicious version of Salesforce’s Data Loader application, leading employees to authorize a fraudulent connected app that allowed data extraction.

Google Salesforce breach due to voice phishingGoogle Salesforce breach due to voice phishing

Millions of Records Potentially Exposed Security researchers estimate that around 2.55 million records were compromised, although Google stated the data was mostly basic and publicly available, including business names and contact details. Importantly, there was no breach of payment data or impact on Google Ads or other advertising tools. Google quickly contained the breach, cutting off access and conducting a full impact assessment, notifying affected customers by August 8.