Google Salesforce Hack: Causes, Risks and Your Next Steps


At a Glance
- What happened: In June 2025, Google’s internal Salesforce system was compromised by the hacker group ShinyHunters (UNC6040)
- Data affected: Only basic SMB contact info such as company names, emails, phone numbers and notes. No passwords or financial data
- Attack method: Voice phishing (vishing), manipulated Salesforce Connected App, and custom Python tools
- Risks: Targeted phishing campaigns, reputational damage, possible extortion via data leak sites
- Key takeaway: Staff training, MFA, least privilege access and strict control of Connected Apps, ideally with professional compliance support
Background – What Happened?
In June 2025, an internal Salesforce CRM system at Google was hacked. Critically, this system is specifically used for managing customer and contact information of small and medium-sized businesses, making the breach particularly relevant for many companies. The attackers, known as ShinyHunters (UNC6040), gained access to contact information and sales notes.
Although the stolen information is considered basic and largely publicly accessible, it still carries significant potential for misuse. This incident is part of a larger, ongoing campaign targeting Salesforce databases. Other victims include Adidas, Qantas, Cisco, Allianz Life, Pandora, and several LVMH brands. The focus is on exploiting human weaknesses rather than technical vulnerabilities in the Salesforce platform.
Google acted quickly, cutting off unauthorized access within a short time. However, the company warned of possible follow-on risks, especially in connection with extortion tactics.
Attack Method: How Google’s Data Was Stolen
Social Engineering via Vishing
The hackers used voice phishing, calling employees and posing as internal IT support. Their goal was to get employees to authorize a manipulated version of the Salesforce Data Loader, often disguised as a legitimate app named “My Ticket Portal.”
Technical Execution
The attacks were carried out via Connected Apps using OAuth integration. In some cases, custom Python scripts were used to automate uploads and downloads and bypass security controls.
The operation was split between multiple clusters. UNC6040 handled the initial compromise, while UNC6240 is suspected of handling the subsequent extortion and data release.
Extortion Risk via Data Leak Sites
Google believes ShinyHunters may be preparing to post the stolen data on a data leak site. These platforms are used to publish stolen data and pressure companies into paying ransom. Even seemingly harmless basic data can be leveraged for targeted follow-up attacks.
Who Are ShinyHunters and Who Else Have They Targeted?
ShinyHunters have been active in the cybercrime scene for years, known for breaching major brands and their cloud databases. Victims have included Ticketmaster, Santander, Dior, and Louis Vuitton.
Their strength lies in combining social engineering with deception, exploiting the cloud connectivity of tools like Salesforce. Platform vulnerabilities are rarely the target. The human factor is the main entry point.
Risks for Businesses: What Does This Mean for You?
- Phishing wave: Even basic data is enough to craft convincing phishing emails or calls
- Reputational damage: Public or misused data can erode trust with customers and partners
- Compliance risks: Gaps in access controls can lead to fines under regulations like GDPR, even if sensitive data was not exposed
- Financial loss: Incidents like this can cost millions in response measures, legal fees, and customer communications
Immediate Actions: What You Can Do Now
| Measure | Description |
|---|---|
| Employee Awareness | Regular training on social engineering, vishing and cloud security |
| MFA & Least Privilege | Multi-factor authentication everywhere, grant only necessary permissions |
| Control Connected Apps | Allow only vetted apps, perform regular app audits |
| Monitoring & Logging | Automatically monitor suspicious activity, especially in cloud platforms |
| Incident Response Plan | Simulate breach scenarios, define clear escalation paths and communication plans |
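As an added example (not code from the article, from Google or from Salesforce), the following Python script shows how the "Control Connected Apps" and "Monitoring & Logging" measures can reinforce each other: it audits a constructed, simplified API activity log for apps that are not on a vetted allowlist and for large bulk exports, and ranks highest the pattern described above, an unvetted app pulling bulk CRM data. The CSV column names, the allowlist and the 10,000-row threshold are assumptions for this example, not Salesforce's own log schema or defaults.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log. The column layout is an assumption for this example,
# not the real Salesforce EventLogFile schema.
SAMPLE_API_LOG = """\
timestamp,user,connected_app,api_type,operation,rows
2025-06-10T09:01:12Z,alice@example.com,Data Loader,Bulk,query,1200
2025-06-10T09:05:44Z,bob@example.com,Salesforce Mobile,REST,query,25
2025-06-10T14:22:03Z,carol@example.com,My Ticket Portal,Bulk,query,48000
2025-06-10T14:25:51Z,carol@example.com,My Ticket Portal,Bulk,query,52000
2025-06-10T15:02:10Z,dave@example.com,Marketing Sync,REST,query,300
"""

# Assumed allowlist of apps that passed the vetting process.
APPROVED_APPS = {"Data Loader", "Salesforce Mobile"}
# Assumed threshold: bulk query jobs above this many rows per user and app get reviewed.
BULK_ROW_THRESHOLD = 10_000


def audit_api_log(csv_text, approved_apps=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD):
    """Return unapproved app usage and per-(user, app) bulk export totals at or above threshold."""
    unapproved = defaultdict(list)  # app -> [(user, rows), ...]
    bulk_rows = defaultdict(int)    # (user, app) -> total rows pulled via Bulk query
    for row in csv.DictReader(io.StringIO(csv_text)):
        app, rows = row["connected_app"], int(row["rows"])
        if app not in approved_apps:
            unapproved[app].append((row["user"], rows))
        if row["api_type"] == "Bulk" and row["operation"] == "query":
            bulk_rows[(row["user"], app)] += rows
    large = {key: total for key, total in bulk_rows.items() if total >= threshold}
    return {"unapproved_apps": dict(unapproved), "large_bulk_exports": large}


def prioritize(findings):
    """Rank findings: a large bulk export through an unapproved app is the critical case."""
    alerts = []
    exported_apps = {app for (_, app) in findings["large_bulk_exports"]}
    for (user, app), total in findings["large_bulk_exports"].items():
        severity = "critical" if app in findings["unapproved_apps"] else "review"
        alerts.append((severity, f"{user} exported {total} rows via {app}"))
    for app, uses in findings["unapproved_apps"].items():
        if app not in exported_apps:  # unapproved but no large export yet: still needs a look
            users = sorted({user for user, _ in uses})
            alerts.append(("review", f"unapproved app {app} used by {users}"))
    return sorted(alerts, key=lambda alert: alert[0] != "critical")


if __name__ == "__main__":
    for severity, message in prioritize(audit_api_log(SAMPLE_API_LOG)):
        print(f"[{severity}] {message}")
```

The approved Data Loader job stays below the threshold and is not reported, while the same tool disguised under an unvetted name and pulling 100,000 rows surfaces as the only critical alert.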
Case Study: Pandora
Pandora, a global jewelry retailer, was also hit in this attack wave. Names and email addresses were stolen. Passwords and payment details were untouched. Still, Pandora warned customers about potential phishing attempts and urged caution with unexpected communications.
Investigations and Law Enforcement
In June 2025, four suspected members of ShinyHunters were arrested in France. Law enforcement agencies from multiple countries are working together to dismantle the group’s infrastructure.
Despite these arrests, the attackers remain highly adaptive, with separate cells operating independently and evolving their methods.
FAQ – Quick Answers
Q: Were sensitive data like passwords stolen from Google?
A: No. Only basic company names, phone numbers, emails and notes were taken.
Q: Why target Salesforce?
A: Salesforce holds valuable customer data and is cloud-accessible. Attackers exploit human weaknesses through techniques like vishing rather than technical flaws in the platform.
Q: What is a data leak site?
A: A website where stolen data is published, often to pressure companies into paying ransom.
Q: How quickly should I respond to a suspected breach?
A: Immediately. Even a few hours’ delay can greatly increase the risk of further data theft or public release.
Conclusion: Where heyData Comes In
The Google Salesforce hack proves that even tech giants can fall victim to social engineering. Technical safeguards are only half the battle. The human factor remains the weakest link.
This is where heyData can help:
- Compliance landscape check with a digital audit
- GDPR-compliant processes and documentation
- Compliance and data protection training
- External data protection officers and security and compliance consulting
With heyData, you get not just tools, but expert guidance to make your organization resilient against attacks like this.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.