Google has confirmed that it was the target of a cyberattack in June, when a hacker group linked to ShinyHunters accessed one of its Salesforce CRM databases. The company disclosed the breach as part of a broader campaign affecting around 20 organizations across Europe and the Americas. According to Google, the attackers obtained contact information and notes about small and medium-sized business clients before the intrusion was detected and terminated.
Google security officials traced the incident to a method known as vishing (voice phishing). Attackers impersonated IT support staff during phone calls and convinced a Google employee to authorize the installation of a connected app, a modified version of Salesforce's Data Loader. Once granted access, the fraudulent tool enabled the theft of CRM data and lateral movement into other cloud systems. Google labeled the threat actor behind the campaign UNC6040, though the group often presents itself as ShinyHunters when extorting victims.
Google Threat Intelligence Group (GTIG) investigators also uncovered the use of custom Python scripts in some UNC6040 operations. These bespoke tools were used in place of the Salesforce Data Loader in cases where tighter security controls were present. The attackers frequently relied on anonymizing VPN services such as Mullvad and Tor, complicating attribution and mitigation. The shift in tactics is evident: instead of exploiting software vulnerabilities, threat actors now weaponize trusted workflows such as OAuth connected-app approval. Emerging trends, such as AI-generated voice phishing and deepfake impersonation, are likely to amplify these social engineering risks in enterprise environments.
Google said the compromised data in its case consisted mostly of business names, email addresses, and publicly available contact notes. Beyond the tech titan, confirmed victims include Adidas, Qantas, Chanel, Allianz Life, and LVMH subsidiaries such as Louis Vuitton and Dior. These attacks are part of a coordinated campaign exploiting CRM access to harvest customer data at scale. In at least one case, victims reportedly paid nearly $400,000 in ransom via Bitcoin to prevent data from being leaked on hacking forums.
“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” the tech titan wrote in an update.
It is evident that the attackers exploited trust, not technical vulnerabilities. Salesforce and Google emphasized that no platform bugs were exploited. Instead, the attacks highlight a pressing weakness in enterprise security: human susceptibility to manipulation. Because the lure is delivered by phone rather than email, it bypasses traditional email-based phishing filters, which calls for revised internal training and stricter application access policies. Google's response team acted swiftly to terminate unauthorized access, revoke credentials, and notify affected clients. The company has also updated its policies around connected app authorizations and is working closely with law enforcement.
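The attack pattern described above (a user is talked into approving an unsanctioned connected app, and that app then pulls CRM records in bulk, often from an anonymizing network) can be surfaced from audit data without any knowledge of a specific vulnerability. The script below is an added example for this article, not code from Google, Salesforce, or GTIG. Its log schema (`ts|kind|user|app|ip|rows`), the `APPROVED_APPS` allowlist, the `ANONYMIZING_IPS` placeholder list, and the sample log lines are all constructed for illustration; a real deployment would map the same signals (app authorization events, export volume, source IP, timing) onto the org's actual audit feed.

```python
"""Connected-app abuse detection (added example; constructed schema, not a
Salesforce Event Monitoring format). Flags bulk exports that combine two
or more risk signals drawn from the incident described in the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed allowlist: connected apps an admin has sanctioned for this org.
APPROVED_APPS = {"Salesforce Data Loader", "Corp Reporting Connector"}

# Constructed placeholder addresses standing in for a Tor/VPN exit-node feed.
ANONYMIZING_IPS = {"198.51.100.7", "203.0.113.42"}


@dataclass
class Event:
    ts: datetime
    kind: str          # "APP_AUTHORIZED" or "BULK_EXPORT"
    user: str
    app: str           # connected app name as presented at approval time
    ip: str
    rows: int = 0      # records returned; meaningful for BULK_EXPORT only


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form ts|kind|user|app|ip|rows."""
    ts, kind, user, app, ip, rows = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), kind, user, app, ip, int(rows))


def unapproved_grants(events):
    """Every app authorization whose app is not on the allowlist."""
    return [e for e in events
            if e.kind == "APP_AUTHORIZED" and e.app not in APPROVED_APPS]


def suspicious_exports(events, window=timedelta(hours=24), row_threshold=10_000):
    """Return (event, reasons) for bulk exports carrying >= 2 risk signals.

    Signals: export soon after the same user authorized the same app,
    unapproved app, source IP on the anonymizing-network list, large row count.
    Requiring two signals keeps a legitimate first-day export from firing alone.
    """
    last_grant = {}   # (user, app) -> timestamp of most recent authorization
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "APP_AUTHORIZED":
            last_grant[(e.user, e.app)] = e.ts
            continue
        if e.kind != "BULK_EXPORT":
            continue
        reasons = []
        granted = last_grant.get((e.user, e.app))
        if granted is not None and e.ts - granted <= window:
            reasons.append("export within %s of app authorization" % window)
        if e.app not in APPROVED_APPS:
            reasons.append("unapproved connected app")
        if e.ip in ANONYMIZING_IPS:
            reasons.append("source IP on anonymizing-network list")
        if e.rows >= row_threshold:
            reasons.append("row count %d >= %d" % (e.rows, row_threshold))
        if len(reasons) >= 2:
            findings.append((e, reasons))
    return findings


# Constructed sample log: a benign approved-app export, then the article's
# pattern (new unapproved app, large export minutes later, anonymizing IP).
SAMPLE_LOG = """\
2025-06-10T09:02:00|APP_AUTHORIZED|alice@example.com|Corp Reporting Connector|192.0.2.10|0
2025-06-10T09:05:00|BULK_EXPORT|alice@example.com|Corp Reporting Connector|192.0.2.10|800
2025-06-11T14:20:00|APP_AUTHORIZED|bob@example.com|My Ticket Portal|198.51.100.7|0
2025-06-11T14:31:00|BULK_EXPORT|bob@example.com|My Ticket Portal|198.51.100.7|52000
"""


def analyze(log_text: str):
    """Parse a log and return (unapproved grants, suspicious export findings)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return unapproved_grants(events), suspicious_exports(events)


if __name__ == "__main__":
    grants, findings = analyze(SAMPLE_LOG)
    for g in grants:
        print("unapproved app authorized:", g.user, g.app, g.ts)
    for e, reasons in findings:
        print("suspicious export:", e.user, e.app, e.rows, "rows;", "; ".join(reasons))
```

Two design choices matter here. First, the allowlist check runs at authorization time, which is the point the article identifies as the weak link, so an unsanctioned app is visible before any export happens. Second, exports are scored on a combination of signals rather than any single one, so that a normal user running a large report through an approved tool on day one is not flagged while the timing, app, network, and volume pattern from the incident is.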