Key Takeaways:
- Google confirmed a Salesforce database breach affecting small business contact records, carried out through a social engineering scheme.
- Hackers used voice phishing to impersonate IT staff and trick an employee into installing a malicious data loader tool.
- The stolen data consisted of publicly available contact details, not sensitive personal or financial information.
- The breach was attributed to the ShinyHunters group, which has targeted multiple global firms with similar tactics in 2025.
- Google warned the attackers may attempt extortion or leak the data publicly to apply pressure.
Google has disclosed that it was the victim of a targeted cyberattack involving the theft of data from a Salesforce system used to manage contact information for small and medium-sized businesses. The breach, which occurred in June, was executed using a voice phishing attack—also known as vishing—by a threat group linked to ShinyHunters.
In a statement from Google’s Threat Intelligence team, the company revealed that the attackers impersonated internal IT staff and convinced an employee to install what appeared to be a legitimate Salesforce Data Loader. Once installed, this tool enabled unauthorized access to a Salesforce database that contained business contact records and related notes. As reported by TechCrunch, the breach was swiftly contained and no highly sensitive personal or financial data was exposed.
The cybercriminal group responsible, ShinyHunters—also tracked as UNC6040—has been active throughout 2025 in targeting major global companies. The same group is believed to be behind recent attacks on firms including Qantas, Allianz Life, Adidas, Louis Vuitton, Pandora, and Cisco. These attacks typically follow a similar pattern: gaining access to cloud-based customer systems through a combination of social engineering and credential misuse. In Google’s case, the attackers gained access through real-time deception, rather than exploiting a software vulnerability.
According to Axios, the breach involved only “basic contact information” such as company names, phone numbers, emails, and general notes collected through outreach. Google emphasized that while the breach did not include passwords or financial data, it was taken seriously due to the method of access and the potential for escalation.
The attackers reportedly acted under the guise of internal support personnel and persuaded a staff member to download a tool that mimicked Salesforce’s Data Loader software. This phony tool served as the entry point into the CRM system. From there, the hackers accessed a dataset that, while not confidential in the traditional sense, could still be used for further targeting or reputational damage.
Google also warned that it believes the group may attempt to extort the company or its customers by threatening to release the data. The attackers are suspected of developing or preparing to launch a public-facing data leak site, where stolen data could be published unless ransom demands are met. Similar tactics have been observed in prior ShinyHunters operations, according to SecurityWeek, where stolen data is posted to darknet forums or used to pressure organizations into payments.
While the scale of this breach may be modest compared to attacks involving credential theft or payment systems, the incident highlights a recurring weakness across even the most security-conscious enterprises: human vulnerability. Social engineering attacks, especially vishing, bypass technical defenses by relying on real-time deception and trust exploitation. An employee believing they are cooperating with internal security teams can unintentionally provide attackers with everything they need to access high-value systems.
LiveMint reported that Google has since taken several steps to prevent similar attacks in the future. These include additional employee training around phishing and vishing techniques, updated access controls on cloud-based tools like Salesforce, and ongoing collaboration with external partners to detect follow-up threats or attempted extortion efforts.
Cybersecurity researchers suggest that this event signals a broader trend: as technical defenses improve, attackers are shifting focus to manipulation of people rather than systems. Groups like ShinyHunters have built reputations not only for data theft but for their ability to coordinate high-pressure campaigns involving fraud, ransomware, and public leaks.
The incident also renews attention on how third-party services such as Salesforce are used across large organizations. With customer and partner data often stored in platforms that extend beyond a company’s primary security perimeter, any misstep—whether in authentication, access policy, or employee behavior—can result in a breach. While Salesforce itself was not compromised in this case, its ecosystem was the delivery vector, and the reliance on a third-party platform introduces additional complexity for IT teams.
Other companies that have experienced similar incidents this year include Cisco, which also reported a vishing-based intrusion tied to the same threat group. The growing number of these incidents has led to calls for deeper investment in identity validation tools and a cultural shift in how employees verify unexpected IT or security requests.
Google concluded its statement by reaffirming its commitment to protecting user data and indicated that it will continue to support law enforcement and industry peers in identifying and mitigating the threat actors behind the attack. The company has also pledged to contribute additional findings from this incident to public threat intelligence repositories to assist in wider detection efforts.
Consider a top MSP/IT service provider or even an MSSP to help you stay secure – it is a very dangerous world and the specialization these organizations can provide means they are often up to date on the latest attack vectors. Increasingly, companies are one cyberattack away from shutting down – make sure you work with qualified people before an attack happens to your organization.
Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.
The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing





