Google Confirms Data Breach Linked to ShinyHunters Group: Customer Information Compromised
- Cyber Jack

- Aug 7
In a blog post published late Tuesday, Google confirmed that customer information had been stolen in a breach involving one of its Salesforce database systems, attributed to the hacking group ShinyHunters, formally identified as UNC6040. The breach affected a system used to store contact information and related notes for small and medium-sized businesses, raising concerns about the vulnerability of cloud-based platforms to voice phishing and other social engineering tactics.
According to Google's Threat Intelligence Group, the compromised data mainly consisted of "basic and largely publicly available business information," including business names and contact details. However, Google did not disclose the number of affected customers or provide further details. The company also refrained from confirming whether it had received ransom demands from the attackers.
ShinyHunters, a group known for targeting large corporations' cloud systems, previously infiltrated Salesforce platforms in attacks on companies like Cisco, Qantas, and Pandora. These incidents have prompted a broader conversation about the security of cloud environments and the increasing reliance on social engineering techniques to bypass traditional defenses.
Lidia Lopez, Strategic Research Team Lead at Outpost24, noted, "The news is that Google has also been affected. We’ll likely see more names in the coming days if the threat actor continues with the extortion stage." Lopez explained that the Salesforce-related attacks began in March 2025, with Salesforce warning customers about an uptick in voice phishing tactics targeting its platform. The attacks gained momentum in June 2025, with Google’s Threat Intelligence Group confirming that approximately 20 US-based and European companies were targeted.
Lopez continued, "The attacks employed sophisticated voice phishing (vishing) social engineering techniques, in which the threat actor called English-speaking employees, pretended to be IT support, and tricked them into revealing login credentials or installing malicious versions of Salesforce tools." Weeks or even months later, victims received extortion phone calls and emails demanding Bitcoin payments to a specific wallet address, with the threat of data being leaked on underground forums or a Data Leak Site (DLS).
Ensar Seker, CISO at SOCRadar, emphasized that this breach serves as a stark reminder of how even the most robust enterprises are not immune to social engineering exploits.
"Google’s confirmation that UNC6040 breached a corporate Salesforce instance via vishing, without exploiting any technical flaw, underscores how even elite organizations can be deceived when human trust is weaponized."
Seker further highlighted the importance of tightening security measures, saying, "Though the data was described as largely publicly available, the breach still carries significant risk. Even minimal information like public contact details provides a foundation for highly targeted phishing, impersonation, or extortion attempts. This case reinforces the urgent need for organizations to treat user confirmation flows, like app approvals, as potential attack vectors."
David Stuart, Cybersecurity Evangelist at Sentra, pointed to the broader trend of attacks targeting Salesforce environments, noting, "This breach is the latest in a string of attacks targeting Salesforce environments, from Qantas to Pandora and now Google. It’s a clear signal that attackers are focusing on where data is most concentrated, and often least visible — within cloud SaaS applications."
Stuart emphasized the need for a shift in how organizations approach security: "Voice phishing tactics and other forms of social engineering are proving effective because the security model for SaaS platforms like Salesforce typically relies too heavily on perimeter controls and user authentication. Organizations need to shift their mindset: it’s not just about securing systems, but understanding where sensitive data originates and lives, how it moves, and who touches it, and being proactive about ensuring its security posture."
Ben McCarthy, Lead Cyber Security Engineer at Immersive, echoed this sentiment, stressing how social engineering remains a highly effective tactic for attackers. "Recent cyberattacks against major retail and consumer brands like Qantas, Chanel and most recently, Pandora, have highlighted how attackers exploit trusted technologies like Salesforce. In fact, any software that collects and stores customer data is a prime target."
McCarthy further explained, "The barrier to entry for these types of attacks is surprisingly low. Many groups, including ShinyHunters, are successfully using these techniques, demonstrating that threat actors don't need a complex technology stack; they mainly rely on human error."
The breach has highlighted a key issue: the personal information accessed, such as names, dates of birth, and email addresses, is difficult to change once compromised. "This information is weaponized by cybercriminals for phishing attacks," McCarthy added. "Customers trust companies to secure their data, and even the smallest of breaches means that trust is broken."
As the fallout from these attacks continues, it underscores the urgent need for enhanced vigilance and proactive security measures, especially for organizations handling sensitive data. The breach not only exposes vulnerabilities in cloud systems but also serves as a warning to businesses about the critical importance of safeguarding against social engineering and reinforcing user security practices.


