Google's Salesforce breach exposed customer contact data

by Aaron Flack on Aug 14, 2025


Google has confirmed that hackers stole customer information by breaching one of its corporate Salesforce databases. The company said the incident occurred in June and involved data tied to small and medium business prospects for Google Ads. The stolen records were described as basic business contact details and related sales notes. Google has not disclosed how many organisations were affected, and it has not provided a country-level breakdown. The disclosure lands amid a wider wave of attacks on companies’ Salesforce environments, underscoring how quickly trust in household names can be tested when attackers abuse cloud software.

Google attributes the activity to a financially motivated threat cluster it tracks as UNC6040, now known as ShinyHunters. The group has historically relied on voice phishing, also known as vishing. Operators impersonate internal IT on the phone, then walk employees through steps that result in granting access to a connected app inside Salesforce. In several cases across the wider campaign, the scammers persuaded targets to install or authorise a lookalike of Salesforce’s Data Loader tool. Once the malicious app is approved, attackers can export large volumes of CRM records at speed. Salesforce said its core platform was not exploited directly. The technique abuses people and app integrations rather than a platform flaw, which is why the same playbook has worked across multiple victims.

What was taken, and what was not

Google’s description of the stolen data is narrow. It points to business names, phone numbers and notes used by sales teams, and it emphasises that this is a corporate CRM dataset rather than a production system that runs consumer services. Reporting from security outlets and breach notifications seen by journalists aligns with that framing, and there is no indication that payment information or Google Account credentials were exposed. Even so, CRM data can carry commercial value. Sales notes can reveal intent, budget cycles, internal contacts and partner relationships. Once in criminal hands, this type of data often feeds spear phishing and social engineering, which can be more damaging than the initial theft.

Google’s threat intelligence team first publicised the UNC6040 campaign in early June, warning that vishing and malicious connected apps were being used to raid Salesforce tenants. On 5 August, the company added an update that one of its own Salesforce instances had been hit in June and that attacker access had been cut quickly after detection. Tech media picked up the story on 6 August, and by 8 August, Google had emailed impacted business contacts. The ongoing stream of victim disclosures from other brands during the same week highlights the scale of the campaign rather than a one-off hit.

Who was affected

Google has not said how many records were accessed or which countries were represented. The affected dataset relates to prospective Google Ads customers, which implies a global footprint. That likely includes the UK, given the size of Google’s advertising customer base here, although no public source has confirmed a specific UK count. For now, the only definitive indicator is whether a business received a Google notification message. As with most CRM-focused breaches, regulatory reporting requirements will hinge on whether personal data was involved and whether the risk to individuals meets the legal threshold in a given jurisdiction.

This incident did not occur in isolation. Security reporters and vendors have documented a spree of Salesforce-related data thefts in recent weeks, with companies across sectors acknowledging exposure of customer or prospect data. The common thread is social engineering, followed by OAuth abuse through connected apps. Salesforce has urged customers to tighten controls rather than wait for platform patches. That posture reflects a painful reality. Cloud software concentrates value. Misconfigured or over-permissive integrations turn that value into low-friction loot. In this case, the primary risk was not an exotic exploit. It was a convincing voice on a phone and a plausible workflow.

Even basic business contact data can catalyse higher-impact crime. UK firms routinely use Salesforce and similar software to centralise go-to-market operations, store partner notes and track renewals. If that intelligence is stolen, the next call into a sales or finance queue may appear more credible. That has practical consequences. Privilege escalation and invoice fraud often begin with a thread pulled from CRM. The Google disclosure also shows that even well-resourced companies can be caught by campaigns that blend psychology, process knowledge and app authorisations.

Evidence-based risk considerations

Several control themes recur across the confirmed cases and official guidance. They are worth noting for any team that depends on Salesforce or similar tools.

  1. Treat voice as an untrusted channel. Institute a callback rule for any request that could change access, MFA or app authorisations. Verification should use an internal directory number, not a number provided by the caller.

  2. Tightly govern connected apps and data export. Restrict who can create or approve connected apps. Require explicit security review for Data Loader-style tools. Disable or alert on bulk export permissions where they are not essential.

  3. Prefer phishing-resistant multi-factor authentication for admin and high-value roles. Device-bound passkeys or security keys reduce the payoff of vishing that aims to harvest codes.

  4. Constrain where Salesforce can be accessed from. Use conditional access to limit logins to known networks, managed devices or both. Pair this with strict session controls for high-risk actions, such as authorising new apps.

  5. Monitor for anomalous OAuth grants and significant export activity. Baseline normal data movement for sales teams. Investigate spikes rather than filtering them as business as usual.

  6. Keep your service desk out of the blast radius. Train and script for social engineering, then audit adherence. Do not reprimand users who report near misses. That keeps the signal flowing.
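
One way to implement the monitoring in item 5, as an added example that is not part of the original article: it flags OAuth grants to apps outside a reviewed allowlist and export days far above a user's own prior median. The event field names, the sample events, the app names and the thresholds are all assumptions constructed for illustration, not a Salesforce log schema.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events. The field names are hypothetical and are not a
# Salesforce log schema; map your own event-monitoring export onto them.
EVENTS = [
    {"day": "2025-06-02", "user": "alice", "type": "export", "rows": 400},
    {"day": "2025-06-03", "user": "alice", "type": "export", "rows": 350},
    {"day": "2025-06-04", "user": "alice", "type": "export", "rows": 500},
    {"day": "2025-06-05", "user": "alice", "type": "oauth_grant", "app": "Data Loader (approved)"},
    {"day": "2025-06-02", "user": "bob", "type": "export", "rows": 200},
    {"day": "2025-06-03", "user": "bob", "type": "export", "rows": 250},
    {"day": "2025-06-04", "user": "bob", "type": "oauth_grant", "app": "Loader Tool (unreviewed)"},
    {"day": "2025-06-04", "user": "bob", "type": "export", "rows": 90000},
]
APPROVED_APPS = {"Data Loader (approved)"}  # allowlist maintained by security review


def find_anomalies(events, approved_apps, factor=10, min_history=2):
    """Return sorted (day, user, reason) alerts for unreviewed OAuth grants and
    for export days exceeding `factor` times the user's own prior median."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> rows exported
    for e in events:
        if e["type"] == "oauth_grant" and e["app"] not in approved_apps:
            alerts.append((e["day"], e["user"], f"unreviewed app grant: {e['app']}"))
        elif e["type"] == "export":
            daily[e["user"]][e["day"]] += e["rows"]
    for user, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]  # earlier days only
            if len(history) < min_history:
                continue  # too little data to call anything a spike
            baseline = median(history)
            if per_day[day] > factor * baseline:
                alerts.append((day, user, f"export spike: {per_day[day]} rows vs median {baseline}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS, APPROVED_APPS):
        print(alert)
```

Users with fewer than `min_history` prior export days are not scored, so pair the relative check with an absolute row ceiling for new or rarely exporting accounts.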

None of these measures is novel. They are effective precisely because the attacks are not exotic. The success of UNC6040 demonstrates that criminals will continue to exploit human vulnerabilities, particularly when a trusted brand or tool can be leveraged to facilitate the con. The lesson is not that large providers are reckless. It is that even with strong engineering, the attack surface sits where people, process and cloud conveniences meet.

Sources

| Company | Title | Link |
| --- | --- | --- |
| TechCrunch | Google says hackers stole its customers’ data by breaching its Salesforce database | https://techcrunch.com/2025/08/06/google-says-hackers-stole-its-customers-data-in-a-breach-of-its-salesforce-database/ |
| Yahoo Finance | Google says hackers stole its customers’ data by breaching its Salesforce database | https://finance.yahoo.com/news/google-says-hackers-stole-customers-120525867.html |
| Forbes | Google Confirms It Has Been Hacked — What User Data Was Stolen | https://www.forbes.com/sites/daveywinder/2025/08/09/google-confirms-it-has-been-hacked---user-data-stolen/ |
| Forbes | Google Data Breach — August 8 Email Warnings Now Confirmed | https://www.forbes.com/sites/daveywinder/2025/08/08/google-data-breach-august-8-email-warnings-now-confirmed/ |
| Google Threat Intelligence Blog | The Cost of a Call: From Voice Phishing to Data Extortion | https://cloud.google.com/blog/topics/threat-intelligence/the-cost-of-a-call-from-voice-phishing-to-data-extortion |
| Reuters | Hackers abuse modified Salesforce app to steal data, extort companies, Google says | https://www.reuters.com/technology/cybersecurity/hackers-abuse-modified-salesforce-app-steal-data-extort-companies-google-says-2025-06-05/ |
| BleepingComputer | Google confirms data breach exposed potential Google Ads customers’ info | https://www.bleepingcomputer.com/news/security/google-confirms-data-breach-exposed-potential-google-ads-customers-info/ |
| The Register | Google confirms customer data stolen from Salesforce DB | https://www.theregister.com/2025/08/06/google_salesforce_breach/ |
| CSO Online | We too were breached, says Google, months after revealing Salesforce attacks | https://www.csoonline.com/article/3494569/we-too-were-breached-says-google-months-after-revealing-salesforce-attacks.html |
| ITPro | Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks, then realised they had fallen victim | https://www.itpro.com/security/google-salesforce-breach-shinyhunters |
| SAN | Google says database holding customer data breached by hackers | https://san.com/cc/google-says-database-holding-customer-data-breached-by-hackers/ |
| NCSC | Phishing attacks: defending your organisation | https://www.ncsc.gov.uk/guidance/phishing |
| NCSC | Using Software as a Service securely | https://www.ncsc.gov.uk/guidance/using-software-as-a-service-securely |