Google has disclosed a data breach involving a Salesforce database, becoming the latest high-profile victim in a widespread campaign targeting cloud-based customer relationship management (CRM) platforms. The attack, attributed to the notorious cybercriminal group ShinyHunters—also tracked as UNC6040—underscores the growing sophistication and scale of cyber threats facing major corporations through social engineering and targeted phishing schemes.
Details of the Breach
In June 2025, ShinyHunters reportedly infiltrated a Google-operated Salesforce CRM system designed to store contact details and business notes for small and medium-sized clients. According to Google’s statement, the attackers exploited voice phishing (“vishing”) techniques. By impersonating IT support personnel, they successfully convinced targeted employees to grant access to Salesforce environments.
Once inside, the hackers leveraged Salesforce’s Connected App setup—often presenting malicious OAuth applications as legitimate Salesforce tools—to maintain persistence and exfiltrate CRM data. Google clarified that the compromised information was limited to basic, publicly available business details, such as company names and contact information. There is no indication at present that sensitive personal data or highly confidential business records were exposed. The company has also not disclosed the exact scope of the breach or whether ransom demands were made.
Wider Campaign Targeting Salesforce Customers
This incident is part of a broader, ongoing campaign by ShinyHunters and related cybercriminal groups, who have recently targeted other prominent organizations, including Cisco, Qantas, Adidas, LVMH, and Chanel. Security analysts note strong overlaps in techniques between ShinyHunters and other collectives like “The Com” and “Scattered Spider,” though each is tracked as distinct entities.
Misconceptions and Defensive Measures
Despite concerns, investigations confirm there is no evidence of a technical vulnerability within the Salesforce platform itself. Instead, threat actors rely on social engineering—most notably, tricking employees into granting access and installing malicious third-party apps.
