ShinyHunters Hackers Breach Google’s Salesforce Database
In June 2025, the threat actor group ShinyHunters carried out a vishing (voice-phishing) campaign that compromised Google’s Salesforce database. The incident is believed to have primarily affected small and medium-sized enterprises, exposing corporate contact details such as company names, email addresses, and phone numbers.
In August, Google issued a public statement confirming the breach and reassuring users that no sensitive information—such as passwords or financial records—had been compromised. The company emphasized that the incident did not stem from a technical vulnerability within Google or Salesforce, but rather from targeted social engineering tactics directed at employees.
This case underscores that cybersecurity threats are not limited to technical flaws. According to Google’s Threat Intelligence Group (GTIG), ShinyHunters (also identified as UNC6040) used voice-phishing techniques, phoning IT staff and other employees while allegedly posing as trusted colleagues. Through sophisticated social engineering, the attackers convinced victims to reset credentials and install malicious applications on corporate devices, thereby creating a temporary access point to sensitive systems.
Google acted swiftly, detecting and neutralizing the intrusion within hours, and promptly notifying all impacted organizations. Company leadership clarified that the data exposure was limited to publicly available corporate contact details and that Google’s incident response procedures effectively contained any potential impact. Salesforce, Google’s cloud services partner, also reaffirmed that the breach was attributable to human error, not a failure in its platform or technology.
Reports indicate that ShinyHunters may be attempting to leverage the exfiltrated data for extortion purposes, demanding cryptocurrency payments from affected organizations. The group has further signaled that, following private extortion attempts, it may seek to sell or release the data through underground forums.
At this stage, Google has not received any ransom demands or direct extortion attempts. However, the company continues to monitor the situation closely and remains vigilant against any future misuse of the compromised information.
- 21/08/2025, thelogicalindian.com
- 10/08/2025, unaaldia.hispasec.com