Google has acknowledged that it was among the companies affected by a broader data theft campaign exploiting Salesforce environments, highlighting growing concerns about the security of widely used CRM platforms.

In an update published on August 5, Google stated that a threat actor successfully accessed data within one of its Salesforce instances. However, the company clarified that the stolen information was mostly publicly accessible, such as business names and contact information related to small and medium-sized enterprises.

The ongoing attack campaign has been attributed to the ShinyHunters group, a financially motivated threat cluster known for voice phishing (vishing) tactics. Google’s Threat Intelligence Group (GTIG) tracks the operation under the names UNC6040 and UNC6240.

Salesforce Vishing Attacks on the Rise

ShinyHunters is infamous for conducting vishing attacks that deceive employees into providing sensitive login credentials and multi-factor authentication (MFA) codes. Once access is gained, attackers exfiltrate large volumes of customer and business data—sometimes leading to extortion attempts.

According to Google, the attackers used its compromised Salesforce instance as a repository for client contacts and internal notes, which the company has since analyzed and taken steps to secure.

Security experts warn that this could just be the beginning.

Potential Escalation: Leak Site Under Development

Google’s threat team has also warned that ShinyHunters may be preparing to launch a public leak site, escalating its extortion tactics. Currently, the group contacts affected companies via calls or emails, demanding Bitcoin payments within 72 hours to avoid exposure.

Should the leak site go live, pressure on victims could increase substantially—especially for organizations affected by recent Salesforce-related breaches.

More Companies May Be Affected

According to William Wright, CEO of Closed Door Security, “ShinyHunters has executed a massive wave of Salesforce-based attacks recently. Organizations need to treat this as a serious and evolving threat.”

He also noted that many attacks may remain undisclosed, hinting that more victim announcements could follow.

Brands like Chanel and Pandora have already confirmed being affected by ShinyHunters’ activities in early August 2025. Other high-profile names suspected to be involved include Allianz Life, Adidas, Qantas, and several brands under LVMH.

Key Takeaway

This incident is a stark reminder of how third-party platforms, like Salesforce, can become attack vectors if not properly secured. Companies must ensure that user access is tightly controlled, that vishing and phishing awareness training is ongoing, and that security monitoring and compliance are maintained across all platforms—especially CRMs containing sensitive client data.

Source: https://www.infosecurity-magazine.com/news/google-salesforce-data-theft