https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Google has officially confirmed a data breach affecting one of its Salesforce CRM instances that exposed information belonging to potential Google Ads customers, with threat actors claiming to have stolen approximately 2.55 million data records containing business contact information. The breach, conducted by the notorious ShinyHunters group, compromised basic business contact details including company names, phone numbers, and related sales notes, though Google emphasised that payment information and actual Google Ads account data remained unaffected by the incident.
The attack is part of an ongoing wave of sophisticated data theft campaigns targeting Salesforce customers, with ShinyHunters working in collaboration with threat actors associated with Scattered Spider to gain initial system access. The combined group, now calling itself “Sp1d3rHunters,” uses social engineering against employees to obtain credentials or to trick them into linking malicious versions of Salesforce’s Data Loader OAuth app to targeted environments. Once access is established, the attackers download entire Salesforce databases and proceed to extort companies via email, threatening to release stolen data unless ransom demands are met.
The Google breach follows a pattern of similar attacks first reported by the Google Threat Intelligence Group in June 2025, ironically affecting the same company that had warned others about these campaigns just one month earlier. According to reports, ShinyHunters has already sent an extortion demand to Google and has since upgraded its attack methodology, switching from Salesforce Data Loader to custom Python scripts that enable faster and more efficient data extraction from compromised instances. While Google has not disclosed the exact number of individuals affected, the incident highlights the growing threat posed by coordinated cybercriminal groups that combine social engineering expertise with advanced technical capabilities to target cloud-based business systems containing sensitive customer information.