Google has confirmed it was one of the latest targets in a wide-ranging cyberattack campaign focused on exploiting Salesforce CRM systems. The breach is part of a series of attacks attributed to the ShinyHunters extortion group, which has been actively targeting large enterprises by stealing customer relationship data and using it for ransom demands.
Google admits breach through compromised Salesforce instance
In a recent update, Google acknowledged that in June 2025, one of its internal Salesforce CRM instances was accessed by threat actors. The attackers gained entry through a voice phishing technique aimed at Google employees, a method Google had previously warned about when identifying the group responsible as ‘UNC6040.’
“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post,” the company said.
“Google responded to the activity, performed an impact analysis and began mitigations.”
The compromised system contained contact details and notes related to small and medium-sized business clients. The company confirmed that the attacker was able to retrieve some data during a brief window of unauthorized access.
“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” the company added.
ShinyHunters behind broader campaign targeting enterprise CRM systems
While Google refers to the attackers as UNC6040 or UNC6240, cybersecurity sources have confirmed that the group behind the breaches is the well-known threat actor ShinyHunters. This group has a long track record and is linked to high-profile data breaches involving PowerSchool, Snowflake, Oracle Cloud, and AT&T, among others.
According to a statement given to BleepingComputer, ShinyHunters claimed responsibility for breaching numerous Salesforce environments and said the campaign is still active. In some cases, the attackers are threatening by email to leak data publicly unless companies pay a ransom.
The group reportedly told BleepingComputer that they recently breached a “trillion-dollar company” and were considering leaking the data rather than pursuing a ransom. It is unclear whether they were referring to Google.
Ransom demands and paid extortion emerging across victim companies
BleepingComputer has learned that some of the targeted companies have already paid ransoms. One confirmed victim paid approximately 4 Bitcoins (~$400,000) to prevent their data from being leaked online.
After concluding private extortion efforts, the attackers reportedly plan to leak or sell the stolen data on public hacking forums.
List of major companies impacted
Alongside Google, several other global brands have been impacted in this CRM-focused breach campaign. These include:
- Adidas
- Qantas
- Allianz Life
- Cisco
- Louis Vuitton, Dior, and Tiffany & Co. (all LVMH subsidiaries)