What Google confirmed and which data were exposed
Google acknowledged a data breach that affected a corporate Salesforce CRM instance used to communicate with prospective Ads customers.
In a notification, the company said:
“We’re writing to let you know about an event that affected a limited set of data in one of Google’s corporate Salesforce instances used to communicate with prospective Ads customers.”
Google said the exposed information consisted of basic business contact details and related notes used by sales teams. The company added that payment information was not exposed and that Ads product data — including Google Ads accounts, Merchant Center, and Google Analytics — were not affected.
Key categories reported as exposed:
- Business names
- Phone numbers
- Sales-related notes and contact context
Google did not disclose how many individuals or records were affected.
Threat actors’ claims and the reported scale of the leak
The breach was claimed by the group ShinyHunters, which has been tied to a wider campaign targeting Salesforce customers. ShinyHunters told reporters the stolen dataset contains roughly 2.55 million records, though it is unclear whether that total includes duplicates.
ShinyHunters also said they collaborated with actors associated with Scattered Spider for initial access. In a message to reporters, ShinyHunters said:
“Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same. They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”
The actors now sometimes refer to themselves as “Sp1d3rHunters” to reflect overlapping teams involved in these attacks.
How the attackers reportedly gained access
According to disclosures tied to this wave of incidents, attackers used social engineering and credential abuse to infiltrate Salesforce environments. Methods reported include:
- Social engineering against employees to obtain credentials.
- Tricking staff into linking a malicious version of Salesforce’s Data Loader OAuth app to their Salesforce tenant.
Once the malicious OAuth application gains the necessary permissions, attackers can extract CRM data and perform large-scale exports.
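A defender-side review of the two signals this section describes, a Data Loader lookalike authorized to the tenant and large-scale exports through it, as an added Python example that is not from the original article, Google or Salesforce. The record fields, client IDs, scope set and row threshold are constructed assumptions, not a Salesforce log schema.

```python
import re
from collections import defaultdict
# Constructed allowlist: display name -> client id the security team approved.
APPROVED_APPS = {"Data Loader": "APPROVED-CLIENT-ID-PLACEHOLDER"}
BROAD_SCOPES = {"full", "api"}   # assumption: scopes treated as bulk-read capable
EXPORT_ROW_THRESHOLD = 50_000    # assumption: tune to the org's normal export volume

def _norm(name):  # 'Data-Loader' and 'data loader' both become 'dataloader'
    return re.sub(r"[^a-z0-9]", "", name.lower())

def review_grants(grants, approved=APPROVED_APPS):
    """Return (user, app, reason) for each OAuth grant that needs review."""
    approved_ids = set(approved.values())
    approved_names = {_norm(n) for n in approved}
    findings = []
    for g in grants:
        if g["client_id"] in approved_ids:
            continue  # the approved app itself
        if any(n in _norm(g["app_name"]) for n in approved_names):
            reason = "lookalike_name_unapproved_client_id"
        elif BROAD_SCOPES & set(g["scopes"]):
            reason = "unapproved_app_broad_scope"
        else:
            continue
        findings.append((g["user"], g["app_name"], reason))
    return findings

def bulk_exporters(events, approved=APPROVED_APPS, threshold=EXPORT_ROW_THRESHOLD):
    """Sum rows read per (user, client_id) via unapproved apps; return totals over threshold."""
    approved_ids = set(approved.values())
    totals = defaultdict(int)
    for e in events:
        if e["client_id"] not in approved_ids:
            totals[(e["user"], e["client_id"])] += e["rows"]
    return {k: v for k, v in totals.items() if v >= threshold}

# Constructed sample records (hypothetical field names and values).
SAMPLE_GRANTS = [
    {"user": "alice", "app_name": "Data Loader", "client_id": "APPROVED-CLIENT-ID-PLACEHOLDER", "scopes": ["api"]},
    {"user": "bob", "app_name": "Data-Loader", "client_id": "UNKNOWN-CLIENT-ID-1", "scopes": ["api", "refresh_token"]},
    {"user": "carol", "app_name": "Calendar Sync", "client_id": "UNKNOWN-CLIENT-ID-2", "scopes": ["full"]},
    {"user": "dave", "app_name": "Badge Viewer", "client_id": "UNKNOWN-CLIENT-ID-3", "scopes": ["id"]},
]
SAMPLE_EVENTS = [
    {"user": "alice", "client_id": "APPROVED-CLIENT-ID-PLACEHOLDER", "rows": 90_000},
    {"user": "bob", "client_id": "UNKNOWN-CLIENT-ID-1", "rows": 30_000},
    {"user": "bob", "client_id": "UNKNOWN-CLIENT-ID-1", "rows": 40_000},
]
print(review_grants(SAMPLE_GRANTS), bulk_exporters(SAMPLE_EVENTS))
```

Matching on client ID rather than display name is the point: a lookalike can copy the name of the approved app, but not the identifier the security team allowlisted.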
What Google says is unaffected
Google emphasized that payment details were not exposed and that core Ads product data remains secure. The company framed the incident as limited to a corporate Salesforce instance used for sales outreach, not the platforms that host advertisers’ accounts or Merchant Center inventories.