Tech giant Google acknowledged that it suffered a significant data breach, which impacted its corporate Salesforce database. The company sent out email notifications last week, announcing that the breach occurred in June 2025 and that it was carried out by the cybercriminal group known as ShinyHunters, and tracked by the Google Threat Intelligence Group as UNC6040.
The black-hat criminal hacker group, which reportedly refers to itself as “Scattered Spider LAPSU$ Sp1d3r Hunters,” is believed to have formed in or around 2020 and has been credited with the 2021 breach of AT&T Wireless customer data and again in 2024. It has also carried out attacks on Ticketmaster, Mathway, Pixir, Microsoft, Mashable, and Pluto TV, among others.
Attack Continues
Google announced that the exposed data had included business names, phone numbers, and “related notes,” but no payment information was exposed. The tech giant further suggested that it would have no impact on Google Ads data in Google Ads Account, Merchant Center, Google Analytics, and other Ads products.
The hacking collective had carried out a voice-phishing campaign against Salesforce in June, using modified versions of Data Loader to export Salesforce data.
Hackers claiming to be affiliated with the group claim that approximately 2.55 million data records were obtained in the breach.
“Though this attack is not entirely surprising, it is still troubling given Google’s scale and security posture,” explained Ensar Seker, CISO at cybersecurity provider SOCRadar. “What this incident illustrates is that even the most defensible organizations can be compromised by targeted social engineering attacks.”
Seker told ClearanceJobs that in this case, the threat actors linked to UNC6040 (ShinyHunters) exploited voice phishing tactics to trick employees into granting access via Salesforce’s connected apps, a human-centered bypass of strong technical controls.
Quick Response, But Issues Will Continue
By all accounts, Google’s response was timely and precise.
“They detected unusual activity, cut off access quickly, conducted an impact assessment, and communicated transparently about what data was potentially exposed,” said Seker. “That said, because the incident involved business contact data, while not highly sensitive, it does underscore that vigilance in human interaction flows is as important as technical security measures.”
Moreover, this shouldn’t cause widespread alarm among consumers.
“Google clarified that product-specific data such as Google Ads account details, payment information, or Merchant Center data was not compromised,” added Seker. “However, affected businesses should remain watchful for sophisticated phishing or impersonation attempts that may leverage the exposed information. In this kind of attack, danger often derives from the downstream misuse of seemingly innocuous data. Ensuring vigilance, especially around inbound calls or emails that reference Google or Salesforce, is the prudent path for organizations managing sensitive customer relationships.”
Targeting the Weakest Link
As with other high-profile breaches, this one also targeted what has been the weakest link in cybersecurity, namely, people.
“It’s not surprising that this attack occurred or how it occurred. Social engineering is involved in 70% – 90% of successful data breaches, and in an even higher percentage of Scattered Spider successes,” warned Roger Grimes, data-driven defense evangelist at KnowBe4.
He told ClearanceJobs that all the defensive technology in the world can only do so much. “Hackers will simply trick their way around it using social engineering,” said Grimes. “It’s why you must conduct great security awareness training. If you aren’t doing aggressive security awareness training and warning about common types of attacks that can be used against your environment – e.g., social engineering against Salesforce instances – it’s almost cybersecurity negligence.”
Grimes added that the general public shouldn’t be concerned about this particular breach. Yet, the world should be concerned that social engineering is involved in the vast majority of data breaches.
“No company in this world, including Google, spends even 5% of its IT/IT security budget to fight that particular type of threat,” Grimes further cautioned. “It is that fundamental misalignment between how attackers attack and how defenders defend that allows hackers and their malware creations to be so long-term successful.”
