Google Ads Customer Data Leaked in Google Hack

Date: 13/08/2025

Google representatives have confirmed that a recent data breach linked to the Salesforce hack affected Google Ads customer data.

As a reminder, last week Google reported that it had suffered a data breach. This incident was another attack by the ShinyHunters hacking group, which in recent months has been targeting Salesforce CRM.

Back in June 2025, Google’s own specialists warned that the groups they track under the codenames UNC6040 and UNC6240 (aka ShinyHunters) were attacking companies using social engineering and vishing (voice phishing). The hackers’ goal is to compromise Salesforce and gain access to customer data. It was reported that after stealing the data, the attackers extort money from the affected companies, threatening to publish the stolen information if they refuse.

As it emerged last week, back in June of this year Google itself fell victim to a similar attack: hackers managed to compromise one of the Salesforce CRM instances and stole customer data.

“In June, one of Google’s corporate Salesforce instances was affected by similar UNC6040 activity. Google responded to the incident, conducted an impact assessment, and took remedial actions,” the company said in a statement. “This instance was used to store contact information and related notes about small and medium-sized businesses. The analysis showed that the data was exfiltrated by the attackers in a short timeframe before access was cut off. The information obtained by the attackers was largely limited to basic and publicly available data, such as company names and contact details.”

As reported by Bleeping Computer, the data leak affected Google Ads customers.

Google’s investigation found that the compromised data included company names, phone numbers, and “related notes” used by account managers to follow up with customers. The company emphasized that the leak did not affect payment information or data from Google Ads, Merchant Center, Google Analytics accounts, or other company advertising products.

“We are reporting an incident that affected a limited set of data in one of the corporate Salesforce instances used by Google to communicate with prospective Ads customers,” the breach notice says. “Our records show that as a result, basic contact details and related notes were compromised.”

According to journalists, the long-standing hacker group ShinyHunters is behind the attack. In the past, this group was known for attacks on Oracle Cloud, Snowflake, AT&T, NitroPDF, Wattpad, MathWay, and others.

In recent months, near-identical Salesforce-related data breaches have already affected Adidas, the airline Qantas, the insurer Allianz Life, a number of LVMH brands (Louis Vuitton, Dior and Tiffany & Co), the Cisco.com website, as well as the fashion house Chanel and the Danish jewelry company Pandora.

Although Google has not disclosed the number of affected users, the hackers told reporters they stole about 2.55 million records from the company and then demanded a ransom of 20 bitcoins from Google (around US$2.3 million at the current exchange rate).

“I couldn’t care less about getting a ransom from Google. I just sent them a fake email for the lulz,” said a representative of the attackers.

ShinyHunters also told the publication that they are working with the Scattered Spider group, which is responsible for obtaining initial access to the target systems.

“As we’ve said repeatedly: ShinyHunters and Scattered Spider are one and the same,” the hackers said. “They give us initial access, and we make dumps and exfiltrate data from Salesforce. Just like with Snowflake.”

As journalists note, the attackers now call themselves Sp1d3rHunters, combining the names of both groups.
