Google representatives have confirmed that a recent data breach linked to the Salesforce hack affected Google Ads customer data.
As a reminder, last week Google reported that it had suffered a data breach. This incident was another attack by the ShinyHunters hacking group, which in recent months has been targeting Salesforce CRM.
Back in June 2025, Google’s own specialists warned that the groups they track under the codenames UNC6040 and UNC6240 (aka ShinyHunters) were attacking companies using social engineering and vishing (voice phishing). The hackers’ goal is to compromise Salesforce and gain access to customer data. It was reported that after stealing the data, the attackers extort money from the affected companies, threatening to publish the stolen information if they refuse.
As it emerged last week, back in June of this year Google itself fell victim to a similar attack: hackers managed to compromise one of the Salesforce CRM instances and stole customer data.
“In June, one of Google’s corporate Salesforce instances was affected by similar UNC6040 activity. Google responded to the incident, conducted an impact assessment, and took remedial actions,” the company said in a statement. “This instance was used to store contact information and related notes about small and medium-sized businesses. The analysis showed that the data was exfiltrated by the attackers in a short timeframe before access was cut off. The information obtained by the attackers was largely limited to basic and publicly available data, such as company names and contact details.”
As reported by Bleeping Computer, the data leak affected Google Ads customers.
Google’s investigation found that the compromised data included company names, phone numbers, and “related notes” used by account managers to follow up with customers. It emphasized that the leak did not affect payment information or data from Google Ads, Merchant Center, Google Analytics accounts, or other company advertising products.
“We are reporting an incident that affected a limited set of data in one of the corporate Salesforce instances used by Google to communicate with prospective Ads customers,” the breach notice says. “Our records show that as a result, basic contact details and related notes were compromised.”
According to journalists, the long-standing hacker group ShinyHunters is behind the attack. In the past, this group was known for attacks on Oracle Cloud, Snowflake, AT&T, NitroPDF, Wattpad, MathWay, and so on.
In recent months, near-identical Salesforce-related data breaches have already affected: Adidas, the airline Qantas, the insurer Allianz Life, a number of LVMH brands (Louis Vuitton, Dior and Tiffany & Co), the Cisco.com website, as well as the fashion house Chanel and the Danish jewelry company Pandora.
Although Google has not disclosed the number of affected users, the hackers told reporters they stole about 2.55 million records from the company and then demanded a ransom of 20 bitcoins from Google (around US$2.3 million at the current exchange rate).
“I couldn’t care less about getting a ransom from Google. I just sent them a fake email for the lulz,” said a representative of the attackers.
ShinyHunters also told the publication that they are working with the Scattered Spider group, which is responsible for obtaining initial access to the target systems.
“As we’ve said repeatedly: ShinyHunters and Scattered Spider are one and the same,” the hackers said. “They give us initial access, and we make dumps and exfiltrate data from Salesforce. Just like with Snowflake.”
As journalists note, the attackers now call themselves Sp1d3rHunters, combining the names of both groups.