Google’s Salesforce Breach Exposes SMB Data via Voice Phishing

Voice phishing attacks on Google’s Salesforce database expose contact details of small businesses worldwide, highlighting cloud security risks

Key Takeaways

• Google confirms data breach affecting Salesforce database containing contact information for small and medium businesses, executed by ShinyHunters ransomware group through voice phishing attacks in June
• $400,000 ransom payment confirmed as one company already paid 4 Bitcoins to prevent data leak, while ShinyHunters threatens a trillion-dollar company with potential data release
• Data breach costs surge to $4.88 million average representing a 10% increase from previous year, as Business Email Compromise attacks account for $6.3 billion in global losses

Introduction

Google’s Threat Intelligence Group confirms a successful cyberattack on its Salesforce database, marking another high-profile victim in an escalating wave of cloud-based data theft. The ShinyHunters ransomware group, designated as UNC6040 or UNC6240, successfully breached Google’s customer contact database through sophisticated voice phishing attacks targeting employees.

The attack affects small and medium business data stored within Google’s Salesforce instance. Google describes the stolen information as largely public data, including business names and contact details, though the company remains vague about the total number of affected customers.

Key Developments

The breach occurred in June when threat actors executed voice phishing campaigns against Google employees to gain unauthorized access to Salesforce systems. Google’s security team detected the intrusion during what the company describes as a “limited window” before cutting off access and initiating impact analysis procedures.

ShinyHunters operates by downloading customer data from breached Salesforce instances, then extorting companies with threats to leak sensitive information unless ransom demands are met. The group typically communicates threats via email or phone, demanding payment in Bitcoin to prevent data publication.

Google spokesperson Mark Karayan declined to provide specific details about customer impact numbers or confirm whether the company received direct ransom demands. The company has not disclosed its response to any potential extortion attempts.

Market Impact

The breach represents part of a broader attack campaign targeting major corporations’ Salesforce implementations. Recent victims include Cisco, Qantas, Adidas, Allianz Life, and LVMH subsidiaries, demonstrating the widespread vulnerability of cloud-based customer relationship management systems.

One affected company has already paid approximately $400,000 in Bitcoin to prevent data exposure, according to Forbes reporting. This payment signals the immediate financial impact organizations face when targeted by these sophisticated extortion schemes.

ShinyHunters claims to have breached a trillion-dollar company and is considering releasing the data rather than pursuing extortion, though the identity of this potential victim remains unclear.

Strategic Insights

The attack exposes critical vulnerabilities in enterprise cloud security strategies, particularly around third-party platform integrations like Salesforce. Organizations increasingly rely on cloud-based CRM systems, creating concentrated targets for cybercriminals seeking valuable customer data.

Voice phishing represents an evolution in social engineering tactics, bypassing traditional email security measures by directly targeting employees through phone calls. This approach exploits human psychology rather than technical vulnerabilities, making it particularly difficult to prevent through conventional cybersecurity tools.

The breach highlights the growing commoditization of stolen data, with cybercriminal groups operating sophisticated business models around data theft and extortion. ShinyHunters’ extensive track record includes successful attacks on PowerSchool, Oracle Cloud, AT&T, and Wattpad, indicating persistent and organized criminal operations.

Expert Opinions and Data

William Wright, CEO of Closed Door Security, emphasizes that this breach “underscores cybercrime vulnerability across industries” and highlights “the escalating impact of cyberattacks on financial and reputational risks.” Wright urges firms to adopt evolving strategies to protect user data against increasingly sophisticated threats.

Industry data reveals the mounting financial consequences of data breaches, with global costs reaching $4.88 million on average in 2024, representing a 10% increase from the previous year. Business Email Compromise attacks alone accounted for $6.3 billion in global losses, demonstrating the costly impact of social engineering tactics.

Security experts note that human error causes approximately 60% of successful data breaches, reinforcing the critical importance of employee training programs alongside technical security measures. Recent analysis shows 184 million unique usernames and passwords have been exposed across various breaches involving major technology companies.

Conclusion

Google’s confirmation of the Salesforce database breach demonstrates the persistent threat posed by organized cybercriminal groups targeting cloud-based business systems. The attack’s success through voice phishing tactics signals a concerning evolution in social engineering approaches that bypass traditional security measures.

The incident reinforces the urgent need for comprehensive security strategies addressing both technical vulnerabilities and human factors in enterprise environments. As ShinyHunters continues threatening additional data releases, organizations face mounting pressure to strengthen their defenses against sophisticated extortion schemes targeting cloud infrastructure and customer data.