Google confirmed that a recent data breach in one of its Salesforce CRM systems exposed information about potential Google Ads customers.
“We’re writing to let you know about an event that affected a limited set of data in one of Google’s corporate Salesforce instances used to communicate with prospective Ads customers,” reads the data breach notification.
“Our records indicate basic business contact information and related notes were impacted by this event.”
Google says the exposed information includes business names, phone numbers, and “related notes” for a Google sales agent to contact them again.
The company stated that payment information wasn’t compromised and there is no effect on Ads data in Google Ads, Merchant Center, Google Analytics, or other Ads products.
ShinyHunters, a group of threat actors, has been carrying out data theft attacks against Salesforce customers.
Google hasn’t revealed how many people were affected, but ShinyHunters claims that about 2.55 million data records were stolen. It’s uncertain if these records include duplicates.
ShinyHunters further told BleepingComputer that they are also working with threat actors associated with Scattered Spider, who are responsible for first gaining initial access to targeted systems.
“Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same,” ShinyHunters said.
“They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”
The threat actors now call themselves “Sp1d3rHunters” to reflect the group of people involved in these attacks.
The threat actors trick employees into giving their login info or connecting a fake Salesforce app to their accounts.
The threat actors then steal the entire Salesforce database and demand a ransom via email, threatening to publish the stolen data if it’s not paid.
These Salesforce attacks were first reported in June, with Google experiencing similar issues a month later.
Databreaches.net reported that the threat actors have already demanded a ransom from Google. After the story was published, ShinyHunters told BleepingComputer that they asked for 20 Bitcoins, or about $2.3 million, from Google to keep the data private.
“I don’t care about ransoming Google anyway, I just sent them a bogus email for the lulz of it,” said the threat actor.
ShinyHunters says they have since switched to a new custom tool that makes it easier and quicker to steal data from compromised Salesforce instances.
In an update, Google recently acknowledged the new tooling, stating that they have seen Python scripts used in the attacks instead of the Salesforce Data Loader.