Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group. The attack targeted Google’s customer relationship management system, stealing business contact information from small and medium-sized customers.
This wasn’t a high-tech hack. Instead, the cybercriminals used something much simpler and more dangerous: fake phone calls.
How the Attack Worked
ShinyHunters is a cybercriminal group known for breaking into organizations via social engineering. In most schemes, they’ll impersonate a company’s IT support desk using voice phishing techniques and trick an employee into resetting their password.
The process is surprisingly simple but effective:
- The Call: Hackers call employees pretending to be IT support
- The Trick: They create a fake emergency requiring password reset
- The Access: Once they get login details, they steal customer data
- The Demand: They threaten to release the data unless paid
The breach, affecting mainly small and medium-sized business clients, allowed attackers to access business contact details, such as company names, emails, and phone numbers. Google quickly acted to stop further access and informed customers about the incident.
Shocking Numbers Behind the Campaign
The scale of this attack campaign is staggering. In one high-profile ransom message, the threat actors claimed the campaign had compromised data from 91 organizations worldwide. Victims included Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Air France–KLM, Allianz Life, Cisco, Pandora, and others.
Some eye-opening facts about the ShinyHunters group:
- successful attacks against around 165 organizations, including household brands like AT&T, Santander Bank, Neiman Marcus, and Ticketmaster
- Massive Allianz Life data breach impacts 1.1 million people
- The group has been active since 2020, making millions from data theft
Why This Attack Method Works So Well
Voice phishing (or “vishing”) is becoming the weapon of choice for cybercriminals because it exploits human trust rather than computer weaknesses. Salesforce confirmed to BleepingComputer that accounts are not breached through a vulnerability attack but rather via social engineering attacks.
The attackers don’t need to find security holes in software. Instead, they target the weakest link in any security system: people.
What Makes These Calls So Convincing?
- Pressure tactics: Creating fake emergencies that demand quick action
- Personal information: Using publicly available details to sound legitimate
- Professional tone: Sounding like real IT support staff
- Technical language: Using terms that make them seem knowledgeable
Growing Threat to American Businesses
In June 2025, French authorities arrested a BreachForums administrator linked to ShinyHunters, coinciding with the forum’s shutdown. Many expected this to disrupt the group, but the Salesforce campaign continued. This shows how persistent and organized these criminal groups have become.
For US businesses, this trend is particularly worrying because:
- Salesforce is used by millions of American companies
- Small and medium businesses often have fewer security resources
- The attacks are becoming more sophisticated and harder to detect
How to Protect Your Business
Employee Training is Critical
The best defense against vishing attacks is educating your team:
- Never give passwords or login details over the phone
- Always verify caller identity through official channels
- Be suspicious of urgent requests for access or information
- Report suspicious calls to your IT department immediately
Technical Safeguards
- Use multi-factor authentication on all business accounts
- Implement strict password policies
- Regularly review and update access permissions
- Monitor unusual account activity
The Bigger Picture
Experts say the attack mirrors recent breaches at Google, Pandora, and Cisco, revealing a coordinated campaign exploiting CRM platforms and employee trust across industries. This isn’t just about one company or one attack – it’s part of a larger trend that threatens businesses across all industries.
The Google incident serves as a wake-up call for companies everywhere. In an age where we focus so much on technical security, sometimes the simplest attacks – a convincing phone call – can cause the most damage.
As cybercriminals continue to evolve their tactics, businesses must stay one step ahead by combining strong technical defenses with comprehensive employee education. Because when it comes to cybersecurity, your people are both your greatest asset and your biggest vulnerability.
