Google Has Been Hacked: ShinyHunters Strike Again

Google has been hacked, and now it’s official.

The tech giant has confirmed the breach in a public statement, revealing that one of its internal Salesforce instances was compromised in a targeted social engineering attack. The breach, attributed to the infamous hacking group ShinyHunters, once again highlights a fundamental truth: the most dangerous vulnerability isn’t in code, it’s in people.

This breach wasn’t the result of a zero-day exploit or a brute-force attack. It was pure social engineering, executed with precision.

The attackers used a vishing (voice phishing) technique, posing as internal IT staff and calling Google employees directly. Over the phone, they convinced some of them to install a malicious version of the Salesforce Data Loader, a legitimate tool used to manage and sync data with Salesforce CRM systems.

Once installed, the compromised Data Loader gave the attackers access to internal Salesforce data, specifically contact records and notes related to Google Ads customers and leads, primarily targeting small and medium-sized businesses.

The Google incident is part of a much broader, months-long campaign targeting Salesforce customers. Victims include Qantas, Allianz Life, Adidas, and luxury brands under LVMH. The common denominator? High-value customer data stored in CRM systems and a phone call that bypassed technical defenses.

In some parallel cases, attackers also launched phishing campaigns mimicking Okta login portals to harvest credentials and MFA tokens, further expanding their access.

Interestingly, the stolen data has not yet been publicly leaked in any of the confirmed cases. Instead, ShinyHunters has been using direct email extortion, threatening to release the data if ransom demands are not met. But if negotiations fail, history suggests massive public leaks could follow, much like the group’s previous breaches involving Snowflake.

Who Are ShinyHunters?

ShinyHunters is a black-hat hacker collective believed to have formed around 2020. They’ve been linked to major breaches at Microsoft’s GitHub, Tokopedia, Wattpad, and numerous others. Their operations often focus on cloud service exploitation, stealing data from SaaS platforms for extortion or sale on the dark web.

Cyber threat analysts track this specific Salesforce-focused campaign under the identifier UNC6040. Some security researchers believe there is operational overlap between ShinyHunters and Scattered Spider (UNC3944), a group known for full-network compromises and ransomware operations. Both share similar tactics and target industries like aviation, retail, and insurance.

Sources like Recorded Future suggest both groups may even share members or collaborate within organized cybercriminal communities such as The Com, potentially inheriting techniques from the now-defunct LAPSUS$ gang.

Conclusion

This incident is a sobering reminder: attacks don’t always target code; sometimes they just target the person on the other end of the line. Google’s breach underscores a rising trend in cybercrime: social engineering exploits that bypass technical defenses altogether.

Francesco Marotta
