
Google’s Salesforce CRM Breach by ShinyHunters

Google disclosed that its Salesforce CRM environment had been compromised by the cybercriminal group ShinyHunters, exposing customer contact data from its small- and medium-sized business clients. The breach, which occurred in June 2025 but was revealed publicly in August, was executed through social engineering tactics, particularly voice phishing (vishing). Attackers impersonated trusted personnel to trick an employee into granting access, enabling unauthorized entry into Google’s Salesforce system.
The exposed data primarily consisted of basic contact details and related notes. Google confirmed that no passwords, financial information, or sensitive account credentials were accessed. While the compromised information was limited, the incident illustrated a critical weakness: attackers did not exploit a technical flaw but rather human trust, bypassing technical defenses with relatively low-tech deception.
Security analysts stressed that the breach underscores the growing risks in securing SaaS platforms and CRM integrations, where third-party connectors, data-loading tools, and administrative authorizations can all serve as exploitation paths if employees are manipulated. Despite Google’s assurance that the affected information posed minimal risk, the attack revealed how even leading global technology companies remain vulnerable to well-orchestrated social engineering.
In response, Google initiated a review of its Salesforce configurations, strengthened least-privilege access controls, increased monitoring of third-party integrations, and reinforced employee awareness programs to counter phishing and impersonation attempts. The case serves as a clear reminder that organizational resilience must extend beyond technology to include vigilant human defenses.
