Google confirms Salesforce data breach targeting prospective ads customers

Google has confirmed that a data breach affecting one of its Salesforce CRM instances exposed information belonging to potential Google Ads customers, with the incident linked to an ongoing wave of attacks targeting Salesforce users.

In breach notifications shared with BleepingComputer, Google said the compromised data included basic business contact information such as company names, phone numbers, and internal sales notes used by Google representatives to follow up with prospective advertisers. The company stressed that no payment information was exposed and that existing customer data in Google Ads, Merchant Center, Google Analytics, and other advertising products remains unaffected.

The breach was carried out by the hacking group ShinyHunters, which claimed responsibility for stealing roughly 2.55 million records. It remains unclear how many of those are unique entries. The group says it partnered with members of Scattered Spider to gain initial access, later exfiltrating entire Salesforce databases from targeted organizations. The attackers, who now refer to themselves as “Sp1d3rHunters,” have used social engineering to obtain employee credentials or trick victims into authorizing a malicious version of Salesforce’s Data Loader application.

Once inside, the group allegedly downloads full CRM datasets and threatens to release them unless ransom demands are met. In Google’s case, ShinyHunters claimed they sent a demand for 20 Bitcoins, worth about $2.3 million, though later dismissed it as a prank.

Google’s Threat Intelligence Group first warned about this Salesforce exploitation campaign in June before falling victim a month later. The company says recent attacks have shifted from using Salesforce’s official Data Loader to custom Python scripts, allowing faster and more automated data theft.

The FBI and cybersecurity experts have urged companies using Salesforce to review security protocols, enable multi-factor authentication, and closely monitor for suspicious app integrations to mitigate similar threats.