Google has confirmed a serious data leak caused by a targeted cyberattack by the hacker group ShinyHunters (UNC6040) in June 2025. The attackers gained unauthorized access to one of the company's Salesforce databases, which contained contact information of business partners.
The attack was based on a sophisticated voice phishing campaign in which the hackers posed as internal IT employees. Through targeted phone calls, they convinced Google employees to install a manipulated version of the Salesforce Data Loader. This software allowed the attackers access to the database until the incident was discovered. According to the Google Threat Intelligence Group (GTIG), the stolen data included business contacts and customer data, but no payment information or personally identifiable user data. Critical company systems remained unaffected.
Experts warn that the obtained data could be misused for further phishing attacks. The incident highlights the dangers of social engineering, as the vulnerability lay not in the technology but in human credulity. Employees trusted the supposed IT instructions without sufficient verification. This shows that even technology giants with robust security measures are vulnerable to such attacks.
So far, there are no indications that ShinyHunters have demanded ransom, although the group has been known for such practices in the past. Google has taken measures to close the security gap and emphasizes that the company's most important systems remain secure. Nevertheless, the incident underscores the need to regularly train employees in recognizing social engineering attacks and to strengthen supply chain security protocols.
The cyber community is closely monitoring developments, as the attack demonstrates how effective simple deception tactics can be even against highly technological companies. Google has announced that it will further improve its security measures to prevent future attacks.
