Google Salesforce Hack August 2025: What Really Happened? How Businesses Can Stay Safe

On August 5, 2025, Google confirmed a serious data breach involving its internal Salesforce database. This event, orchestrated by the notorious cybercriminal group ShinyHunters, is ringing alarm bells across tech and business communities. Small and medium-sized businesses (SMBs) are particularly affected, but the implications reach far beyond. In this article, we break down how the attack happened, who’s impacted, the hacker group involved, and—critically—what your business must do now to prevent being next.

Image of Salesforce platform.

Summary of the Google Hack: Quick Facts

  • Breach Confirmed: August 5, 2025
  • Attack Window: Data stolen in June 2025
  • Target: Google’s cloud-hosted Salesforce CRM database for SMBs
  • Hacker Group: ShinyHunters (aka UNC6040)
  • Method: Social engineering via voice phishing (“vishing”), not software vulnerabilities
  • Data Stolen: Business contact info, company names, notes—NOT sensitive credentials or billing
  • Motivation: Extortion/ransom attempt, with threat of public leaks
  • Who’s at Risk?: SMBs using Google services, and any firm relying on cloud-based SaaS CRM tools.

How Did the Google Salesforce Hack Unfold?

The Social Engineering Tactics

ShinyHunters leveraged "vishing" to impersonate IT support staff, targeting Google employees. By using sophisticated social engineering, hackers convinced staff to either install a rogue version of the Salesforce Data Loader app or connect malicious third-party applications. This allowed unauthorized access, bypassing normal technical defenses. Crucially, the attack didn’t exploit any software vulnerability; rather, it relied on manipulating human trust.

What Data Was Stolen?

The database accessed by the hackers held mostly business contact data—such as company names, work emails, and CRM notes. Google clarified no evidence exists that highly sensitive information (like payment data, passwords, or private account details) was compromised. The breach impacts SMBs whose records were stored in that Salesforce instance, not regular Google consumer accounts.

Timeline of Events

  • June 2025: Attackers gain access, quietly exfiltrate business contact data.
  • August 2025: ShinyHunters go public and attempt to extort Google, demanding ransom.
  • August 5, 2025: Google confirms and discloses the breach.

Why Social Engineering Succeeded

Social engineering- why it succeeded in this hack. Image representing social engineering.
This breach underscores a vital trend: attackers increasingly target people, not code. By mimicking IT support and exploiting employee trust, they bypass even strong technical controls. No organization—no matter how advanced—can ignore the human factor in cybersecurity.


Who Are ShinyHunters?

ShinyHunters, also known as UNC6040, are well-known for sophisticated social engineering and large-scale data theft. After gaining unauthorized access, they typically demand ransom, threatening public data dumps if not paid. In other cases, similar groups have extracted payments as high as $400,000 in Bitcoin from victims aiming to avoid public exposure of data.

Which Businesses Are Affected?

  • Direct Impact: SMBs whose companies’ business contact data was in Google’s Salesforce database.
  • Potential Indirect Impact: Any company using cloud CRM (e.g., Salesforce), Google Workspace, or similar SaaS tools is vulnerable if staff are susceptible to social engineering and improper app installations.


What Should Impacted Businesses Do Now?
Image of a cybersecurity racoon learning what business should do now.

If you’re a Google SMB customer or use cloud CRM systems, take these steps immediately:

  1. Monitor Email & Google/Salesforce Activity: Look for any breach notifications and unusual logins.
  2. Change Account Passwords: Even if passwords were not stolen, it’s critical hygiene after breaches.
  3. Enable Multi-Factor Authentication (2FA): This blocks most unauthorized sign-ins, even if credentials leak.
  4. Audit Connected Apps: Regularly review what third-party apps are attached to Salesforce/Google Workspace. Remove anything unfamiliar or unused.
  5. Train Staff: Educate on current phishing methods, especially IT “vishing” calls or requests for app installations.
  6. Use Security Monitoring Tools: Google’s Security Checkup and Salesforce’s monitoring tools help spot unauthorized account activity.
  7. Have an Incident Response Plan: Know who to contact internally and externally if suspicious activity or breaches occur.


Extortion and Ransom: Should Businesses Worry?

Immediately after Google’s disclosure, ShinyHunters sent ransom demands, attaching stolen data samples to prove their access. While Google hasn’t confirmed paying any ransom, experience from prior incidents indicates hackers may leak information unless demands are met. The prudent approach for businesses: focus on prevention, response, and never trust unsolicited support calls or app requests.

Security Lessons for Every Organization

The Google hack is a wake-up call:

  • Social Engineering Is the Biggest Threat: Technical defenses are only as strong as your staff’s training and vigilance.
  • Zero-Trust Mindset: Trust no app, no caller—always verify claims, especially if IT support is involved.
  • Audit and Monitor: Review permissions, connections, and unusual account behavior regularly.
  • Backup and Incident Response: Have off-cloud backups and a written incident response plan.


FAQ: Salesforce Hack 2025

What happened in the Google Salesforce data breach 2025?

Google confirmed a data breach targeting its internal Salesforce database managed in the cloud, resulting in the exposure of SMB business contact data after employees were tricked by social engineering.

Who is affected by the August 2025 Google hack?

Small and medium-sized businesses (SMBs) who had their company contact data stored in Google’s Salesforce CRM instance are the primary victims.

Were passwords or sensitive data stolen in the Google Salesforce hack?

No, Google has stated that only basic business contact information was compromised, not passwords, billing details, or private account information.

How did hackers breach Google’s Salesforce data?

Attackers used “vishing” (voice phishing) to impersonate IT staff, convincing employees to install malicious apps or grant app access, thus bypassing technical safeguards.

What should businesses do after the Google Salesforce data breach?

Monitor accounts for signs of unauthorized activity, change passwords, enable 2FA, audit connected apps, and train staff to detect and report social engineering attempts.

Is my personal Gmail affected by the Google Salesforce breach?

No, the breach only involved business contact records managed through Google’s Salesforce database—consumer Gmail and personal data are not impacted.

How can I secure my Salesforce and Google accounts from phishing attacks?

Enable 2FA, regularly review app integrations, educate staff about vishing and app scams, and use security monitoring dashboards to detect anomalies promptly.


Building Zero Trust in 2025: Focusing on the 5 Key Pillars