Google Confirms Data Breach Exposed Potential Google Ads Customer Information

Google has confirmed a data breach involving one of its corporate Salesforce CRM instances used for communicating with potential Google Ads customers. The incident exposed basic business contact details but did not affect financial or active Ads account data.

In a data breach notification sent to affected parties and shared with BleepingComputer, Google stated:

“We’re writing to let you know about an event that affected a limited set of data in one of Google’s corporate Salesforce instances used to communicate with prospective Ads customers.”

The impacted information includes:

  • Business names
  • Phone numbers
  • Related sales notes for follow-up by Google sales representatives

Google confirmed that no payment data or Ads product account data (including Google Ads, Merchant Center, and Google Analytics) was compromised.

Linked to ShinyHunters and Scattered Spider

The breach is tied to the hacking group ShinyHunters, known for a recent surge in Salesforce-targeted attacks. The group claims the stolen data contains around 2.55 million records, although it is unclear how many may be duplicates.

ShinyHunters told BleepingComputer they work closely with Scattered Spider, another threat group, for initial access.

“They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake,” ShinyHunters stated.

The groups are now branding themselves as “Sp1d3rHunters”, highlighting their collaborative operations.

Social Engineering and Extortion Tactics

The attacks typically involve social engineering against company employees to obtain credentials or trick them into linking a malicious Salesforce Data Loader OAuth app to the targeted Salesforce environment.

Once access is secured, the attackers download the entire Salesforce database and send extortion emails threatening to leak the stolen information unless a ransom is paid.

These Salesforce-specific attacks were first reported by the Google Threat Intelligence Group (GTIG) in June, and Google itself fell victim the following month.

Ransom Demands and New Tools

According to Databreaches.net, ShinyHunters have already sent an extortion demand to Google. If unpaid, the group might release the stolen data publicly, possibly as a taunt to the company.

ShinyHunters also revealed they are now using a custom-built tool for faster and more efficient data theft from Salesforce systems, replacing the traditional Salesforce Data Loader with Python-based scripts. Google has confirmed seeing these new tools in use.