In the age of AI, is anyone safe from cyberattacks? \n\nLast week, Google revealed that customer data had been stolen in a successful cyberattack.\n\nWhile major data breaches are becoming more common, many raised an eyebrow as one of the world’s most powerful tech companies succumbed to the hack.\n\nThe attack occurred in June of this year and targeted a Google corporate database run by Salesforce.\n\nA statement released by the Google Threat Intelligence Group (GTIG) confirmed that the database in question was \"used to store contact information and related notes for small and medium businesses.\"\n\n\"Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off.\"\n\nThe data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.\n\nThe attack is believed to have been orchestrated by the ShinyHunters ransomware group, also known as UNC6040: a well-established hacking collective.\n\nIndeed, Cyber Security News is reporting that ShinyHunters has unofficially taken responsibility for the attack, claiming to have stolen approximately 2.55 million customer data records.\n\nWhile no specific examples of these data records have been made public yet, the group’s typical strategy is to create a data leak site, which is used to target and extort victims with demands for bitcoin ransom payments.\n\nIn an update posted on the official GTIG blog on August 8th, the organization announced that it had \"completed its email notifications to those affected by this incident.\"\n\nHow the Attack Happened\n\nWhen envisaging how the attackers went about infiltrating Google’s databases, you’d be forgiven for picturing some sort of technological wizardry.\n\nHowever, it was actually voice phishing (vishing), one of the more traditional tools in the hacker arsenal, that was Google’s undoing.\n\nVishing is tried and tested for a reason. Rather than trying to navigate robust software defenses, the phone scam targets human vulnerabilities.\n\nIn this instance, the attackers posed as IT support staff to trick administrators into installing a malicious version of Salesforce Data Loader, disguised under names such as \"My Ticket Portal.\"\n\nThe genuine Data Loader is a trusted desktop tool capable of extracting, updating, or deleting Salesforce data, making it a powerful target.\n\nThe fake application mimicked the legitimate tool, reusing OAuth credentials to bypass consent screens and gain access to the organization’s backend.\n\nFrom there, the attackers could quietly obtain sensitive data.\n\nIn discussing how the breach came about in a LinkedIn post, Anshul Verma, President of Cynoteck Technology Solutions, stressed:\n\n\"This isn’t a Salesforce vulnerability – it’s a human-centric breach, exploiting trust and familiarity.\"\n\nHow to Stop Such Attacks from Happening to Your Business\n\nKnowing how the attack happened is all well and good, but what really matters is figuring out how to prevent it from happening again.\n\nVerma explains how, although companies like Salesforce have powerful security measures in place, these are of no use unless they are configured correctly.\n\nIn an extensive list of how to limit the likelihood of cyberattacks, he outlined the importance of only downloading software, tools, and apps from known sources.\n\nOf course, this was the downfall of the Google hack. Had the customers checked directly with Salesforce, they would have discovered that Data Loader is available within the CRM itself, so there would have been no need to access it via a different source.\n\nVerma is just one of many IT and security professionals who have spoken out following the confirmation of the breach.\n\nSpeaking in a Forbes article, Dray Agha, Senior Manager of Security Operations at Huntress, explained how any use of third-party vendors comes with risks, commenting:\n\n\"Businesses must rigorously vet and continuously monitor all vendors with access to their data.\"\n\nAgha also advocated for enhanced security awareness training and tighter access controls, particularly for cloud platforms managing sensitive customer data.\n\nAlthough the Google incident wasn’t an especially sophisticated attack, in an AI era, hackers have more advanced weapons than ever before.\n\nThere is no doubt that the above advice will certainly limit the likelihood of an attack, but it is almost impossible to make your company completely bulletproof.\n\nFor most, it is no longer a case of will it happen, but when will it happen.\n\nThis is why businesses must also allocate time and resources to a best-in-class, fully tested Incident Response Plan.\n\nAfter all, if it can happen to Google, it can happen to anyone.

The Google-Salesforce Customer Data Breach: What Really Happened?

Google revealed a cyberattack in June 2025 that compromised customer data stored in a Salesforce corporate database. The breach was carried out via voice phishing (vishing), where attackers impersonated IT support and tricked administrators into installing a malicious version of Salesforce Data Loader. The threat actor, ShinyHunters (UNC6040), is believed to have stolen approximately 2.55 million customer records, primarily consisting of basic business contact information. Google confirmed the incident and completed email notifications to affected parties by August 8, 2025. Experts emphasize that the breach was not due to technical flaws in Salesforce or Google’s systems, but rather a human-centric failure involving trust and poor vendor vetting. Recommendations include only using software from trusted sources, conducting regular security awareness training, and implementing robust incident response plans.