Google Breach Exposes Millions of Prospective Ads Client Records – Hackers Demand Bitcoin Ransom

Listen to this Post

Featured Image

Introduction

In a major cybersecurity incident, Google has confirmed that one of its corporate Salesforce CRM systems—housing data on potential Google Ads customers—was compromised by the notorious hacking group ShinyHunters. The breach, which involved a staggering 2.55 million records, underscores the persistent threat posed by financially motivated cybercriminals leveraging sophisticated social engineering tactics. While no sensitive financial or advertising account data was exposed, the incident serves as yet another reminder that even the world’s most powerful tech giants are not immune to targeted attacks.

the Incident

Google’s Threat Intelligence Group revealed that in June, one of its Salesforce database instances—primarily used for storing small and medium business contact information and sales-related notes—was accessed without authorization by ShinyHunters (also known as UNC6040).

According to Google’s statement:

The compromised database stored business names, phone numbers, and related sales notes.
The data, though largely public in nature, was accessed during a short breach window before Google shut down the intrusion.
No financial data, advertising campaign information, or sensitive account credentials from Google Ads, Merchant Center, or Google Analytics were affected.

ShinyHunters claimed responsibility for the breach and alleged a partnership with the group Scattered Spider, dubbing their alliance “Sp1d3rHunters.” They initially demanded 20 BTC (approximately \$2.3 million) but later stated that the ransom demand was “a prank.” Despite this claim, the hackers are believed to have used custom-built tools to expedite the extraction of Salesforce data.

Google’s investigation linked the breach to a larger campaign by UNC6040, a financially driven threat group that frequently targets Salesforce systems via voice phishing. This involves posing as IT support staff, particularly targeting employees in English-speaking regions, and tricking them into granting access or approving malicious Salesforce Data Loader applications. Once access is secured, attackers can siphon entire databases—sometimes waiting months before initiating extortion attempts.

The hackers’ methodology is heavily based on social engineering: stealing employee credentials or exploiting OAuth app permissions to gain database access, after which they attempt to pressure victims through intimidation tactics.

Google has notified all impacted parties and continues to monitor UNC6040’s activities closely.

What Undercode Say:

This breach is a textbook example of the evolving nature of cyber threats targeting enterprise SaaS platforms like Salesforce. While many organizations focus on securing their primary systems, attackers are increasingly shifting to third-party platforms where security postures may not be as stringent—or where trust is often implicitly granted.

The incident also reveals several critical points for analysis:

1. Public Data vs. Perceived Impact

Although Google insists that the stolen information was “largely publicly available,” the aggregation of such data into a structured, ready-to-use CRM format significantly increases its value. For attackers, this dataset could be repurposed for targeted phishing campaigns or competitive intelligence gathering.

2. Third-Party Platform Risks

The reliance on Salesforce as a central sales and customer management tool means any breach within that environment has a direct pathway to sensitive business pipelines. Even if no financial data is taken, the reputational and operational damage can be substantial.

3. Social Engineering at Scale

UNC6040’s approach of impersonating IT support to trick employees highlights the importance of continuous security awareness training. Traditional firewalls and endpoint defenses cannot stop a well-crafted phone call to a distracted employee.

4. The Psychology of “Prank” Ransoms

ShinyHunters’ claim that their \$2.3M ransom demand was a prank could be an attempt to downplay the seriousness of their crime while still extracting media attention. This tactic might also mask failed negotiation attempts or internal disputes among attackers.

5. Custom Data Theft Tools

The mention of a “custom tool” for exfiltrating Salesforce data indicates a level of technical sophistication that allows them to bypass or minimize detection during the theft process. This could mean similar attacks are ongoing against other companies without public disclosure.

6. Collaborative Cybercrime

The partnership between ShinyHunters and Scattered Spider illustrates how cybercrime groups are increasingly pooling resources, blending technical capabilities with social engineering expertise to maximize their attack efficiency.

7. Potential Long-Tail Consequences

Even if Google contained the breach quickly, the stolen dataset could circulate in underground markets for years, enabling identity theft, corporate espionage, and highly targeted scams.

8. Regulatory Pressure

Incidents like this may push regulators in both the US and EU to impose stricter security compliance standards for SaaS providers and the enterprises using them, especially in industries handling large volumes of customer data.

In essence, this breach is less about the data stolen and more about what it represents: the vulnerability of cloud-based business systems in the face of persistent, well-organized cybercriminal operations.

🔍 Fact Checker Results

✅ Verified: Google confirmed the breach involved a Salesforce CRM system used for prospective Google Ads clients.
✅ Verified: ShinyHunters claimed responsibility and demanded 20 BTC, later calling it a prank.
❌ Not Verified: The exact number of 2.55M records has not been independently confirmed beyond hacker claims.

📊 Prediction

Given UNC6040’s targeted focus on Salesforce environments and their successful breach of Google, it is likely that similar attacks will surface in the coming months against other Fortune 500 companies using Salesforce. Expect to see more sophisticated social engineering campaigns paired with automated data extraction tools, with attackers possibly shifting toward ransom-free “data sale” models to avoid direct extortion exposure.

Do you want me to also adapt this to SEO-optimized structure so it ranks higher in Google News? That would require some targeted keyword placement without sacrificing natural flow.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: securityaffairs.com
Extra Source Hub:
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon