What Happened

In June, Google confirmed that its internal Salesforce system was breached. The revelation came through Google’s Threat Intelligence Group, which identified the cybercriminal group behind the attack as ShinyHunters, also known as UNC6040. This group is known for targeting large corporations using unconventional tactics.

The compromised database held sensitive customer relationship management data. Specifically, it contained contact details and internal notes related to Google's small and medium sized business customers. These are companies that rely heavily on Google’s infrastructure and services to run their operations. Although Google acted quickly, the attackers managed to extract data during a brief window of unauthorized access.

What Was Stolen

Google clarified that the exposed information was limited to basic business details. This includes names of companies, email addresses, phone numbers, and internal communication notes logged by sales teams. In most cases, this type of data is publicly accessible or relatively easy to gather. Still, having it centralized and organized makes it more valuable for further targeted attacks.

The company has yet to disclose exactly how many businesses were affected. However, the impact could be widespread, especially given the number of SMBs in Google’s ecosystem. Even if the data seems basic, its misuse can lead to phishing campaigns or impersonation attempts.

How It Went Down

The investigation revealed that attackers used voice phishing, often called vishing, to deceive employees. In this case, the cybercriminals posed as trusted internal figures or service providers. By sounding legitimate and pressing for urgent action, they managed to convince employees to unknowingly grant them access to the Salesforce platform.

Once inside, ShinyHunters acted quickly. They navigated the system, located customer data, and exfiltrated it before detection tools could respond. The breach was short-lived but effective. This was not a case of a technical vulnerability, it was social engineering at work.

Not the First and Will Not Be the Last

This breach fits into a larger trend. ShinyHunters has previously attacked high-profile brands including Qantas, Allianz Life, Cisco, Adidas, Dior, Louis Vuitton, and Pandora. Their pattern is consistent: target cloud based systems, exploit human behavior, and move quickly.

The group does not rely on malware or brute-force methods. Instead, they prey on the weakest link in any system, people. Their focus on CRM platforms is strategic, as these platforms house detailed, organized information that is gold for attackers.

What It Really Means

If a company like Google can fall victim to vishing, others are even more vulnerable. The real danger lies in how the attackers got in. This is not just a tech issue, it is a human issue. No firewall or encryption method can protect against someone voluntarily giving up access under false pretenses.

The Human Element

This breach highlights a critical truth in cybersecurity. Training matters. Security tools are essential, but so is preparing people to spot manipulation. Regular simulations, clear response protocols, and open communication during crises can make a real difference.

In Summary

Google experienced a CRM-related breach in June, exposing SMB customer data. The attack was executed through voice phishing, not a technical flaw. It follows a pattern seen in other global companies. The biggest vulnerability remains the human element. Real security begins with awareness.