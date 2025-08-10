Google has revealed more details about an attack on one of its corporate Salesforce instances. The company now says that the attack exposed user data of Google Ads customers.

The security issue was spotted by Google Threat Intelligence Group (GTIG) back in June. Activity by UNC6040 – described as a financially motivated threat cluster that specializes in voice phishing (vishing) – hit Salesforce and subsequent investigations have revealed the extent and impact of the attacks.

Google has now contacted affected customers via email after the company analyzed what happened and took mitigating action. As reported by Bleeping Computer, the email says:

We're writing to let you know about an event that affected a limited set of data in one of Google's corporate Salesforce instances used to communicate with prospective Ads customers. Our records indicate basic business contact information and related notes were impacted by this event.

This will be of great concern to Google Ads customers, and anyone thinking of becoming one. For such a large corporation to fall victim to such an attack is somewhat unusual, but particularly a global technology company with a vested interest in security.

Targeting Google Ads customers

In a blog post about data extortion, Google explains how the attack works and goes on to say:

In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.

Although Google seems to be attempting to downplay the impact of the attack by describing the data that was accessed as being “largely public”, it does not provide any detail about the type of quantity of exposed data that was neither basic nor public. This is the data that will be a cause for concern.

Google says that it has now completed the process of contacting anyone whose data has been involved in this attack – so if you’ve not heard anything yet, you should have nothing to worry about.

The perpetrators of the attacks are known to be ShinyHunters, threat actors who have been targeting Salesforce customers for some time.

Communicating with Bleeping Computer, the attackers said that they had been able to steal around 2.55 million data records, but it is not clear how many customers these relate to.

DataBreaches.net reports that the group sent an extortion demand to Google. It was seeking millions of dollars not to leak the data; neither Google nor the attackers have said whether any ransom was paid, or if payment was even considered.

Google has a number of tips for organizations to help strengthen their security: