Google Discloses Breach Exposing Potential Google Ads Customer Details

Google has confirmed that a recent data breach in one of its Salesforce CRM systems exposed the information of potential Google Ads customers.

“We’re writing to let you know about an event that affected a limited set of data in one of Google’s corporate Salesforce instances used to communicate with prospective Ads customers,” reads a data breach notification shared with BleepingComputer.

“Our records indicate basic business contact information and related notes were impacted by this event.”

Information Exposed in the Breach

Google stated that the exposed data includes business names, phone numbers, and “related notes” for a Google sales agent to follow up. The company clarified that no payment information was compromised.

It also confirmed that the breach did not affect data stored in Google Ads accounts, Merchant Center, Google Analytics, or other Ads-related products.

Who Was Behind the Attack?

The attack was carried out by threat actors known as ShinyHunters, a group linked to multiple Salesforce-related data theft incidents. They claimed the stolen database contains around 2.55 million records, though it is unclear if there are duplicates.

ShinyHunters told BleepingComputer they worked with members of another hacking group, Scattered Spider, to gain initial access to targeted systems.

“Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same,” ShinyHunters told BleepingComputer.

“They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake.”

The group now calls itself “Sp1d3rHunters” to reflect the overlap between the two groups.

How the Breach Happened

The hackers reportedly used social engineering tactics to trick employees into giving away credentials or authorizing a malicious version of Salesforce’s Data Loader OAuth app. Once inside, they downloaded the full Salesforce database and sent ransom emails threatening to release the stolen data.

Google’s Threat Intelligence Group (GTIG) first reported similar Salesforce breaches in June. The company itself fell victim a month later.

Extortion Attempt

Databreaches.net reported that the attackers demanded 20 Bitcoins (around $2.3 million) from Google to avoid leaking the stolen information.

“I don’t care about ransoming Google anyway, I just sent them a bogus email for the lulz of it,” said the threat actor.

ShinyHunters revealed they are now using a custom-built tool to steal data from Salesforce more efficiently. Google confirmed they have seen hackers using Python scripts in place of Salesforce’s Data Loader during recent attacks.


