Google Hacked – 2.5 Million Google Ads Business Records Exposed in Salesforce Breach

In June 2025, Google confirmed a breach affecting a corporate Salesforce instance tied to its Google Ads operations, resulting in the exposure of approximately 2.5 million business records. The leaked data included names, contact details, and internal notes — mostly public-facing business information — but experts warn that the breach still poses a significant extortion and social engineering risk.

Who’s Behind the Breach?

The notorious hacking groups ShinyHunters and Scattered Spider, operating jointly and referring to themselves as “Sp1d3rHunters” during the attack, have claimed responsibility. Both groups are well known for high-profile corporate breaches and sophisticated social engineering campaigns.

How the Attack Happened

Investigators report that the attackers used advanced vishing (voice phishing) techniques to trick targeted Google Ads employees into approving a malicious connected app in Salesforce.
Once inside, they:

  • Deployed a modified Salesforce Data Loader to siphon large volumes of data.
  • Used custom Python scripts for targeted queries and extraction.
  • Routed all activity through Tor and Mullvad VPN to evade detection.

What Was Stolen

The exposed dataset reportedly includes:

  • Business names
  • Contact information (emails, phone numbers)
  • Internal account notes

While most of the data is publicly available through various channels, the context provided by internal notes could make targeted scams, phishing, and impersonation attempts more convincing.

The Ransom Demand

The attackers demanded 20 BTC (roughly $1.2 million USD at the time) in exchange for not releasing the data — claiming the demand was “for the lulz”. At this stage, it is unclear whether the ransom was paid, but portions of the data have reportedly surfaced in underground forums.

Why This Matters

Even though the information is largely public, the breach highlights a growing attack vector:

  • Cloud SaaS integrations (like Salesforce) are becoming a prime target.
  • Sophisticated social engineering remains one of the most effective breach enablers.
  • Public business data can still be weaponized for fraud, extortion, and reputational damage.

Security takeaway: Enterprises must tighten app integration permissions, enforce multi-factor verification for connected apps, and invest in employee training to spot vishing attempts.
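
As an added example (not from the original article or from Google or Salesforce), the sketch below shows how a defender might review API activity for the pattern described above: an unapproved connected app, traffic from anonymizing networks, and unusually large exports. The event fields, client IDs, IP ranges, and threshold are all constructed assumptions; the allowlist is keyed on a client identifier rather than the app's display name, since a display name can be chosen by whoever registers the app.

```python
import ipaddress
from collections import defaultdict

# Everything below is constructed for illustration; the field names are
# hypothetical and do not mirror a real Salesforce log schema.
APPROVED_CLIENT_IDS = {"cid-dataloader-official", "cid-marketing-sync"}
# Stand-in for a Tor/VPN exit-node feed (RFC 5737 documentation range).
ANONYMIZER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
ROW_THRESHOLD = 50_000  # total rows per (user, client_id) in the review window

EVENTS = [
    {"user": "alice", "app": "Data Loader", "client_id": "cid-dataloader-official",
     "ip": "203.0.113.10", "rows": 1_200},
    # Same display name as the approved app, but a different client ID.
    {"user": "bob", "app": "Data Loader", "client_id": "cid-unknown-7f3a",
     "ip": "198.51.100.23", "rows": 40_000},
    {"user": "bob", "app": "Data Loader", "client_id": "cid-unknown-7f3a",
     "ip": "198.51.100.24", "rows": 35_000},
    {"user": "carol", "app": "Marketing Sync", "client_id": "cid-marketing-sync",
     "ip": "198.51.100.77", "rows": 300},
]

def is_anonymized(ip):
    """True if the source address falls inside a known anonymizer range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable address: cannot be matched against the feed
    return any(addr in net for net in ANONYMIZER_NETS)

def findings(events):
    """Return {(user, client_id): set of reasons} for suspicious API activity."""
    rows = defaultdict(int)
    out = defaultdict(set)
    for e in events:
        key = (e["user"], e["client_id"])
        rows[key] += e["rows"]
        if e["client_id"] not in APPROVED_CLIENT_IDS:
            out[key].add("unapproved_app")
        if is_anonymized(e["ip"]):
            out[key].add("anonymizer_ip")
    for key, total in rows.items():
        if total >= ROW_THRESHOLD:
            out[key].add("bulk_export")
    return dict(out)

if __name__ == "__main__":
    for (user, cid), reasons in sorted(findings(EVENTS).items()):
        print(user, cid, sorted(reasons))
```

No single event for "bob" crosses the row threshold; the bulk-export finding only appears once volume is summed per user and client ID.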

