Google Ads Customer Data Leaked in Salesforce Hack

Red Dog Security

2 min read
Google Ads Customer Data Leaked in Salesforce Hack

Google has confirmed that a recent data breach tied to a Salesforce compromise exposed information belonging to Google Ads customers.

Last week, the company acknowledged it was impacted by a leak attributed to the hacker group ShinyHunters, which in recent months has been systematically targeting Salesforce CRM platforms.

In June 2025, Google’s Threat Analysis Group warned that threat actors it tracks as UNC6040 and UNC6240—also known as ShinyHunters—were using social engineering and vishing (voice phishing) to compromise Salesforce environments and steal customer data. The stolen data has often been used for extortion, with attackers threatening to publish it if ransom demands are not met.

As it turns out, Google itself was hit by a similar attack in June. Hackers infiltrated one of the company’s Salesforce CRM instances and extracted customer data.

“In June, one of Google’s corporate Salesforce instances was affected by similar activity from UNC6040,” the company said. “This instance was used to store contact information and related notes about small and medium-sized businesses. Analysis revealed that the data was extracted shortly before access was revoked. The information obtained was largely limited to basic and publicly available data, such as company names and contact details.”

According to Bleeping Computer, the breach specifically affected Google Ads customers. Google’s investigation determined that the compromised records included company names, phone numbers, and “related notes” used by account managers for follow-ups. The company emphasized that no payment data or information from Google Ads accounts, Merchant Center, Google Analytics, or other advertising products was involved.

“We are reporting an incident that affected a limited set of data in one of Google’s corporate Salesforce instances used for communicating with potential Ads customers,” Google noted in its breach notification. “Our records indicate that basic contact details and related notes were compromised.”

ShinyHunters, active since at least 2020, has been linked to breaches at Oracle Cloud, Snowflake, AT&T, NitroPDF, Wattpad, MathWay, and others. In recent months, similar Salesforce-related breaches have impacted Adidas, Qantas, Allianz Life, several LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Cisco.com, Chanel, and Pandora.

Google has not disclosed how many customers were affected. However, the hackers told journalists they had stolen roughly 2.55 million records and demanded a ransom of 20 bitcoins (about $2.3 million).

“I don’t care about Google’s ransom anyway. I just sent them a fake email for laughs,” a ShinyHunters representative told reporters.

The group also claimed it is working with Scattered Spider, which they say provides the initial system access.

“As we’ve said many times: ShinyHunters and Scattered Spider are the same,” the hackers alleged. “They provide initial access, and we dump and leak data from Salesforce—just like with Snowflake.”

Journalists note the attackers now refer to themselves as Sp1d3rHunters, a hybrid name combining the two groups.

Read more