
Google Ads Data Breach Exposes Millions of Business Records


Google has confirmed a significant data breach involving information about potential Google Ads customers. The breach targeted one of the company’s Salesforce CRM instances, which is used to manage and track communication with prospective advertisers.

According to Google, the attack took place in June 2025 and was carried out by the hacking group known as ShinyHunters, also referred to as UNC6040 or “Sp1d3rHunters.” The hackers used voice phishing (vishing) tactics to trick employees into revealing access credentials. This social engineering method enabled them to bypass normal security measures and infiltrate Google’s systems.

How the Breach Occurred

Once the attackers gained access to the Salesforce CRM platform, they exfiltrated approximately 2.55 million records. These records included business names, phone numbers, and internal notes and details from sales conversations.

No Google Ads account credentials, payment data, or passwords were exposed. However, the leaked information can still be highly valuable to cybercriminals because it can make phishing and impersonation attacks far more convincing.

Security researchers have warned that this type of CRM breach allows attackers to build detailed profiles of targeted businesses. By using the stolen communication history, scammers can impersonate Google staff with alarming accuracy.

Part of a Larger Campaign

The breach is not an isolated case. It is part of an ongoing campaign targeting organizations using Salesforce platforms. In recent months, the same hacking group has been linked to attacks on Pandora, Qantas, Allianz Life, Chanel, and other high-profile companies.

ShinyHunters has claimed responsibility for stealing similar data from multiple firms, often selling the information on underground forums. In at least one incident connected to these campaigns, a small business reportedly paid a ransom worth 4 Bitcoin (around $400,000) to stop its data from being leaked.

Google’s Response

Google stated that it detected the intrusion quickly and revoked the attackers’ access. The company implemented immediate security measures and began notifying affected individuals and businesses by email.

The notifications advise recipients to stay alert for suspicious messages, calls, or offers claiming to be from Google or its partners. Even though no financial data was taken, the details exposed can be weaponized in future scams.

Risks to Businesses

While the stolen records may not contain direct financial information, the reputational and operational risks are significant. Possible consequences include:

  • Phishing campaigns designed to harvest login credentials or payment details.
  • Social engineering scams using internal CRM notes to make fake offers or requests appear legitimate.
  • Business email compromise (BEC) attempts targeting company executives.

The combination of contact information and sales history makes this data particularly dangerous in the wrong hands.

Protecting Against Similar Attacks

Security experts recommend that businesses take the following precautions in light of the breach:

  • Educate employees on spotting and handling vishing attempts.
  • Enforce multi-factor authentication (MFA) for all accounts.
  • Regularly audit CRM access logs for unusual activity.
  • Limit user permissions to only what is necessary.

By strengthening both technical controls and staff awareness, organizations can reduce the likelihood of falling victim to similar attacks.
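
One way to carry out the access-log audit recommended above, as an added example that is not part of the original article: the script compares each CRM access event with that user's own history and flags a source IP not seen before or an export far larger than usual. The CSV schema, field names, thresholds and sample rows are constructed assumptions, not a real CRM export format.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample of CRM access events (hypothetical schema, documentation IPs).
SAMPLE_LOG = """timestamp,user,source_ip,action,rows
2025-06-02T09:14:00Z,alice,198.51.100.10,report_export,120
2025-06-03T10:02:00Z,alice,198.51.100.10,report_export,95
2025-06-04T11:30:00Z,bob,198.51.100.22,report_export,300
2025-06-05T09:45:00Z,alice,198.51.100.10,report_export,140
2025-06-06T14:20:00Z,bob,198.51.100.22,report_export,280
2025-06-09T02:13:00Z,alice,203.0.113.77,login,0
2025-06-09T02:15:00Z,alice,203.0.113.77,report_export,48000
2025-06-10T10:05:00Z,bob,198.51.100.22,report_export,310
2025-06-11T16:40:00Z,bob,192.0.2.5,report_export,290
"""

def audit(log_text, volume_factor=10, min_history=2):
    """Return (timestamp, user, reasons) for events that deviate from the user's own history."""
    known_ips = defaultdict(set)       # user -> source IPs seen in unflagged events
    export_sizes = defaultdict(list)   # user -> row counts of unflagged exports
    findings = []
    events = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda e: e["timestamp"])
    for ev in events:
        user, ip, rows = ev["user"], ev["source_ip"], int(ev["rows"])
        is_export = ev["action"] == "report_export"
        history = export_sizes[user]
        reasons = []
        # The first event for a user only seeds the baseline; later unseen IPs are flagged.
        if known_ips[user] and ip not in known_ips[user]:
            reasons.append("new_source_ip")
        if is_export and len(history) >= min_history and rows > volume_factor * median(history):
            reasons.append("export_volume_spike")
        if reasons:
            # Flagged events are reported and kept out of the baseline until reviewed.
            findings.append((ev["timestamp"], user, reasons))
            continue
        known_ips[user].add(ip)
        if is_export:
            history.append(rows)
    return findings

if __name__ == "__main__":
    for ts, user, reasons in audit(SAMPLE_LOG):
        print(ts, user, ",".join(reasons))
```

Because flagged events never enter the baseline, a session from an unfamiliar address keeps surfacing until someone reviews it, which is the behaviour wanted when the account may have been taken over by phone.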

Final Thoughts

The Google Ads data breach underscores the persistent threat of social engineering in corporate cyberattacks. Even when attackers do not steal passwords or financial information, they can still exploit leaked business records for fraud, phishing, and impersonation schemes.

As this breach shows, protecting customer relationship management systems must be a top security priority. Businesses that engage with large platforms like Google Ads should remain vigilant, verify all communications, and implement layered defenses to prevent similar incidents.

 

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.