Google’s 2025 Salesforce Breach: A Major Cyberattack Exposes Advertiser and User Data
In August 2025, Google confirmed a significant data breach tied to its Salesforce CRM platform, one of the most damaging third-party incidents in the company’s history. The attack, attributed to the notorious cybercriminal group ShinyHunters, exploited vulnerabilities in Google’s Salesforce environment to exfiltrate sensitive advertiser and business account data. By September 2025, the breach had been publicly acknowledged, though its full scope remains under assessment.
What Happened?
ShinyHunters, a threat group responsible for high-profile breaches at Ticketmaster, AT&T, and Santander Bank, targeted Google’s Salesforce CRM, the system managing advertiser relationships and business communications. The stolen data included:
- Advertiser account details (business contact information, campaign records)
- Internal communication logs
- Customer data linked to Google’s advertising and Workspace operations
Beyond data theft, the group used the stolen information to launch vishing (voice phishing) attacks, impersonating Google representatives to extract further credentials and payments from advertising clients.
Impact and Scale
Early reports indicated millions of advertiser records were compromised, with some cybersecurity researchers linking the breach to a 184-million-credential dataset, spanning Google, Apple, and other major platforms, that was circulating on dark web forums. Google has not disclosed an exact number of affected users, a common practice in breach disclosures.
Google’s Response
Google confirmed unauthorized access via a third-party system, stating it had contained the breach, notified affected parties, and cooperated with authorities. The company also urged users to:
- Review saved passwords
- Enable two-factor authentication (2FA)
- Monitor accounts for suspicious activity
However, Google’s statement did not address the post-breach circulation of stolen data on the dark web, where credentials often resurface long after initial containment.
Broader Context: Google’s Breach History
The 2025 Salesforce breach is part of a pattern of security incidents involving Google:
- 2018 Google+ Breach: A software bug exposed 500,000+ user profiles (names, emails, birthdates) for over three years before disclosure. A second breach later that year affected 52.5 million users, leading to Google+’s shutdown.
- 2023 Google Fi Incident: Customer data was compromised via a T-Mobile breach, highlighting supply chain risks.
- 2025 Google Ads Exposure: The Salesforce breach marked the first direct compromise of Google’s advertising infrastructure.
Dark Web Risks and Credential Reuse
Stolen data from breaches like this often migrates to dark web markets, where it’s sold to other threat actors. Google’s Password Checkup tool flags compromised credentials, but it only covers passwords saved in Chrome and known public breaches, not private dark web sales or malware logs.
Legal and Regulatory Fallout
Google has faced class-action lawsuits and regulatory fines over past breaches, including:
- A $7.5 million settlement for the 2018 Google+ breach.
- A $5 billion settlement in 2024 over misleading Incognito mode privacy claims.
- GDPR fines (e.g., €150 million in 2022 for cookie consent violations).
Key Takeaways
- The 2025 Salesforce breach exposed advertiser and business data, enabling targeted phishing attacks.
- ShinyHunters’ involvement underscores the sophistication of modern cybercrime.
- Google’s breach history reflects broader industry challenges in securing third-party systems.
- Dark web monitoring remains critical, as stolen data persists long after initial breaches.
The incident reinforces the risks of third-party vulnerabilities and the need for proactive security measures beyond platform-provided tools.
Source: https://www.dexpose.io/google-data-breach/
Salesforce cybersecurity rating report: https://www.rankiteo.com/company/salesforce