
Remember: a simple phone scam compromised Google’s Salesforce database


COMMENTARY: Even a company like Google, a leader in digital security and a proud owner of expensive security technologies, can get breached not by a complex zero-day exploit, but by a simple phone call.

That's the reality of a recent data breach where the tech giant fell victim to a supply chain attack on its Salesforce database.


The culprit? A financially-motivated cybercrime collective known as ShinyHunters, a group notorious for high-profile data theft and extortion. This incident serves as a clear reminder that in our interconnected digital world, the security of a major corporation is often only as strong as its weakest link, frequently a third-party vendor—or a single unsuspecting employee.

It's a trend we see with increasing frequency, where attackers target the human element to gain access to seemingly impenetrable environments. The same playbook was used in a series of attacks on Okta, the very provider of identity and access management security for countless companies, demonstrating that even the gatekeepers of digital identity are not immune to these tactics.

The anatomy of the attack: A vishing masterclass

ShinyHunters, a threat actor also tracked by Google's Threat Intelligence Group (GTIG) as UNC6040, has refined its tactics to bypass traditional security measures. Instead of exploiting technical flaws in Google's infrastructure, the group focused on a much more effective vector: social engineering. The attack was a sophisticated campaign that relied on a technique known as voice phishing, or "vishing."

The attackers initiated a targeted phone call to a Google employee, impersonating IT support from either Google or Salesforce. Through a combination of deception and urgency, they tricked the employee into performing a series of actions that ultimately granted them access.

One of the primary tools in this scheme was a fraudulent version of Salesforce's Data Loader application. The victim was convinced to install this malicious app, which was then used to exfiltrate data from Google's Salesforce instance. This method cleverly sidesteps traditional security controls, including multi-factor authentication (MFA), because the employee is unknowingly authorizing the access themselves.
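The pattern the article describes, an employee authorising a lookalike "Data Loader" app that then pulls records out of the CRM, is something a security team can watch for in its own audit data. The following is an added illustration written for this commentary; it is not code from the article, from Google, or from Salesforce. The event records, their field names (`ts`, `user`, `app`, `event`, `rows`), the approved-app list and the row threshold are all constructed assumptions that would need to be mapped onto a real event source such as Salesforce Event Monitoring before use.

```python
"""Flag the 'employee-authorised app followed by bulk export' pattern.

Added example for this column, not code from the article or from
Google/Salesforce. The event shape below is a constructed assumption;
real Salesforce event logs use different field names and must be mapped.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Connected apps the organisation has approved. Anything else is suspect, and a
# name that merely resembles an approved one ("Data Loader Support") is treated
# exactly like any other unknown app. (Constructed list.)
APPROVED_APPS = {"Dataloader Partner", "Salesforce Mobile"}

# Rows pulled by one user/app inside one window above which we call it a bulk
# export. Tune to the org's normal usage. (Constructed threshold.)
BULK_ROW_THRESHOLD = 50_000
WINDOW = timedelta(hours=1)

# Constructed sample events. Alice uses the approved loader normally; Bob
# authorises an unknown app with a Data Loader-style name and it immediately
# starts exporting records.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T09:00:00", "user": "alice", "app": "Dataloader Partner",
     "event": "app_authorized", "rows": 0},
    {"ts": "2025-08-01T09:10:00", "user": "alice", "app": "Dataloader Partner",
     "event": "bulk_query", "rows": 1_200},
    {"ts": "2025-08-01T14:02:00", "user": "bob", "app": "Data Loader Support",
     "event": "app_authorized", "rows": 0},
    {"ts": "2025-08-01T14:05:00", "user": "bob", "app": "Data Loader Support",
     "event": "bulk_query", "rows": 30_000},
    {"ts": "2025-08-01T14:20:00", "user": "bob", "app": "Data Loader Support",
     "event": "bulk_query", "rows": 45_000},
]


def analyze(events, approved=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD, window=WINDOW):
    """Return a list of findings (dicts with severity, user, app, reason).

    Two signals are combined:
      1. authorisation of a connected app that is not on the approved list;
      2. a user/app pair exporting more than `threshold` rows within `window`.
    When (2) happens shortly after (1) for the same user and app, the finding is
    raised to 'high', because that is the sequence a tricked employee produces.
    """
    findings = []
    authorized_at = {}             # (user, app) -> time the app was first authorised
    exports = defaultdict(list)    # (user, app) -> [(time, rows_exported)]

    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["app"])
        t = datetime.fromisoformat(e["ts"])

        if e["event"] == "app_authorized":
            authorized_at.setdefault(key, t)
            if e["app"] not in approved:
                findings.append({
                    "severity": "medium", "user": e["user"], "app": e["app"],
                    "reason": "connected app not on the approved list was authorised",
                })

        elif e["event"] == "bulk_query":
            exports[key].append((t, e["rows"]))
            # Rows this user/app pulled inside the trailing window, including now.
            recent_rows = sum(r for tt, r in exports[key] if t - tt <= window)
            if recent_rows < threshold:
                continue
            fresh_unapproved = (e["app"] not in approved
                                and key in authorized_at
                                and t - authorized_at[key] <= window)
            findings.append({
                "severity": "high" if fresh_unapproved else "medium",
                "user": e["user"], "app": e["app"],
                "reason": f"{recent_rows} rows exported within {window}",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['user']} via {f['app']}: {f['reason']}")
```

Running it on the constructed sample yields two findings for Bob: a medium one when the unknown app is authorised, and a high one when the same app crosses the row threshold eighteen minutes later. Alice's use of an approved loader produces nothing. The point of the design is that neither signal alone is decisive (new apps get approved, bulk exports happen), but an unapproved app exporting in volume right after an employee authorised it is the exact footprint a vishing-driven "install this tool" call leaves behind, and it is visible even though every login and MFA prompt was legitimately completed by the victim.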

Google's own threat intelligence analysis revealed that the attacks did not exploit a flaw in Salesforce's software but rather, the "human element," proving that no system is immune to manipulation.

The leaked data and Google’s response

Google’s internal investigation confirmed that the breach was contained to one specific corporate Salesforce instance used to manage communications with prospective Google Ads customers. The data retrieved by the hackers was limited to basic and largely publicly available business information, such as business names, phone numbers, and related notes. While the group claimed to have exposed as many as 2.55 million records, Google has not officially confirmed a specific count.

Crucially, Google’s analysis found that no sensitive or financial data was compromised. The company reassured its users that there was no impact on core Google services, including Google Ads accounts, Merchant Center, or Google Analytics. Upon discovering the activity, Google's security teams responded swiftly by terminating the attackers' access, performing a comprehensive impact analysis, and implementing new mitigations. The company then completed email notifications to all affected entities by August 8, 2025.

Parallels in the security world: The Okta incident

The Google breach did not occur in a vacuum. It’s part of a broader, more aggressive trend of social engineering attacks against major tech companies.

A strikingly similar pattern was seen in a series of incidents targeting Okta, the identity and access management provider. In one instance, a threat actor group known as Scattered Spider (UNC3944), which has been linked to campaigns similar to those of ShinyHunters, targeted Okta's customers. The attackers impersonated IT staff and, through vishing, tricked employees into resetting MFA for highly privileged accounts. By doing so, they gained access to the customers' Okta instances, which served as a gateway to their wider corporate networks.

These breaches are not a coincidence. The attackers behind these campaigns are increasingly collaborating, with some reports even referring to them as "Sp1d3rHunters," leveraging their combined social engineering expertise to compromise CRM and identity management environments. The Okta incident is particularly telling, as it proves that companies specializing in security are just as vulnerable to these tactics as any other, reinforcing the fact that a strong security posture must account for both technical and human vulnerabilities.

Supply chain and compliance risks for all

This breach serves as a powerful case study in the inherent risks of modern digital supply chains. Google, despite its advanced security resources, was compromised not by a direct attack on its internal systems, but by a weakness in the use of a third-party service. This incident underscores the reality of a shared security model, where a company’s security is inextricably linked to its vendors and how its employees interact with those vendors’ systems.

From a compliance and regulatory standpoint, the incident, while not compromising highly sensitive data, still carries significant weight. The exposure of business contact information can trigger data protection regulations such as GDPR or CCPA, which require companies to notify affected parties and potentially face fines.

We can also view the attack as a due diligence failure rather than simply a social engineering success, since companies are expected to implement robust training and security protocols to protect against such well-known threats.

The breach represents a clear call to action for all organizations, urging them to move beyond perimeter defenses and focus on fortifying the human element, which remains the most significant variable in cybersecurity. This Google breach and similar incidents like the one involving Okta are powerful reminders that in our connected world, the weakest link is often not a piece of technology, but the person operating it.

Shira Shamban, vice president of cloud, CYE

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Shira Shamban

Shira Shamban, vice president of cloud solutions at CYE, started her career in security as a military officer in Israel’s intelligence Unit 8200. Specializing in cloud security, Shira works to empower women and underrepresented groups in technology, volunteering as a lecturer and mentor for organizations such as SheCodes, Cyber Ladies, and Women in AppSec. She also spearheaded the local mentoring initiative Security Diva and holds the position of co-chair at OWASP Israel.
