Inside the Google Data Breach: How Social Engineering Beat World-Class Security


Google is one company you would not expect to fall to a social engineering attack. With world-class security teams and advanced defenses, it stands as one of the hardest targets in the industry. Yet attackers still found a way in, proving that no organization is immune when the focus shifts from breaking systems to manipulating people.

This breach did not come from a flaw in Google’s infrastructure. It began with a third-party platform tied to Google’s operations and relied on exploiting human trust. It is a clear reminder that even the most secure companies can be compromised when attackers aim at the human element instead of the technology.

How the Breach Happened

The attackers targeted a corporate Salesforce instance used by Google to manage contact information and notes for small and medium-sized businesses, mainly prospective Google Ads customers. The threat group, identified as UNC6040 and linked to the ShinyHunters and Scattered Spider cybercrime groups, used a voice phishing technique known as vishing.

In this attack, criminals posed as Google IT support staff and made direct phone calls to employees. During these calls, they convinced victims to authorize a malicious application connected to Salesforce. The technique took advantage of a legitimate Salesforce feature that allows external applications to be linked to user accounts.

The attackers either deployed a trojanized version of Salesforce’s Data Loader application or used a custom Python script. Once access was granted, they were able to extract data without triggering standard intrusion alarms. This bypassed many of the technical defenses that organizations rely on.

What Data Was Taken and Who Is Impacted

According to Google, the stolen data consisted mainly of basic business information such as names and contact details. The company stressed that no payment data or customer account details from Google Ads, Merchant Center, or other advertising products were affected.

However, the attackers claim to have stolen approximately 2.55 million records. It is unclear whether this figure includes duplicates, but it suggests the breach may be more extensive than Google’s description of “largely publicly available” data. Google has been emailing notifications to affected customers.

Part of a Larger Campaign

The breach is one incident within a broader campaign of data theft and extortion targeting major corporations. Groups like ShinyHunters have been linked to similar attacks against Cisco, Adidas, Qantas, Allianz Life, and luxury brands under LVMH such as Louis Vuitton and Dior.

The playbook is consistent: steal data, then contact the victim with a ransom demand, often payable in Bitcoin, and set a short deadline to create pressure. For Google, the group allegedly demanded 20 Bitcoins, valued at more than two million dollars. They later claimed the ransom request was a prank, though their history shows they have carried out real extortion in many other cases. Attackers often use public data leak sites to shame victims and force payment.

The Irony and the Lesson

In June, just one month before this breach, Google’s Threat Intelligence Group had issued a warning to other companies about this very type of vishing attack. The warning described the tactics of UNC6040 in detail. Despite having published this guidance, Google itself fell victim to the same playbook shortly afterward.

This event shows that social engineering can succeed even against companies with advanced security teams. The attackers did not break into Google’s systems through a software flaw but instead persuaded employees to give them access.

How Companies Can Protect Themselves

Cybersecurity experts and Google have pointed to several areas where organizations should focus to reduce the risk of similar attacks:

1. Employee Awareness and Training
   Awareness training must be continuous and realistic. Staff should be trained to recognize the signs of vishing, such as unsolicited requests for system access or for approving an application, even when the caller claims to be from internal support.

2. Tighter Access Controls
   Limit system and application access to only those who truly need it. Strong Identity and Access Management (IAM) controls enforce this by governing who can access what, when, and how. Reducing the number of users with elevated privileges leaves attackers fewer weak points to exploit.

3. Stronger Multi-Factor Authentication Policies
   MFA remains vital, but this case shows that MFA can be undermined when an employee is talked into authorizing a malicious application: the attacker never needs the second factor because the authorized app acts on the user's behalf. Policies should therefore include monitoring and restricting new app integrations.

4. Proactive Monitoring and Fast Response
   Google was able to detect and stop the attack relatively quickly, which limited the damage. Organizations should invest in systems that can identify suspicious access patterns in real time, such as a newly connected application pulling large volumes of records.
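The last two recommendations can be turned into a concrete detection. The following is an added example, not code from the article, Google, or Salesforce: it walks a stream of constructed CRM audit events (field names and event types are assumptions chosen for illustration) and raises an alert when an application outside an allowlist is authorized, or when a freshly authorized app extracts an unusually large number of rows within an hour of being connected, which is the Data Loader pattern described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field names (ts, type, user, app, rows) and the
# event types are assumptions for this example, not real Salesforce log fields.
EVENTS = [
    {"ts": "2025-08-05T09:00:00", "type": "APP_AUTHORIZED", "user": "alice", "app": "Data Loader", "rows": 0},
    {"ts": "2025-08-05T09:03:00", "type": "API_QUERY", "user": "alice", "app": "Data Loader", "rows": 200000},
    {"ts": "2025-08-05T09:06:00", "type": "API_QUERY", "user": "alice", "app": "Data Loader", "rows": 350000},
    {"ts": "2025-08-05T10:00:00", "type": "API_QUERY", "user": "bob", "app": "Approved Reporting App", "rows": 5000},
    {"ts": "2025-08-05T11:00:00", "type": "APP_AUTHORIZED", "user": "carol", "app": "Data Loader", "rows": 0},
    {"ts": "2025-08-05T15:00:00", "type": "API_QUERY", "user": "carol", "app": "Data Loader", "rows": 100},
]

APPROVED_APPS = {"Approved Reporting App"}   # allowlist maintained by the security team
WINDOW = timedelta(hours=1)                   # how long after authorization we watch closely
ROW_THRESHOLD = 100_000                       # rows pulled in that window before we alert


def detect(events, approved=APPROVED_APPS, window=WINDOW, threshold=ROW_THRESHOLD):
    """Return a list of (alert_type, user, app) tuples.

    Two signals are raised:
      - unapproved_app_authorized: a user connected an app that is not allowlisted.
      - bulk_export_after_auth: an app pulled more than `threshold` rows for a user
        within `window` of that user authorizing it (raised once per user/app pair).
    """
    auth_time = {}                 # (user, app) -> time the app was authorized
    pulled = defaultdict(int)      # (user, app) -> rows extracted inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["app"])
        if ev["type"] == "APP_AUTHORIZED":
            auth_time[key] = t
            if ev["app"] not in approved:
                alerts.append(("unapproved_app_authorized", ev["user"], ev["app"]))
        elif ev["type"] == "API_QUERY" and key in auth_time and t - auth_time[key] <= window:
            pulled[key] += ev["rows"]
            alert = ("bulk_export_after_auth", ev["user"], ev["app"])
            if pulled[key] > threshold and alert not in alerts:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

With the sample data, alice's Data Loader session trips both alerts while carol's low-volume query four hours after authorization only trips the allowlist check.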

A Human-Centric Threat

This breach reinforces the fact that the weakest link in cybersecurity is often human trust. Technical defenses are necessary, but they must be matched with a strong security culture that encourages skepticism and verification. No matter how advanced the technology, people remain a key point of failure if they are not adequately prepared to handle social engineering attempts.
