Overview
- In June, attackers using voice phishing tricked employees into approving a malicious Salesforce Data Loader OAuth app to breach Google’s corporate CRM.
- Google says the intrusion exposed only basic business contact details and related notes for prospective Ads customers, with no payment or core Ads systems affected.
- The company cut off access within a short window, conducted an impact analysis and proactively notified impacted contacts.
- ShinyHunters (UNC6040), now calling themselves Sp1d3rHunters, claim to have obtained roughly 2.55 million records and reportedly demanded around 20 BTC in extortion.
- Google Threat Intelligence Group warns that attackers have switched to custom Python exfiltration tools and recommends tighter OAuth controls and employee security training.