Particle.news

Google Contains Salesforce CRM Breach as Hackers Adopt Python Exfiltration Tools

Rebranded as Sp1d3rHunters, the group has threatened extortion after exfiltrating basic business contact records.

Overview

  • In June, attackers using voice phishing tricked employees into approving a malicious Salesforce Data Loader OAuth app to breach Google’s corporate CRM.
  • Google says the intrusion exposed only basic business contact details and related notes for prospective Ads customers, with no payment or core Ads systems affected.
  • The company cut off access within a short window, conducted an impact analysis and proactively notified impacted contacts.
  • ShinyHunters (UNC6040), now calling themselves Sp1d3rHunters, claim roughly 2.55 million records and reportedly demanded around 20 BTC in extortion.
  • Google Threat Intelligence Group warns that attackers have switched to custom Python exfiltration tools and recommends tighter OAuth controls and employee security training.