Hackers Threaten Google Following Data Exposure
A recent breach involving a third-party Salesforce system used by Google has sparked an unusual escalation. Although no Gmail inboxes, passwords, or internal Google systems were accessed, attackers gained entry to a sales database that included names, phone numbers, email addresses, and internal notes related to small business clients. This type of data is often used to fuel impersonation and phishing campaigns.
Shortly after Google confirmed the breach, a group calling itself Scattered LapSus Hunters published a public demand on Telegram. The group called for Google to fire two named employees from its Threat Intelligence team and to halt its internal investigation into the breach. They threatened to release additional information if their demands were not met. So far, they have not provided any evidence that they possess more data or have access to core Google systems.
Google has acknowledged the original Salesforce-related incident but maintains that the breach was limited in scope and did not affect user-facing services or accounts.

What Was Breached and How
The data was exposed through a Salesforce-connected application used by Google’s sales teams to manage outreach and lead tracking. The attackers reportedly used voice phishing tactics to impersonate trusted personnel and gain access to this environment. Google confirmed that only sales engagement data was affected, which includes business contact information and records of communication.
The group responsible for the breach, ShinyHunters, has a history of targeting third-party systems rather than going after core infrastructure directly. In this case, they exploited the OAuth connections between Salesforce and internal business systems, which allowed them to bypass traditional defenses.

How This Impacts Us
For Users
Although the breach did not expose login credentials, the risk is not zero. The exposed information makes targeted phishing and impersonation more believable. Users, especially those who interacted with Google’s business sales teams, may receive emails or phone calls that appear legitimate. These attempts can be used to gain further access or trick users into sharing sensitive information.
Google has recommended that users enable two-factor authentication, preferably through an app or passkey, and avoid clicking links or sharing credentials based on unsolicited outreach.
For Organizations
This incident highlights how attackers are shifting their focus. Instead of going after hardened internal systems, they are exploiting trusted third-party environments and indirect channels. Even if a company’s primary infrastructure is secure, the tools and platforms it connects to may present easier paths for intrusion.
It also introduces a new kind of risk. The public naming of employees and threats directed at corporate investigations show how cyberattacks are evolving into reputational pressure campaigns. These tactics aim to create confusion, hesitation, and fear inside the organization, even if the technical damage is limited.
For the Broader Risk Landscape
Incidents like this raise questions about vendor risk management and investigative integrity. The breach occurred through a tool used every day by thousands of companies, not because of a flaw in Google’s core systems. This kind of lateral risk needs to be considered in third-party security reviews and incident planning.
Although no immediate regulatory action is expected, companies in regulated industries may face additional scrutiny around how they monitor and respond to vendor-related breaches. If future incidents reveal deeper access or delays in reporting, the regulatory picture could shift.
*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/hackers-threaten-google-following-data-exposure/

