Major companies like Google, Adidas, and several well-known brands have been hit by a sophisticated Salesforce scam. Attackers used voice phishing—posing as IT support—to trick employees into giving them access to key corporate databases. These breaches saw criminals move freely inside Salesforce “instances,” copying business contacts and sensitive communications from platforms such as Microsoft 365.
The ShinyHunters group, responsible for these attacks, uses simple but effective social engineering tactics that bypass even strong technical barriers. Their methods highlight how easy it is for a phone call to compromise entire systems, putting both business and customer data at risk. This article breaks down how the scam works, what it has exposed, and steps companies can take to defend against similar threats.
How the Salesforce Scam Unfolded
The breach that hit major brands like Google and Adidas was not a technical assault on firewalls or encrypted networks but rather a low-tech attack exploiting human trust and routine business workflows. Attackers used a mix of clever conversation, technical know-how, and Salesforce’s own integration features to slip past defenses and pull sensitive data straight from company databases.
Role of Social Engineering Tactics
At the core of these attacks was social engineering. The attackers, tied to the group ShinyHunters, posed as IT support staff and contacted employees by phone. They used realistic, urgent stories—like claims of system errors or the need for immediate verification—to push employees into acting fast. The attackers spoke with confidence, often providing some accurate company details to strengthen their credibility.
Once they had the employee’s attention, the hackers walked them through steps that would “resolve the issue.” In reality, these steps set up backdoor access for the attackers. What made this tactic so effective was its simplicity. It did not require malware or fancy hacking tools, just a convincing voice and a believable script. Employees, even at tech-savvy firms like Google, were caught off guard because the requests mirrored everyday support calls.
This style of attack echoes the risks highlighted in new research on voice-based threats. As scammers grow increasingly sophisticated, techniques like deepfake audio only raise the stakes, making it harder for employees to recognize real from fake. For more on analyzing voice scams and audio threats, see the guide on Detecting Deepfake Audio in 2025.
Exploitation of Salesforce Features
The scam succeeded because of a specific Salesforce feature: app integration using an 8-digit code. Salesforce allows users to connect to external apps—tools for mapping data, sending newsletters, or syncing with other business systems—by simply entering this short code.
The attackers took advantage of this by directing employees to input their 8-digit code into what they claimed was a legitimate Salesforce “Data Loader” app. Instead, the app was a fake controlled by the hackers. This step granted the attackers direct access to the company’s Salesforce “instance”—the unique database where customer and business records live.
With this access, hackers could:
- Download contact lists, sales information, and internal notes.
- Move laterally to other connected accounts, like Microsoft 365, potentially exposing even more sensitive data.
- Act quickly before companies could spot and block the unauthorized access.
This method shows the risk of simple integration tools when paired with social scams. The 8-digit code, designed for ease of use, turned into a weak link that the attackers knew exactly how to exploit. The breach at Google, for example, involved access to databases storing details for small and mid-sized business clients, including names and contact data. While the company reported that most stolen details were publicly available, the incident highlights how a routine process can open the door to large-scale data theft when trust is abused.
These incidents remind us that robust security is not just about strong passwords or technical controls. It’s about helping people spot tricks and understand the real risks behind day-to-day tasks.
Companies Impacted by the Salesforce Breach Campaign
The recent Salesforce breach campaign pulled leading brands like Google, Adidas, and several global companies into a wide net of cyberattacks. While the attacks employed simple voice phishing tactics, the consequences reached deep into the internal systems of these organizations. Below, we break down how these breaches unfolded for Google and other major victims, and what technical details stand out from each case.
Details of the Google Salesforce Breach
Google confirmed that its Salesforce database, used to manage contact information and notes for small and medium businesses, was compromised by the ShinyHunters group. Attackers relied on social engineering, posing as IT staff to manipulate employees into granting access.
The breach started with a convincing phone call, where attackers guided Google staff to input an 8-digit integration code into a fraudulent app. This simple action opened the company’s Salesforce instance to the hackers.
Key facts about the Google breach:
- Data accessed: The attackers retrieved details like business names and contact information. Google claims this was mostly basic, public data, though it was pulled directly from internal CRM records.
- Timeline: The compromise occurred within a narrow window before Google security teams identified and shut down the unauthorized access.
- Company response: Google quickly cut off the attackers, investigated the extent of exposure, and issued a public statement confirming the breach. The company emphasized that sensitive customer data was not involved, stating only routine business contact details were accessed. As of now, Google has not disclosed the number of affected customers, and there has been no official word on ransom demands or extortion attempts.
- Security posture: Google insists its technical barriers remain strong. However, the incident exposes how social engineering bypasses even advanced protections.
For background on how voice-based threats are being analyzed and the broader risk to companies, review the analysis on detecting deepfake audio in live calls.
Other High-Profile Victims
Google was far from alone in this campaign. The same methods used by ShinyHunters targeted a range of major brands across different sectors. Each breach followed the same basic script: attackers called employees, posed as support staff, and harvested integration codes to access Salesforce data.
Other companies affected include:
- Adidas: Attackers gained entry to CRM systems, exposing customer and business partner details.
- Fashion brands: Major names such as Louis Vuitton and Chanel were listed among the victims. For these companies, the scams threatened exposure of partner and client contact lists.
- Airlines: Qantas, the Australian airline, faced a breach where millions of passenger details were at risk.
- Insurance firms and retailers: Allianz Life and Pandora were also hit, with attackers pulling CRM and marketing lists from their Salesforce platforms.
Key patterns and differences:
- Most attacks targeted companies with large external integrations, where Salesforce connected to other business apps or communication tools.
- Hackers took advantage of employees’ lack of training on integration processes and the perceived legitimacy of support calls.
- While Google’s breach involved mostly public business data, other incidents (like the Qantas breach) saw far more sensitive information—such as passenger or customer records—compromised and potentially used for ransom demands.
- The campaign’s success hinged less on technical vulnerabilities and more on the speed and confidence of the social engineering used.
This series of incidents points to a growing need for technical controls to be matched with strong employee training and routines that can spot and stop these low-tech, high-risk attacks before they escalate.
The ShinyHunters Group: Who Are They?
Understanding who the ShinyHunters are is key to grasping why their attacks have been so effective. This group’s approach highlights the risks that come when technical defenses outpace employee awareness. Their profile, tactics, and targets reveal a cybercrime group that blends technical skill with psychological manipulation.
Background and Reputation
The ShinyHunters group is recognized as a major force in the cybercrime world. They first appeared on the scene in 2020 and quickly built a reputation for big, public breaches. ShinyHunters is classified as a black-hat hacking collective, meaning their work is illegal, highly organized, and focused on financial gain at any cost. Their operations span a range of targets, from tech giants to global retailers and beyond.
For a deeper look at their origin and history, see the overview of ShinyHunters on Wikipedia, which outlines their activity and lists major cases linked to the group.
Notable Attacks and Victims
ShinyHunters stands out for targeting well-known, high-value organizations. Their previous attacks read like a who’s who of international brands and include:
- Microsoft (reported breaches of private code repositories)
- Tokopedia, the Indonesian e-commerce leader
- Wattpad, a global online publishing platform
- Bonobos, a popular clothing retailer
In each case, ShinyHunters used a mix of social engineering and technical exploits to access large databases. In the Microsoft case, the group has been tied to attacks on private GitHub code repositories, where they reportedly obtained hundreds of megabytes of sensitive source code. For more details, review this ShinyHunters threat actor profile.
Methods and Techniques
ShinyHunters favor techniques that require more psychology than code. Their recent focus on voice phishing attacks—posing as IT support over the phone—shows how they exploit human trust, not just software flaws. By convincing employees to share access codes or connect third-party apps, they skirt strong technical barriers with simple deception.
Other common techniques include:
- Deploying fake apps or login screens to steal user credentials
- Exploiting weak integration processes in cloud platforms like Salesforce
- Using data extortion tactics, threatening to release stolen data unless paid
ShinyHunters also maintain an active presence on the dark web, where they publish stolen databases and trade access to breached systems. For more on their tactics and dark web footprint, read the dark web profile of ShinyHunters.
Organization and Affiliations
ShinyHunters is not a single hacker but a collective. The group has connections to other cybercrime outfits, such as The Com, known for hacking, extortion, and, at times, direct threats. Their ability to coordinate across different regions and industries makes them a persistent threat, especially to companies with large cloud deployments.
In recent Salesforce attacks, their approach was simple and effective: get inside quickly, grab as much data as possible, and threaten exposure unless payment is made. The group’s recent activity suggests plans for public “leak sites,” a tactic used to pressure companies into paying ransom by threatening to publish stolen data.
Summary Table: Key Facts About ShinyHunters
| Attribute | Details |
|---|---|
| First Identified | 2020 |
| Known For | High-profile breaches, extortion, focus on cloud systems |
| Methods | Social engineering, phishing, data exfiltration, credential theft |
| Targets | Tech, retail, airlines, cloud platforms |
| Affiliations | Associated with other cybercrime groups (e.g., The Com) |
| Extortion Tactics | Ransom demands, threat of public data leaks |
ShinyHunters’ mix of technical know-how and social skill presents a serious challenge for any business relying on cloud platforms and integrated apps. Recognizing their profile and playbook is the first step toward building smarter defenses.
Consequences and Threats From the Breaches
The Salesforce scam targeting Google, Adidas, and other major brands did more than cause temporary disruptions. The aftermath of these breaches shows how social engineering attacks can have a ripple effect, creating threats that last long after the initial intrusion. Companies are now facing growing technical, financial, and reputational risks as a result.
Immediate Data Exposure
When attackers accessed Salesforce “instances,” they gained the ability to download critical business data with little resistance. Even if the exposed data was mostly public contact information, the way it was collected—directly from trusted corporate systems—makes it more valuable and easier for criminals to exploit.
- Stolen contact records can be combined with other sources to build more effective phishing or fraud campaigns.
- Internal notes may reveal patterns about how firms handle clients, giving attackers additional context for further attacks.
- Access to linked services, such as Microsoft 365, opened the door to private messages, confidential files, and internal business communications.
Attackers can use this information to build profiles on companies and individuals, making future scams and attacks more targeted and believable.
Financial and Operational Impact
The financial consequences of a breach reach beyond direct losses. Companies must often divert resources to investigate and contain the breach, notify clients, and meet legal or compliance obligations. There’s also the real cost of lost trust—clients may reconsider relationships with companies seen as failing to protect their data.
Key financial and operational threats include:
- Investigation and remediation costs
- Legal fees and regulatory fines
- Disruption of business workflows
- Loss of competitive advantage if proprietary information is leaked
For example, businesses affected by scams often see fraud attempts increase following a breach, as threat actors use stolen data to try new schemes. The negative impact on workflow and resource allocation can be significant, as staff must shift to crisis management rather than growth initiatives. These risks mirror challenges seen in other areas where AI tools and data handling intersect, as noted in discussions about how AI is transforming spreadsheet productivity.
Reputational Damage and Client Trust
Reputation is hard to rebuild after a breach. In the wake of these Salesforce attacks, some companies had to admit that customer data, even if not highly sensitive, was taken without consent. When clients learn that their information was exposed due to mistakes in routine processes, their trust erodes quickly.
Common reputational risks include:
- Public disclosure of the breach undermining brand credibility
- News coverage associating the company with lax data security
- Increased customer churn due to perceived neglect
Competitors can use the incident to position themselves as more secure, swaying clients away. In regulated sectors, the reputational fallout can trigger closer scrutiny from oversight bodies, further complicating recovery efforts.
Extortion and Ongoing Threats
Groups like ShinyHunters often use stolen data as a lever for extortion. Victims risk having their information published on so-called “leak sites” if they refuse ransom demands. Even after the initial incident has been contained, the threat remains if attackers release or sell the data later.
Key ongoing threats include:
- Blackmail attempts based on exposed data
- Repeat attacks using inside knowledge of company workflows
- Data being sold to other criminal groups, prolonging the risk
The threat of extortion and repeated targeting means companies must improve both technical controls and employee awareness to reduce the chance of falling victim again.
The Bigger Picture: Industry-Wide Warning
These breaches signal a broader warning to all firms using cloud platforms or integrated systems. A basic phone call convinced employees to hand over keys to corporate data, showing that technology alone is not enough. Without regular training and clear processes, any organization is vulnerable to similar scams.
Staying aware of how cybercriminals use both social and technical tools is essential. As threats evolve, so must company policies and employee habits to prevent the same mistakes from happening again.
Lessons Learned: Preventing Similar Breaches
Major security breaches at brands like Google and Adidas show that even the most advanced systems can fall to simple scams. These incidents prove that companies must go beyond technical defenses and focus on people and process. By recognizing where things broke down, businesses can build stronger routines to keep attackers out—no matter how convincing the voice on the other end of the line might be.
Reinforcing Employee Security Awareness
Well-trained employees are the first, and often most effective, shield against social engineering. The attackers in these cases exploited routine help desk calls and used urgency to get quick results. Security awareness training should not be a one-time task but an ongoing part of the workplace.
Key actions for building an effective security mindset:
- Make security awareness training mandatory for all staff, including executives and contractors.
- Keep training current with real-world examples, like recent voice phishing campaigns and deepfake threats.
- Run regular drills or simulations to test employee responses to social engineering.
- Remind teams that it’s okay to slow down or ask questions when something feels off, even in urgent situations.
For a deeper look at core security training practices, review these 6 important security awareness training practices, which highlight the value of ongoing and mandatory education for everyone in the organization.
Strengthening Technical Controls on Integrations
Many breaches exploited business-friendly features, such as entering short integration codes to connect new apps. These tools prioritize ease, but also create risk when not paired with proper guardrails.
Ways to tighten integration security:
- Limit who can approve or create new integrations within business platforms like Salesforce.
- Require multi-factor authentication (MFA) before allowing sensitive actions or app connections.
- Monitor app connections for unusual activity, such as rapid data exports or connections from new locations.
- Regularly audit which third-party apps have access to your systems and remove those no longer in use.
For additional basic practices, the Cybersecurity Best Practices published by CISA provide a solid foundation and include advice on updating software, using strong passwords, and turning on MFA.
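The monitoring and audit items in the list above can be written as detection logic over an app-activity log. The following is an added example, not code from Salesforce or any vendor named in this article; the log columns, app IDs, user baselines and thresholds are constructed assumptions to be mapped onto your own log export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Column names are hypothetical, not Salesforce's
# event schema; map them to the fields your own log export provides.
SAMPLE_LOG = """\
time,user,event,app_name,app_id,country,records
2025-06-02T09:00:00,alice,export,Data Loader,APP-OFFICIAL,US,400
2025-06-02T14:05:00,bob,authorize,Data Loader,APP-UNKNOWN-1,US,0
2025-06-02T14:07:00,bob,export,Data Loader,APP-UNKNOWN-1,NL,20000
2025-06-02T14:09:00,bob,export,Data Loader,APP-UNKNOWN-1,NL,35000
2025-06-02T14:12:00,bob,export,Data Loader,APP-UNKNOWN-1,NL,30000
2025-06-03T10:00:00,carol,export,Newsletter Sync,APP-NEWS,DE,1500
"""

# Assumed policy values for the example.
APPROVED_APP_IDS = {"APP-OFFICIAL", "APP-NEWS"}   # allowlist by ID, not display name
USER_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"}}
EXPORT_WINDOW = timedelta(minutes=10)
EXPORT_LIMIT = 50_000                              # records per user+app per window


def analyze(log_text):
    """Return a list of (time, user, rule, detail) findings, one per distinct issue."""
    findings, alerted = [], set()
    recent = defaultdict(list)  # (user, app_id) -> [(timestamp, records)] in window

    def emit(row, rule, detail):
        # Report each (user, rule, detail) once so a burst does not flood the queue.
        key = (row["user"], rule, detail)
        if key not in alerted:
            alerted.add(key)
            findings.append((row["time"], row["user"], rule, detail))

    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["time"])
        user, app_id = row["user"], row["app_id"]

        # Audit: any activity from an app ID nobody approved, even if the
        # display name matches a legitimate tool.
        if app_id not in APPROVED_APP_IDS:
            emit(row, "unapproved_app", f'{row["app_name"]} ({app_id})')

        # Monitoring: connection from a location outside the user's baseline.
        if row["country"] not in USER_COUNTRIES.get(user, set()):
            emit(row, "new_location", row["country"])

        # Monitoring: rapid export, summed over a sliding time window.
        if row["event"] == "export":
            window = [(t, n) for t, n in recent[(user, app_id)]
                      if ts - t <= EXPORT_WINDOW]
            window.append((ts, int(row["records"])))
            recent[(user, app_id)] = window
            if sum(n for _, n in window) > EXPORT_LIMIT:
                emit(row, "rapid_export", app_id)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Matching on the app ID rather than the display name is what catches the lookalike "Data Loader" entry in the sample, since its name is identical to the approved tool.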
Building a Reporting Culture
Scams thrive in silence. Many breaches continue longer than they should because employees fear blame or think their questions will slow down the business. Building a workplace where people feel safe reporting suspicious requests is critical.
Consider these strategies:
- Make it clear that reporting possible phishing or scam attempts is encouraged—never punished.
- Set up quick, easy channels (like a dedicated hotline or chat tool) for staff to ask about questionable requests.
- Celebrate “near misses” or times when employees spotted and stopped a scam, sharing lessons company-wide.
The benefits of a strong reporting culture extend beyond stopping attacks. They also help organizations spot patterns and respond quicker the next time attackers try a new trick.
Keeping Security Knowledge Fresh
Attackers change their tactics often. What worked to stop phishing last year might not work now. Companies need to keep their policies, training, and technical defenses updated based on what’s actually happening in the wild.
Best practices include:
- Review and update security protocols after each incident or near miss.
- Encourage IT and security teams to follow trusted resources for the latest trends and threat intelligence.
- Include lessons from actual breaches in training materials so employees see why policies matter.
For more on maintaining ongoing training, check the tips for effective cybersecurity training, which recommend annual refreshers and partnership with your internal communications team.
Balancing Ease of Use with Security
The drive to make business software easy can sometimes open the door to risk. For example, allowing rapid app integrations with a short code saves time—but can be exploited by scammers. Companies must balance efficiency and safety.
Steps to strike that balance:
- Review which features are essential for productivity and which can be limited for security.
- Work with software vendors to enable the most secure default settings.
- Train employees on the reasons behind any new restrictions, so they see security as a shared goal—not a burden.
Security is never one and done. By combining smarter training, better technical controls, open reporting, and a commitment to learning, companies put real walls between their data and the attackers waiting on the phone. For teams interested in how AI intersects with these security risks, see the review of AI tools for bloggers and YouTubers 2025, which touches on managing privacy and data threats in content workflows.
Conclusion
The rise of social engineering attacks highlights a clear gap between technical controls and everyday decision-making. Incidents like those at Google and Adidas show that even strong systems fail if employee vigilance is not prioritized. Attackers are bypassing complex defenses by taking advantage of routine interactions and integration shortcuts.
Staying alert to evolving threats across cloud platforms like Salesforce is now a core job function in every organization. Regular training, clear reporting channels, and ongoing review of integration processes will help reduce the risk. As attackers refine their methods, companies must commit to keeping both their technical and human defenses up to date.
Thank you for reading. Share your experiences or tips on building a security-aware team. Your input can help others stay one step ahead of the next scam.
