If You’ve Ever Run Google Ads, Your Business Data May Be at Risk in the Google Salesforce CRM Data Breach

By Andreas Christou
Associate Attorney

Woods Lonergan PLLC is a nationally recognized complex commercial and civil litigation firm that represents consumers and businesses in high-stakes data breach class actions against major corporations. We’ve filed lawsuits in numerous 2025 breach cases—including against PowerSchool, Aflac Insurance, Johnson Controls, and others—and have successfully recovered millions on behalf of affected plaintiffs.

In June 2025, Google confirmed that it was the latest victim in a string of targeted attacks involving Salesforce CRM data theft. The breach exposed internal CRM records used by Google to manage communications with small businesses, startups, and mid-size companies.


Call Our Data Breach Lawyers 24/7 at (332) 378-0376 or email us at loganlowe@woodslaw.com for a free and confidential consultation. Woods Lonergan’s expert data breach lawyers are skilled at securing the affected business owners the compensation they deserve.


How Does the Google Salesforce CRM Data Breach Affect Google and YouTube Ad Users?

If your business has ever interacted with Google in an advertising, sales, or support capacity, your company’s contact details, internal notes, and engagement history may have been stored in Google’s internal Salesforce CRM system—and may have been exposed during this breach.

This includes businesses that:

  • Ran Google Ads (formerly AdWords)
  • Managed campaigns on YouTube, the Display Network, or Google Marketing Platform
  • Received outreach from Google sales or marketing representatives
  • Filled out lead forms for Google Cloud, Workspace, or Ads-related services

In a brief update, Google confirmed that its CRM data was accessed during a limited window in June, before access was terminated. The breach was part of a sophisticated campaign by a threat group known as ShinyHunters, who used voice phishing (“vishing”) to gain login credentials from targeted employees.


Why This Data Matters—Even If It’s Not Financial

While the stolen CRM data may not include Social Security numbers or banking information, it may contain your sensitive, proprietary business information—the kind that can be exploited in targeted cyberattacks.

According to Google’s statement, the accessed data included:

  • Company names and contact details
  • Internal relationship tracking notes
  • Sales rep communications and account histories

Cybercriminals can use this information to:

  • Launch targeted phishing campaigns
  • Impersonate vendors, sales reps, or executives
  • Deliver malware and ransomware disguised as legitimate business communications

In fact, BleepingComputer reports that one affected business has already paid 4 Bitcoins (approx. $400,000) to avoid public data exposure.


You May Never Receive a Formal Notice of the Google Salesforce CRM Data Breach—Here’s Why

Most federal and state data breach regulations are designed to protect individual consumers, not businesses. This means if your company’s information was compromised in this breach, you may not receive any formal notification.

That’s why it’s critical to act quickly if:

  • You’ve received unusual vendor inquiries or suspicious emails
  • You rely on Google for advertising or customer outreach
  • You’ve previously interacted with Google via sales or lead channels

Who’s Behind the Google Salesforce CRM Data Breach?

The threat actor identified in these attacks, ShinyHunters, has a long track record of high-profile data breaches—including campaigns targeting PowerSchool, Oracle Cloud, AT&T, Mathway, and 23andMe. They are now focused on breaching Salesforce CRM “instances” (distinct CRM environments used by companies like Google), using voice phishing techniques to obtain employee login credentials.

Once inside, the group steals customer records and uses them to extort companies—sometimes threatening to leak the data on hacking forums. In other cases, they bypass ransom demands altogether and release the stolen data to maximize damage.

Reuters reporter Raphael Satter noted in his June 4, 2025 article: 

“Hackers abused a modified Salesforce application to steal data and extort companies, a tactic increasingly used by the threat group ShinyHunters.” The article further cited a Google spokesperson: “We took swift action to remove the malicious app and cut off access as soon as we became aware of the activity.”


Why Is This Breach So Dangerous for Small, Mid-Size, and Startup Businesses?

While this breach may not involve traditional consumer data such as Social Security numbers or banking credentials, it poses an equally serious — and in many cases more immediate — cybersecurity threat to your company.

The hackers behind the breach, a well-known cybercriminal group called ShinyHunters, are using sophisticated voice phishing (vishing) and social engineering tactics to breach Salesforce CRM platforms. In Google’s case, they gained access to one of the company’s internal Salesforce instances and quietly exfiltrated data before access was detected and shut down. Google confirmed that the stolen CRM data was tied to small and medium businesses and contained contact information and internal sales notes.

This is not just a theoretical risk. According to BleepingComputer’s Ax Sharma, one of the small businesses victimized in this ongoing cyberattack campaign paid 4 Bitcoin (approximately $400,000) to prevent its stolen data from being publicly leaked. Sharma noted: “Some victims have quietly complied to prevent sensitive B2B data from leaking into the wild.” Other companies are currently facing similar extortion demands — and many more may have no idea their data is now in criminal hands.

Because this data includes proprietary business information, it becomes a roadmap for cybercriminals:

  • Names of decision-makers and employee roles
  • Internal sales notes and campaign spend
  • Business workflows and targeting strategies

This enables highly convincing phishing emails, impersonation attacks, and even follow-on ransomware incidents.

Startups, mid-sized companies, and smaller enterprise organizations are particularly vulnerable:

  • They often lack dedicated cybersecurity teams
  • They may not monitor internal systems for unauthorized access
  • They may never receive breach notification due to regulatory loopholes

What makes this breach especially dangerous is that most federal and state data breach laws do not require companies like Google to notify affected businesses. That means your company’s information could be circulating among hackers right now, without your knowledge — until it’s too late.

Legal Claims Woods Lonergan Is Investigating in the Google Salesforce CRM Data Breach

  • Negligence / Negligence per se — failure to implement and maintain reasonable cybersecurity controls (including segmentation, internal access restrictions, and vishing protections) suitable for sensitive B2B and advertising records.
  • Breach of Implied Contract — businesses entrusted sensitive marketing, sales, and contact data to Google with the understanding it would be securely managed and safeguarded.
  • Breach of Fiduciary Duty / Confidentiality — potential failure to protect confidential client onboarding information and sales communications.
  • Unjust Enrichment — Google benefited from maintaining contact records and campaign data without providing reasonable protections against known CRM attack vectors.
  • Violations of State Business Data Protection Laws — including the New York SHIELD Act and similar laws in states where businesses are incorporated or operate (failure to notify; failure to safeguard proprietary commercial information).
  • Federal Trade Commission Act (Section 5) — where applicable, failure to provide reasonable data security for businesses may constitute an unfair business practice.

Contact Our Data Breach Litigation Team

If your business has ever used Google Ads, YouTube campaigns, or interacted with a Google sales representative, your proprietary business data may have been exposed in the Google Salesforce CRM data breach. Even if you have not received formal notice from Google, your sensitive company information could already be in the hands of cybercriminals. Contact us for a free and confidential consultation. Woods Lonergan’s expert data breach lawyers are investigating a class action data breach lawsuit and are skilled at securing affected businesses the justice they deserve. Call us 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com — we take no fees unless we win.

About Woods Lonergan PLLC

Woods Lonergan PLLC is a nationally recognized plaintiff firm specializing in complex civil litigation, including class action, data privacy, and cybersecurity matters. We have a proven track record of successfully holding corporations accountable for data breaches and protecting the rights of consumers. Our firm is currently representing plaintiffs in open litigation for numerous significant data breaches in 2025, including cases involving PowerSchool, Ahold Delhaize, Aflac Insurance, Johnson Controls, Community Health Center, DISA Global Solutions, and New Haven Health. Notably, in 2025, Woods Lonergan has settled on behalf of plaintiffs in data breach litigation, including the 23andMe Data Breach Lawsuit for $30 million in the Northern District of California. Additionally, in June 2025 we successfully reached a Multi-Million Dollar Settlement in the Sunflower Medical Group data breach case on behalf of our clients in the U.S. District Court for the District of Kansas.

Woods Lonergan has a proven track record of successfully holding large corporations accountable for failing to protect highly sensitive consumer data.

FAQs on the Google Salesforce CRM Data Breach for Business Owners

How do I know if my business was affected by the Google Salesforce CRM breach? 

If your company has ever interacted with Google’s advertising or cloud services—especially via sales outreach, lead forms, or Google Ads—you could be affected. Monitor for suspicious activity like phishing emails, unrecognized Salesforce connections, or unusual changes to your data.

What information was stolen in this breach? 

According to Google, the breach involved “basic and largely publicly available business information.” However, this includes:

  • Company contact details
  • Sales history
  • Relationship tracking notes
  • Internal communication logs

These can still be used for impersonation or phishing.

Why haven’t I received a notice from Google? 

Federal and state data breach laws generally focus on consumer protections—not B2B data. If your business was affected, you may not receive any formal notice. That’s why legal guidance is crucial.

What are the legal risks or liabilities for my business? 

Even if Salesforce itself wasn’t breached, companies using Salesforce may still be legally liable if they didn’t properly protect their CRM data or if they fail to notify affected stakeholders.

What should I do if I suspect my business data was compromised?

  • Conduct an internal audit of Salesforce connections and user activity
  • Hire a cybersecurity expert to identify and contain exposure
  • Consult legal counsel to evaluate obligations and potential claims
  • Monitor for extortion attempts, phishing, or impersonation emails

How can a business determine if its data is at risk in this breach? 

Review communication from Google and Salesforce. If a business was impacted, it might have received a direct notification from Google.

Check for unusual activity in the Salesforce instance. Although the attack targeted Google’s Salesforce instance, the broader campaign by ShinyHunters (UNC6040/UNC6240) targets Salesforce users through vishing scams. Businesses should monitor their Salesforce data for unauthorized access or changes, such as unexpected logins, downloads, or modifications to records.

Audit connected applications. Attackers exploited Salesforce’s functionality to connect third-party apps, allowing access to data. 

What data was involved in this particular breach affecting Google? 

Google said the data retrieved was “confined to basic and largely publicly available business information,” such as business names and contact details.

However, the ShinyHunters campaign is known for stealing various types of customer data, according to StrongDM.

What steps should a business take if it suspects its data is at risk or has been compromised?

  • Contain the breach. Immediately disconnect affected systems and close potential entry points.
  • Identify the source and scope. Engage cybersecurity professionals to investigate the breach and determine its cause and the data exposed.
  • Notify internal stakeholders and legal counsel. Inform leadership, the legal team, and IT/security personnel about the potential incident.
  • Comply with notification laws. Understand legal obligations regarding data breach notification laws in the relevant jurisdiction. This may include notifying affected individuals and relevant authorities like the FTC or state attorneys general.
  • Preserve evidence. Document all findings and preserve logs, communications, and other relevant evidence for potential legal proceedings or regulatory inquiries.
  • Review and update security measures. Implement risk mitigation strategies, including enhanced cybersecurity training, regular security audits, and revisions to data protection policies and procedures.

Are companies using Salesforce legally liable if their data is compromised in this type of attack? 

Although Salesforce states its platform was not compromised and the issue is due to social engineering, the data owner (the business) may still face liability for losses if the breach was due to a failure to implement adequate security measures or timely notify affected individuals under state data breach notification statutes. Consult a data breach attorney to assess the specific legal position and potential liabilities.

What are the potential damages or compensation available to businesses impacted by a data breach? 

Potential damages can include reimbursement of identity theft losses, out-of-pocket costs for protective measures, and compensation for time spent responding to the breach. Businesses may also seek compensation for the costs of improving data security systems and providing credit monitoring or identity theft insurance to affected individuals. According to Berger Montague, successful lawsuits often aim to secure benefits like reimbursement for identity theft losses, out-of-pocket costs for protective measures, and improvements to the company’s data security systems.

How can a data breach litigation attorney help a business in this situation?

  • Guidance on legal obligations
  • Pursue damages
  • Represent in litigation
  • Advise on risk management

What are some of the defenses companies might raise in a data breach lawsuit? 

Companies might argue they had an adequate information system in place to defend against breaches, detected the breach early and took action, or that the plaintiff’s proposed class in a class-action lawsuit doesn’t meet the requirements. Experienced legal counsel is important to address these potential defenses and build the strongest possible case.

About the Author
Andreas E. Christou is an Associate Attorney with Woods Lonergan PLLC, having joined in 2020. Andreas received his J.D. from St. John’s University School of Law and his B.A. in Political Science from Pace University. Previously, Andreas worked at a Queens-based law firm where he litigated in state and federal courts and primarily handled consumer bankruptcy, real estate litigation and commercial litigation matters. At Woods Lonergan, Andreas handles a variety of state and federal matters including bankruptcy, real estate litigation, specifically focused on representing the boards of condominium and cooperative communities in New York City, FLSA actions, personal injury, and general commercial and corporate litigation. If you have any questions regarding this blog, you can book a consultation with Andreas here.
Disclaimer: The information in this article and blog post (“post”) is provided for informational purposes only, and may not reflect the current law(s) in every jurisdiction. No information contained in this post should be construed as legal advice from Woods Lonergan PLLC or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. Nothing herein shall be construed to create an attorney-client relationship with Woods Lonergan PLLC. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient’s jurisdiction. This post is attorney advertising.