Google Confirms Salesforce Breach Exposed Millions of Business Records
Google has confirmed that hackers stole customer data by breaching one of its Salesforce databases, targeting information linked to small and medium-sized businesses.
In a blog post, the Google Threat Intelligence Group said the breach was carried out by the hacking group ShinyHunters, also known as UNC6040, which has a track record of hitting large companies’ cloud databases. Google stated the stolen data was “confined to basic and largely publicly available business information, such as business names and contact details.”
The compromised Salesforce instance was used for communicating with prospective Google Ads customers. According to a breach notice shared with BleepingComputer, affected data includes “business names, phone numbers, and related notes” but no payment information or Google Ads account data.
ShinyHunters told BleepingComputer that the stolen dataset contains about 2.55 million records, though it’s unclear how many are duplicates. The group also claimed ties to Scattered Spider, saying, “They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances.”
Security experts say the attackers used social engineering to trick employees into connecting a malicious Salesforce Data Loader OAuth app to Google’s environment, allowing them to download the database. In some cases, attackers used new Python-based tools instead of the standard Salesforce Data Loader to speed up data theft.
Google began notifying victims on August 8, confirming “emails are actively being sent to those affected by this incident” and later adding it had “completed its email notifications.” William Wright, CEO of Closed Door Security, noted this could mean “the criminals could have held on to the data, unknown to victims, for almost two months.”
This breach is part of a larger wave of attacks against Salesforce customers, following incidents at Cisco, Qantas, and Pandora. ShinyHunters has already issued an extortion demand to Google, though the group later dismissed it as a joke.