In June 2025, Google confirmed that its corporate Salesforce database was breached by the cybercrime group ShinyHunters. The target? A CRM system storing contact information for small and mid-sized businesses—specifically prospective Google Ads customers (Axios).
While Google says the exposed data was limited to business names, phone numbers, and internal notes, it’s a reminder that even “basic” information can be dangerous in the wrong hands.
What Happened
Google reports that ShinyHunters used a social engineering attack—voice phishing, or “vishing”—to trick an employee into installing a malicious connected app disguised as Salesforce’s Data Loader tool.
Once installed, the app gave attackers access to the Salesforce instance. From there, they could see:
- Company names
- Business phone numbers
- Notes from Google’s internal sales team
No Google product systems or Ads accounts were breached, but the CRM contact database was compromised. Google has since removed the malicious app, notified affected businesses, and implemented additional safeguards.
Why This Matters to Small Businesses
Your data might be in someone else’s system.
Even if you never gave Google permission to store sensitive details, a simple lead form or sales conversation can land your business in a large company’s CRM. If that company gets breached, your data could be exposed.
“Basic” information fuels targeted attacks.
A cybercriminal with your company name, phone number, and context from sales notes can craft convincing phishing emails or impersonate your staff.
Social engineering bypasses tech defenses.
This wasn’t a brute-force hack—it was a person tricking another person. That’s why every business, regardless of size, needs a human-focused security plan.
Lessons for SMBs Using CRM Systems
- Audit your CRM access: Only give staff the permissions they need. Remove unused accounts promptly.
- Enable multi-factor authentication (MFA): Require MFA for every CRM login, whether on-site or remote.
- Verify app integrations: Never install a connected app unless it’s verified and approved by your security lead.
- Train your team to spot vishing: Social engineering can come by phone, video call, or email. Teach employees to confirm unusual requests before acting.
- Monitor for unusual outreach: If clients or partners report suspicious calls or emails, investigate quickly.
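The first three checks above can be run as a routine audit over exported CRM data. The sketch below is an added example, not code from the original article or from Salesforce. The CSV column names, app IDs, usernames and the 90-day staleness threshold are all constructed assumptions. Approval is keyed on the app ID rather than the display name, so an app that merely calls itself "Data Loader" is flagged as a lookalike.

```python
import csv
import io
from datetime import date

# Constructed allowlist and exports; column names are assumptions, not a real CRM schema.
APPROVED_APPS = {"app-001": "Data Loader", "app-002": "Mail Sync"}

APP_EXPORT = """app_id,app_name,authorized_by
app-001,Data Loader,alice
app-777,Data Loader,bob
app-002,Mail Sync,carol
app-900,Report Helper,bob
"""

USER_EXPORT = """username,active,last_login,mfa_enabled
alice,true,2025-06-01,true
bob,true,2025-05-28,false
dave,true,2024-11-02,true
erin,false,2024-01-15,false
"""

def audit_apps(export_csv, approved):
    """Flag connected apps whose ID is not on the approved list."""
    approved_names = {name.lower() for name in approved.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["app_id"] in approved:
            continue
        # Approved display name under an unknown ID: treat as a lookalike.
        known_name = row["app_name"].strip().lower() in approved_names
        kind = "lookalike" if known_name else "unapproved"
        findings.append((kind, row["app_id"], row["app_name"], row["authorized_by"]))
    return findings

def audit_users(export_csv, today, stale_days=90):
    """Flag active accounts that lack MFA or have not logged in for stale_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["active"] != "true":
            continue  # deactivated accounts need no further action here
        if row["mfa_enabled"] != "true":
            findings.append(("no_mfa", row["username"]))
        if (today - date.fromisoformat(row["last_login"])).days > stale_days:
            findings.append(("stale", row["username"]))
    return findings

if __name__ == "__main__":
    for finding in audit_apps(APP_EXPORT, APPROVED_APPS) + audit_users(USER_EXPORT, date(2025, 6, 15)):
        print(finding)
```

Each lookalike finding names the user who authorized the app, which tells you who to follow up with about a possible vishing call.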
Final Takeaway
This breach shows that even tech giants like Google can fall victim to human error. For SMBs, the lesson is clear: protecting your own CRM is only half the battle—you also need to be aware of where else your business data might live and ensure those partners follow strong security practices.
Don’t wait for a breach to find your weaknesses. Our cybersecurity team offers CRM security reviews, penetration testing, and round-the-clock monitoring to keep your data safe. Call Constructure Technologies at 631.396.7777 or email info@constructuretech.com today.