Google suffers data breach in ongoing Salesforce data theft attacks

kyrra

From the source: https://cloud.google.com/blog/topics/threat-intelligence/voi...

> The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.

sugarpimpdorsey

> Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off.

That's a pretty nonchalant way to say "they totally stole stuff before we knew what was going on or could stop them".

jedc

"store contact information and related notes for small and medium businesses"

Most likely translation: it affected the Google SMB sales team's Salesforce instance

lesuorac

> The data retrieved by the threat actor was confined to basic and largely publicly available business information

Which is to say, they took public _and_ private data and the private data is something we don't wish to publicly admit so probably not good.

Bluescreenbuddy

Surprised Google didn't have some internally developed alternative.

progbits

From my experience with sales/PM people at google, they refuse to use internal tools and try to get Jira and other shit installed. Regardless of the tool quality, just because that's what they learned already.

This mostly didn't work out for them back in the day but in more recent times as more and more low quality middle level managers and execs get hired they manage to get approvals.

In my org a new VP demanded Jira instance within a month of joining the company and that it be used for technical project reporting.

Of course all the developers said fuck no to that so for a while some managers were trying to do two way sync between Jira and Buganizer. When I left it was mostly abandoned and full of tumbleweed...

kwanbix

Jira's rise to power is one of those things I would never understand. Such a horribly designed tool. Today it is much better, yes, but it is so over-engineered and at the same time lacks so many things.

lenkite

Jira may be over-engineered, but I don't think it lacks anything. You can always get a plugin if something is missing. Our corpo Jira crawled because of a stupendous amount of plugins (close to a thousand). Once we had a Jira clean-up operation done, it became magically fast.

Agingcoder

The first time I used it around 2007 I thought it was great. It was basic, but did everything that I wanted (I didn’t care about the project management that maybe didn’t even exist back then, I don’t remember).

I think that it’s been diverted from its original purpose, and is now indeed horribly complicated since it’s supposed to be all in one package.

I’ve also noted that in large companies the quality of the product for end users, as long as it’s not a massive drag on productivity or on recruitment and is not core business, is irrelevant and that other factors are more important (costs, contracts, easy to install, integrate and maintain, quality of support, breadth of use within the company etc). This makes Atlassian a natural superpower.

asah

Jira was the first tool to truly support bulk search/edit of issues, i.e. it scaled where everything else fell over with >250 issues...

0xbadcafebee

Replace Jira with Microsoft and this is the same complaint from the 90's/2000's about a business company that delivers features rather than making nerds happy. Nobody likes it, yet everybody uses it.

grumple

I think it's fundamentally easy to use once you get it set up, it's just absolute madness in terms of configuration. But you can easily manage a backlog, sprints, update tickets, etc, plus they have a query language (JQL) that you can use to make widgets that are useful (although many of those should just be defaults). It's got a lot of flexibility in terms of required fields, forms, workflows, etc.

crinkly

PMs like it because they can break it until it fits their worldview. I've worked at 3 orgs in a row where the JIRA was a complete fucking broken mess because the process in it didn't match reality but someone thought it did.

infamouscow

It's very easy to understand, developers just refuse to accept it for undermining their strongly held beliefs regarding success in the software industry.

It's true you need working software, but without sales and operations doing their part, the software will be scrapped when the company folds.

Sales and operations get away with everything because they're the beating heart of any successful organization.

sciurus

I saw a similar pattern when I worked at Mozilla. We had bugzilla and jira, mediawiki and confluence, irc/matrix and slack, the list goes on...

I just checked and https://github.com/mozilla/jira-bugzilla-integration is alive and well.

lenerdenator

> From my experience with sales/PM people at google, they refuse to use internal tools and try to get Jira and other shit installed. Regardless of the tool quality, just because that's what they learned already.

That's when you're supposed to pull the smooth-talking people that are usually in those roles and ask them a very simple question:

"Do you want this tool more than you want to be employed?"

closewith

Good software salespeople are much rarer than good developers, so it's likely that conversation would be had with the other parties.

Rebelgecko

Google has been replacing a lot of internal tools with janky cookie cutter Salesforce stuff. Part of the culture change I guess.

QuercusMax

My experience was that a lot of internal tools were tremendously janky. The awful system used for filling out compliance questionnaires for audit often had 10+ second UI latency when saving text fields. The perf tools often broke right when everyone had to use them all at the same time.

I don't know if they ever built a proper replacement, but for at least half a decade the Baggins Roster UI (internal backend for things like Google Groups and such) appeared to have been an abandoned summer intern project.

paxys

Custom internal tools at such companies are mostly restricted to the engineering org. Employees in sales, marketing, accounting etc. prefer to stick with the industry standard.

johannes1234321

As long as they don't aim to make it a product developing a CRM is too expensive. Especially if one wants to include country specific requirements etc. Also training users on a custom software costs money and many people working in roles requiring CRM usage rotate relatively fast.

And for making it a product: It's a quite competed market, with Salesforce, SAP, Google, Microsoft, ... and it doesn't fit to Google's "you're on your own" approach, but requires consulting and integration services, as introducing a CRM to a company involves analysing the existing processes and then adapting processes to software capabilities and adapting software to processes. (Which both often fails ...)

wferrell

They had an internal CRM. It was buggy, missing key features and engineers didn’t really want to work on it.

hnthrow90348765

If I had jumped through Google's hiring hoops, I wouldn't either. Of course, this could be solved with money.

mrweasel

Oh, so I wonder if that's also how KLM lost my data.

grumple

I'm surprised, mostly because Google seems to have basically no salespeople, account reps, or customer management.

shadowgovt

I'm modestly surprised to learn Google was using Salesforce internally at all; the NIH runs deep with that company (they even have their own bugtracker because every other option just wouldn't cut it).

On the other hand, the past decade-ish has seen them grow very rapidly via acquisition, so perhaps this DB was grandfathered in via an acquired company and hadn't yet been replaced by anything internal.

(For Salesforce in particular though, I'd be willing to believe Google doesn't have an in-house alternative... People asked for a Salesforce-like in Google Workspace for years and the company had no interest. I have a hunch that most Googlers find the idea of creating a new CRM to be a profoundly boring intellectual exercise).

eitally

Fwiw, I was hired by Google in 2015 to help answer questions like "if Google were to add a CRM to the GSuite portfolio, should they build one, buy one or partner with key players". My team's charter was to create business cases with various options and run them up the chain (at the time, Prabhakar was running product for "Google for Work"). On more than one occasion we presented cases with 3 year ROIs in the $xxxM range and were shot down every time with a "too small" comment. A couple years later, Google had partnered with Copper CRM and supported extension builds into Workspace/GSuite, but had also begun a major enterprise rationalization project to consolidate a multitude of Salesforce instances into a single one, at the same time as adopting standard enterprise features & processes of Anaplan.

This led to consolidation of a number of back office IT teams that ultimately ended up with far more enforcement clout than they'd historically had. By the time Ruth changed roles, most of the "normal" business processes had been fairly standardized. Fwiw, the Cloud instance of SFDC, which is by far the most complex & customized, has been in full use for almost five years now and is the canonical source of truth for sales data.

coredog64

I'm surprised Google could get away with only a single SFDC instance. AWS has multiple SFDC installations and is forever having to deal with "Oh, yeah, that data is in this other SFDC installation"

shadowgovt

I wonder if the Cloud SFDC is the one that was compromised. It's a little telling Google didn't go into details about which arm of the octopus got attacked (or if they did, I didn't see that reporting yet... Unless Cloud is the implied victim because the description of the attack showed up on the Cloud blog).

I feel you about the ROI. In hindsight, it's a little funny to me that Salesforce is doing revenue numbers a little under half of Google Cloud; you'd think that would be large enough value to get Google interested in biting into that pie.

loeg

> they even have their own bugtracker because every other option just wouldn't cut it

Of all the things to NIH, this is one of the most defensible -- lots of bugtracker options just aren't very good.

cjpearson

I've generally not had an interest in working for one of the big tech companies, but the opportunity to escape JIRA is tempting.

dilyevsky

iirc google cloud’s entire support ticket system is built on top of sf - it went down when Salesforce had an outage a few years back

bpodgursky

Salespeople are VERY familiar with Salesforce and are not very technical. Probably significantly increases onboarding and training time to have a weird new tool.

Easy to hire experienced salespeople and have them hit the ground fast if they use standard Salesforce conversion flows.

bombcar

It still amazes me that Salesforce, which is good, mind you, is still basically just Microsoft Access as a Service, and yet here we are.

mc32

Google uses lots of non-Google solutions for many things —just imagine all the facilities stuff. But so does any software company, including Microsoft and Amazon.

That said, you can hire people for any purpose (specific roles) and you can build what you want. It’s more a question of whether it’s worth it to build such solutions, after all you have a main line of business to tend to. That’s to say even Google and Apple have so-called “boring” roles and there are lots of people who don’t see it that way and want to work doing those things.

progbits

Actually a lot of the facilities stuff is inhouse too - floor plans (not just the seat map but actual floor drawings that include physical infrastructure); the ticketing system for maintenance; work hour tracking for contractors; probably a lot more that I'm forgetting.

But yes your point stands, sometimes it just makes more sense to use an existing product.

eitally

The floor plan tool isn't really in house. It's just an extension of the industry standard real estate management platform they use, Tririga (https://www.ibm.com/products/tririga) ... in the same way that go/teams is just a custom visualization of a standard employee directory.

You might be surprised how much of what runs Google (Anaplan, for example, for XWS) is fairly industry standard.

shadowgovt

Given the low expected profit margin, a CRM solution at Google would likely come from a 20% project (or rather, the equivalent thing these days since last I checked 20% is basically dead as a formal concept). Nobody expected GMail to blow up the way it did, for example; it happened because some Googlers decided they could probably do a web-client-fronted mail client with a Google search engine attached to it and if they did it'd be really cool.

But even with their, what, 180,000 people these days, I think it's entirely possible nobody is as excited about CRM as Paul Buchheit was about email services.
