Over 2.5 billion Gmail users may be at risk after a significant cyberattack that targeted a Google database managed through Salesforce’s cloud platform. Security experts are calling it one of the largest breaches in Google’s history. The attack is linked to the hacker group ShinyHunters.
How the Breach Happened
The breach began in June 2025 using social engineering tactics. Scammers impersonated IT staff during phone calls and convinced a Google employee to approve a malicious Salesforce-connected application. This allowed attackers to access contact details, business names, and notes.
Important: No user passwords were stolen, but the stolen data is being misused in phishing emails, spoofed calls, and fraudulent texts. Scammers often impersonate Google to trick users into sharing login codes or resetting passwords, which could lead to full account takeovers.
Risks for Users
Even without password exposure, hackers can use the stolen details to:
- Impersonate Google representatives
- Access personal documents and photos
- Exploit linked financial accounts or business systems
- Attempt brute force logins using common passwords
How to Protect Yourself
- Check exposure – Use ID Protection’s Data Leak Checker and Dark Web Monitoring.
- Strengthen security – Update passwords, use unique strong passwords, and enable MFA.
- Block scams – Use Trend Micro ScamCheck for call blocking, SMS filtering, and scam detection.
- Verify emails – Upload suspicious messages to ScamCheck to confirm authenticity.
- Use passkeys – Google encourages fingerprint or face recognition login, resistant to phishing.
- Run Google Security Checkup – Review and strengthen account protections.
Google’s Response
Affected users were notified on August 8, 2025. Google stated the compromised data was mostly publicly available business information, though even basic details can aid scammers.
About ShinyHunters
ShinyHunters (also tracked as UNC6040) often impersonates IT support to infiltrate systems and extract massive datasets. Sometimes another related group, UNC6240, uses the stolen data for bitcoin extortion. Security experts warn that future attacks may escalate