Google Data Breach Exposes 2.5 Billion Gmail Users to New Scam Risks
A devastating cyberattack has left over 2.5 billion Gmail users vulnerable to new scam risks, following the compromise of a Google database managed through Salesforce's cloud platform. The incident, linked to the notorious hacker group ShinyHunters, is being described by security experts as one of the largest breaches in Google's history.
The attack, which began in June 2025, relied on sophisticated social engineering tactics. According to Google's Threat Intelligence Group (GTIG), scammers impersonated IT staff during convincing phone calls and persuaded a Google employee to approve a malicious application connected to Salesforce. This gave attackers the ability to exfiltrate sensitive contact details, business names, and related notes.
The Attackers' Methodology
The breach is believed to have been carried out through social engineering: scammers impersonated IT staff and convinced a Google employee to approve a malicious application connected to Salesforce. That approval gave the attackers the ability to exfiltrate sensitive data, which is now being abused by scammers.
Google has confirmed that no user passwords were stolen in this breach, but the stolen data is already being used to create convincing phishing emails, spoofed phone calls, and fraudulent text messages. These scams often impersonate Google staff, tricking victims into sharing login codes or resetting their passwords, which can lead to full account takeovers.
The Consequences
The consequences of this breach are serious: victims could be locked out of their Gmail accounts, lose access to personal documents and photos, or even expose linked financial accounts and business systems. The stolen data provides a valuable starting point for hackers, allowing them to impersonate Google representatives and pressure victims into handing over login credentials or sensitive files.
Some attackers are also attempting brute-force logins, testing weak or common passwords such as "password" or "123456". This highlights the importance of using strong and unique passwords to protect against these types of attacks.
Google's Response
Google began notifying affected users on August 8, 2025, after completing its analysis of the breach. The company emphasized that the compromised data was "largely publicly available business information," though experts caution that even basic details can be weaponized in targeted scams.
This is not the first time Google has been hit by a large-scale incident. Past breaches include the Google+ API leaks (2018), the OAuth-based Gmail phishing scams (2017–2018), and the Gooligan malware campaign (2016). Each incident taught the same lesson: attackers don't always need passwords to cause significant harm.
The Hackers' History
The hacking collective ShinyHunters, also tracked as UNC6040, has a history of breaching corporate systems for extortion. Their tactics often involve impersonating IT support to trick employees into approving malicious Salesforce apps. Once inside, they use tools similar to Salesforce's "Data Loader" to siphon out massive datasets.
In some cases, the stolen information is not monetized immediately. Instead, a related group known as UNC6240 contacts victims months later, demanding bitcoin payments and threatening to leak the stolen data. Security researchers believe the group may be preparing to escalate these extortion efforts by launching a dedicated data leak site.
Protecting Yourself
To protect yourself against this type of attack, it is essential to stay vigilant and take proactive steps to secure your online accounts. Here are some tips:
* Use strong and unique passwords for all accounts.
* Enable two-factor authentication wherever possible.
* Keep your operating system and software up to date with the latest security patches.
* Be cautious when receiving unsolicited emails or phone calls, especially those claiming to be from Google.
By following these tips and staying informed about the latest cybersecurity threats, you can help keep yourself and others safe online.