A massive Google data breach has potentially exposed 2.5 billion Gmail users to phishing scams and fraud, making it one of the largest security incidents in Google’s history. The breach was linked to the hacker group ShinyHunters and involved Google’s database hosted on Salesforce’s cloud platform.
How the Breach Happened
The attack began in June 2025 and relied on social engineering. Hackers impersonated IT staff during phone calls and convinced a Google employee to approve a malicious Salesforce app, which granted them access to business names, contacts, and related notes.
Important: No passwords were stolen. However, attackers are already using stolen data to send phishing emails, spoofed calls, and fraudulent texts, tricking users into revealing login credentials.
Risks for Users
Even without stolen passwords, attackers can:
- Impersonate Google staff to steal credentials or sensitive files.
- Use brute-force attacks on weak passwords like “123456” or “password.”
- Lock victims out of Gmail accounts, exposing emails, documents, photos, and linked financial systems.
How to Protect Yourself
- Check for exposed data: Use tools like ID Protection’s Data Leak Checker and Dark Web Monitoring.
- Strengthen Gmail security: Change your password to a strong, unique one and enable MFA (multi-factor authentication).
- Filter scam communications: Tools like Trend Micro ScamCheck block calls, SMS, and emails from scammers.
- Verify suspicious emails: Upload emails claiming to be from Google to ScamCheck to confirm legitimacy.
- Switch to passkeys: Google recommends using fingerprint or face recognition for phishing-resistant logins.
- Run a Google Security Checkup: Review protections and activate additional safeguards.
Google’s Response
Google began notifying affected users on August 8, 2025, confirming that most of the compromised data was publicly available business information. Despite this, experts warn that even basic details can be exploited in targeted scams.
Previous incidents include:
- Google+ API leaks (2018)
- Gmail OAuth phishing (2017–2018)
- Gooligan malware campaign (2016)
About ShinyHunters
ShinyHunters (also known as UNC6040) specializes in corporate data breaches for extortion. They often use malicious Salesforce apps to extract massive datasets. Some data is monetized immediately, while related groups like UNC6240 contact victims months later with bitcoin ransom demands. Security researchers warn that a dedicated data leak site may be launched soon.
Takeaway: Even if your Gmail password is safe, this breach highlights the importance of proactive security measures. Protect your accounts, verify communications, and remain vigilant against phishing attempts.