Google has confirmed a massive security breach that exposed data tied to 2.5 billion Gmail users, after hackers infiltrated the company’s Salesforce database in a sophisticated social engineering campaign. The attack, carried out by the cybercriminal syndicate ShinyHunters, highlights how even the most advanced technology companies remain vulnerable when employees are tricked into granting access.
How the Attack Happened
According to Google’s Threat Intelligence Group, the breach began in June 2025 when hackers phoned employees while impersonating IT support staff. During these calls, workers were directed to Salesforce’s connected app setup page and convinced to authorize a malicious application disguised as Salesforce’s Data Loader.
This gave attackers the ability to query and extract sensitive customer records. Though Google cut off access quickly, the hackers managed to collect data including contact information, business names, and related notes, mostly for small and medium-sized enterprises.
Google stressed that no passwords were stolen. Still, cybersecurity analysts warned that even limited business data can be weaponized to craft highly convincing phishing and voice-based scams.
Phishing Surge
Those warnings are already materializing. Since early August, Gmail users worldwide have reported a spike in phishing and vishing (voice phishing) attacks, many originating from phone numbers using Google’s California 650 area code.
Victims describe receiving urgent calls from fraudsters posing as Google employees, claiming accounts had been compromised. The scammers then attempt to walk targets through a fake “security reset,” ultimately stealing their credentials.
Cybersecurity researcher James Knight told reporters: “If you get a text or voice message claiming to be from Google, assume it’s fake until proven otherwise. Nine times out of ten, it’s not really them.”
Google itself has admitted that phishing and vishing now account for 37% of successful account takeovers across its services, a figure expected to rise in the wake of this breach.
A Wider Campaign
The Gmail incident is part of a much larger operation. ShinyHunters has been linked to breaches at Salesforce databases tied to major global brands including Qantas, Allianz Life, Louis Vuitton, Adidas, and Chanel. The group’s specialty is exploiting the trust employees place in IT support, bypassing technical safeguards through voice manipulation.
Adding to the concern, a related extortion ring tracked as UNC6240 has emerged, threatening victims with exposure unless they pay bitcoin ransoms. Security experts note overlaps between ShinyHunters and another high-profile collective, Scattered Spider, suggesting a deepening collaboration among cybercriminal groups.
Staying Protected
Google is urging all Gmail users to strengthen account protections immediately. Recommended steps include:
- Updating passwords.
- Enabling multi-factor authentication (MFA).
- Transitioning to passkeys, a newer form of authentication that removes reliance on traditional passwords.
- Completing a Google Security Checkup to identify account vulnerabilities.
Most importantly, Google warns that it never makes unsolicited calls to users about account security. Any such calls should be treated as fraudulent.
The Human Factor
While technology giants invest billions in cybersecurity, the incident underscores a hard truth: people remain the weakest link. By persuading just one employee to approve a malicious app, hackers gained access to data affecting billions of users.
As one security analyst put it: “Cybercriminals don’t always need to hack the tech—they hack the humans. And that’s proving far more effective.”
With billions of Gmail accounts now in the crosshairs of scammers, the fallout from this breach could linger for months, serving as a sobering reminder of the growing sophistication of social engineering in the digital age.
