More than 2.5 billion Gmail users may be exposed to new scams after hackers broke into a Google database hosted on Salesforce’s cloud system. Security experts say the attack, carried out by the hacking group ShinyHunters, could be one of the biggest breaches in Google’s history.
How the Hack Happened
The breach began in June 2025 and relied on social engineering. According to Google’s Threat Intelligence Group, scammers pretended to be IT staff and called a Google employee directly. They convinced the worker to approve a malicious Salesforce app, which then gave hackers access to contact details, business names, and notes stored in the database.
Google stressed that no passwords were stolen. Still, the stolen information is already being used in scams. Users on Reddit’s Gmail forum have reported a spike in phishing emails, fake calls, and fraudulent text messages. Many of these scams pretend to come from Google support and trick victims into sharing login codes or resetting passwords—potentially handing attackers full control of accounts.
Why It Matters
While the breach didn’t include passwords, the stolen details give criminals a way in. By impersonating Google employees, attackers can pressure people into revealing login credentials or sensitive files. Some attackers are also testing common weak passwords like “123456” in brute-force attempts.
The risks are serious: users could lose access to personal emails, photos, and documents, or even expose linked bank accounts and business systems.
How to Stay Safe
- Check if your data is exposed: Use dark web monitoring tools like ID Protection’s Data Leak Checker.
- Update your password: Create a strong, unique password and turn on multi-factor authentication.
- Block scams early: Services like ScamCheck can filter suspicious calls, texts, and emails.
- Verify Google messages: Never trust an unexpected email asking for login codes. Upload questionable messages to ScamCheck for confirmation.
- Enable passkeys: Google recommends switching to passkeys, which use fingerprints or face scans and can’t be phished. Running a Google Security Checkup is also advised.
Google’s Response
Google began notifying affected users on August 8, 2025. The company said the stolen data was “mostly public business information,” though security researchers warn that even basic details can be weaponized for scams.
This is far from Google’s first major security incident. Past breaches include the Google+ API leaks in 2018, Gmail phishing campaigns in 2017 and 2018, and the Gooligan malware attack in 2016. Each case shows that attackers don’t always need passwords to cause damage.
Who’s Behind It
ShinyHunters, also known as UNC6040, has a track record of targeting corporate systems for extortion. Their usual method is impersonating IT staff to push malicious Salesforce apps, then using tools like “Data Loader” to steal huge amounts of data.
A related group, UNC6240, sometimes contacts victims months later, demanding bitcoin payments in exchange for not leaking the stolen information. Experts believe the group may be preparing to launch a dedicated site for publishing stolen data if victims don’t pay.