The Gmail Security Crisis: 2.5 Billion Users at Risk After ShinyHunters Breach

Breached Company

Breached Company

5 min read
The Gmail Security Crisis: 2.5 Billion Users at Risk After ShinyHunters Breach

Bottom Line: Google has confirmed that hackers breached its Salesforce database in June 2025, exposing business contact information for 2.5 billion Gmail users. While passwords weren't stolen, cybercriminals are now using this data to launch sophisticated voice phishing campaigns targeting user accounts. Gmail users must immediately enable two-factor authentication and remain vigilant against fake calls claiming to be from Google support.

The Breach That Shook the Tech World

In what cybersecurity experts are calling potentially the most dangerous data breach in history, the notorious hacking collective ShinyHunters successfully infiltrated Google's Salesforce database systems in June 2025. The process began in June 2025, when a cybercriminal group named ShinyHunters (also known as UNC6040) used sophisticated phone-based tactics to access the computers of Google's Salesforce and access the data of the users.

The scale of the breach is staggering: around 2.5 billion people worldwide who use Gmail and Google Cloud services are now at risk. This makes it one of the largest security incidents affecting a single tech platform in history.

What Happened: The Anatomy of a Voice Phishing Attack

Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group. The attack wasn't the result of a technical vulnerability, but rather a masterclass in social engineering.

According to Google's Threat Intelligence Group (GTIG), which tracks the threat cluster as 'UNC6040,' the attacks target English-speaking employees with voice phishing attacks to trick them into connecting a modified version of Salesforce's Data Loader application.

Here's how the attack unfolded:

  1. The Phone Call: During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version
  2. The Deception: Hackers impersonated IT support personnel, convincing a Google employee to grant access to internal systems
  3. The Data Theft: Google said the hackers obtained contact information and related notes for small and medium businesses from the compromised environment
  4. The Aftermath: Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off

What Data Was Stolen

While Google has been somewhat reassuring about the scope of the breach, the stolen information is still concerning. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.

Importantly, no login credentials have been stolen, which means passwords and payment information appear to be safe. However, cybersecurity experts warn that the stolen contact information is more than enough to launch devastating secondary attacks.

The Real Danger: What's Happening Now

The true threat isn't what was stolen—it's what criminals are doing with that information. Initial reports of attempted attacks have already been seen on Reddit, which are likely related to the data leak. Users describe how alleged Google employees have contacted them by phone to inform them of a security breach in their accounts.

These follow-up attacks take two primary forms:

Voice Phishing Campaigns

In these scam attempts, attackers are trying to take over Gmail accounts by triggering alleged "account resets" and then intercepting passwords to subsequently lock out the account holders.

Victims report receiving calls from numbers using the 650 area code (associated with Silicon Valley), with callers claiming to be Google security personnel alerting them to suspicious account activity.

Dangling Bucket Attacks

Another attack method involves "dangling buckets" (i.e., outdated access addresses) to steal data from or inject malware into Google Cloud. This sophisticated technique targets businesses using Google's cloud infrastructure.

The ShinyHunters: A Growing Threat

ShinyHunters isn't new to the cybercrime scene. ShinyHunters has been around for years, responsible for a wide range of breaches, including those at PowerSchool, Oracle Cloud, the Snowflake data-theft attacks, AT&T, NitroPDF, Wattpad, MathWay, and many more.

What makes this breach particularly concerning is the group's evolution in tactics. GTIG has observed an evolution in UNC6040's TTPs. While the group initially relied on the Salesforce Dataloader application, they have since shifted to using custom applications. These custom applications are typically Python scripts that perform a similar function to the Dataloader app.

The group has also become more brazen in their operations. In a conversation with BleepingComputer yesterday, ShinyHunters claimed to have breached many Salesforce instances, with attacks still ongoing.

Industry-Wide Impact

Google's breach is just one victim in a much larger campaign. Victims included Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Air France–KLM, Allianz Life, Cisco, Pandora, and others.

In one high-profile ransom message, the threat actors claimed the campaign had compromised data from 91 organizations worldwide, suggesting the scope of this operation extends far beyond what has been publicly disclosed.

How to Protect Yourself: Essential Security Steps

With 2.5 billion users potentially at risk, immediate action is crucial. Here's what every Gmail user should do:

Immediate Actions

  1. Enable Two-Factor Authentication: This is your first line of defense against account takeovers
  2. Run a Security Checkup: Use Google's Security Checkup tool to identify vulnerabilities
  3. Consider Advanced Protection: Google's Advanced Protection Program provides additional security barriers

Stay Vigilant

Remember this critical fact: Google does not contact users over the phone to tell them about security breaches. Consider this: there are 1.8 billion Gmail users alone. If a phone call to one user took only 20 seconds, it would take 1,141 years to make all those phone calls.

Red Flags to Watch For

  • Unexpected phone calls claiming to be from Google support
  • Requests to reset passwords or provide verification codes
  • Emails asking you to click links to "secure" your account
  • Text messages with urgent security warnings

Advanced Security Measures

  • Use Passkeys: These provide better protection than traditional passwords
  • Monitor Account Activity: Regularly check your account's login history
  • Be Skeptical: Always verify the identity of anyone claiming to be from Google support

The Broader Implications

This breach highlights a concerning trend in cybersecurity. Google published the playbook yet still lost data, which shows that layered controls crumble once an insider agrees to bypass them. Even tech giants with sophisticated security measures can fall victim to well-executed social engineering attacks.

The incident also raises questions about the security of cloud-based business tools. Google has relied on Salesforce for its Gmail services, which is why so much data was exposed when the system was compromised.

Looking Forward: The Fight Continues

Despite law enforcement efforts, including recent arrests of BreachForums administrators linked to ShinyHunters, the threat persists. This persistence indicates that ShinyHunters functions as a decentralized, extortion-as-a-service collective rather than a single coordinated team.

In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS), suggesting that victims who don't pay ransoms may face public exposure of their stolen data.

Conclusion

The ShinyHunters breach of Google's Salesforce database represents a new chapter in cybercrime—one where sophisticated social engineering can bypass even the most advanced technical security measures. While no passwords were stolen, the contact information obtained is proving to be a powerful weapon in the hands of cybercriminals.

For the 2.5 billion Gmail users affected, vigilance is now the price of digital safety. The attack serves as a stark reminder that in our interconnected world, the human element remains both our greatest strength and our most vulnerable weakness.

The message is clear: in an age where hackers can convince trained IT professionals to hand over access to critical systems, every user must become their own first line of defense. Enable two-factor authentication, stay skeptical of unsolicited contact, and remember—Google will never call you about a security breach.

Read more