More than 2.5 billion GMAIL users could be at risk after massive cyberattacks damage Google databases managed through Salesforce's cloud platform. The incident related to hacker group Shinyhunters has been described by security experts as one of the biggest violations in Google's history.
How does the vulnerability occur
The attack began in June 2025 and relied on social engineering strategies. According to Google's Threat Intelligence Group (GTIG), the scammers pretended to be IT employees when they persuaded the phone and convinced Google employees to approve malicious applications related to Salesforce. This enables an attacker to penetrate the contact information, business name and related instructions of the contact.
Google has confirmed that there is no stolen user password, but the stolen data has been abused. On forums like Gmail Subreddit, users have reported a surge in phishing emails, fraudulent calls and fraudulent text messages. Many of these scams mimic Google employees and tricked victims into sharing login codes or resetting passwords, opening the door to full account acquisitions.
What are the risks?
Although the vulnerability does not directly disclose the password, the stolen details provide a valuable starting point for hackers. By impersonating Google representatives, they can put pressure on the victim to hand over their login credentials or sensitive files. Some attackers also try to try brute force login, testing weak or common passwords such as “password” or “123456”.
The consequences are serious: the victims may be locked in their Gmail accounts, lose access to personal files and photos, and even reveal the linked financial accounts and business systems.
How users protect themselves
- Check if your Gmail has been exposed to the dark web. Use ID Protection's Data Leak Checker and Dark Network Monitoring to see if your details are looping and set up ongoing monitoring.
- Enhance account security by updating your Gmail password. Create a unique strong password using ID Protection's free password generator and enable MFA for phishing logins.
- Call blocking, SMS filtering and scam checking tools for stopping scammers using Trend Micro Scamcheck forward They arrive at you.
- Verify suspicious emails claimed to be from Google. The scammers may imitate Google to trick you into handing over your login code. That's why you can upload suspicious emails to ScameCHECK to confirm if they are fake!
- Google encourages users to switch to Passkeys that use fingerprints or facial recognition and are resistant to phishing. Meanwhile, run Google Security Check, which reviews account protection and highlights other safeguards you can activate.
Google's responses and records
After Google completed the analysis of the violation, it began notifying affected users on August 8, 2025. The company stressed that damaged data is “business information that is largely accessible to the public,” although experts warn that even the basic details can be weaponized in targeted scams.
This is not the first time Google has been hit by a massive incident. Past breaches include Google+ API leaks (2018), OAUTH-based Gmail phishing scam (2017-2018), and Gooligan malware campaigns (2016). Each incident teaches the same lesson: Attackers don't always need passwords to cause significant damage.
Shiny Hunter and UNC Group
The collective Shinyhunters, also tracked as UNC6040, has a history of violating the ransomware company system. Their strategies often involve spoofing employees to approve support for malicious Salesforce applications. Once inside, they used a tool similar to Salesforce's “data loader” to eliminate large amounts of data sets.
In some cases, stolen information will not be profitable immediately. Instead, a few months later, a related group called UNC6240 contacted the victims, demanding Bitcoin payments and threatening to leak stolen data. Security researchers believe the team may be ready to escalate these ransom efforts by launching a dedicated data leak site.
To download the Trend Micro Scameck or learn more, click the button below.
As always, if you find this article an interesting or useful reading, please share it with friends and family to help ensure the safety and protection of the online community. Also, consider clicking the Like button in the comments below or sharing your experience. This is a safe 2025!