
Google issues warning to billions of Gmail users over password hack


Google has warned Gmail users that a notorious group of hackers is targeting account holders after gaining access to a massive database.

The attacks stem from a breach of Salesforce’s cloud platform that exposed users of Google services to further intrusions.

With around 2.5 billion people using Gmail and Google Cloud, users have been advised to be on high alert to suspicious activity and to take appropriate security action to better protect themselves.

Google’s Threat Intelligence Group first warned of the attacks in June, revealing that threat actors were targeting people through social engineering attacks that involved impersonating IT support staff.

In August, Google confirmed that there had been a number of “successful intrusions” as a result of compromised passwords.

The data breach exposed information that was “basic and largely publicly available business information”, but it was being used to conduct more serious attacks.


“We believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” a blog post by Google Threat Intelligence Group noted.

“These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”


How the Breach Happened

The attack, which began in June 2025, relied on social engineering tactics. According to Google’s Threat Intelligence Group (GTIG), scammers impersonated IT staff during convincing phone calls and persuaded a Google employee to approve a malicious application connected to Salesforce. This gave attackers the ability to exfiltrate contact details, business names, and related notes.




Google has confirmed that no user passwords were stolen, but the stolen data is already being abused. On forums like the Gmail subreddit, users have reported a surge in phishing emails, spoofed phone calls, and fraudulent text messages. Many of these scams impersonate Google staff and trick victims into sharing login codes or resetting their passwords, opening the door to full account takeovers.

What’s at Stake?

While the breach didn’t expose passwords directly, the stolen details provide a valuable starting point for hackers. By impersonating Google representatives, they can pressure victims into handing over login credentials or sensitive files. Some attackers are also attempting brute force logins, testing weak or common passwords such as “password” or “123456”.

The consequences are serious: victims could be locked out of their Gmail accounts, lose access to personal documents and photos, or even expose linked financial accounts and business systems.


How Users Can Protect Themselves

  1. Check if your Gmail has been exposed on the dark web. Use ID Protection’s Data Leak Checker and Dark Web Monitoring to see if your details are circulating and set up ongoing monitoring.

  2. Strengthen account security by updating your Gmail password. Create a unique, strong password with ID Protection’s free Password Generator, and enable MFA for phishing-resistant logins.

  3. Use Trend Micro ScamCheck’s call blocking, SMS filtering, and scam check tools to stop scammers before they reach you.

  4. Verify suspicious emails claiming to be from Google. Scammers may impersonate Google to trick you into handing over login codes. You can upload questionable emails to ScamCheck to confirm whether they’re fake.

  5. Google is encouraging users to switch to passkeys, which use fingerprint or face recognition and are resistant to phishing. In the meantime, run a Google Security Checkup, which reviews account protections and highlights additional safeguards you can activate.

Google’s Response and Track Record

Google began notifying affected users on August 8, 2025, after completing its analysis of the breach. The company emphasized that the compromised data was “largely publicly available business information,” though experts caution that even basic details can be weaponized in targeted scams.

This isn’t the first time Google has been hit by a large-scale incident. Past breaches include the Google+ API leaks (2018), the OAuth-based Gmail phishing scams (2017–2018), and the Gooligan malware campaign (2016). Each incident taught the same lesson: attackers don’t always need passwords to cause significant harm.


ShinyHunters and UNC Groups

The hacking collective ShinyHunters, also tracked as UNC6040, has a history of breaching corporate systems for extortion. Their tactics often involve impersonating IT support to trick employees into approving malicious Salesforce apps. Once inside, they use tools similar to Salesforce’s “Data Loader” to siphon out massive datasets.


In some cases, the stolen information is not monetized immediately. Instead, a related group known as UNC6240 contacts victims months later, demanding bitcoin payments and threatening to leak the stolen data. Security researchers believe the group may be preparing to escalate these extortion efforts by launching a dedicated data leak site.
