Google has confirmed that a massive security breach has exposed data linked to 2.5 billion Gmail accounts, following a campaign carried out by the notorious hacker group ShinyHunters. The incident, which the company disclosed in an update earlier this month, stemmed from a compromise of Google’s Salesforce database. According to Google, attackers managed to access the system after tricking one of its staff members into handing over login credentials, highlighting the group’s reliance on targeted social engineering tactics.
The stolen information was described as “basic and largely publicly available business information, such as business names and contact details.” However, the scale of exposure and the methods employed by the attackers have raised significant concern, particularly as the breach quickly escalated into a wave of fraudulent communications aimed at victims.
Reports in the United Kingdom revealed that affected users were being bombarded with phone calls, emails, and text messages, all crafted to appear as if they came directly from Google. Attackers posing as company representatives urged users to reset passwords or provide login codes. This wave of phone-based fraud, known as vishing, combined with phishing emails and SMS-based smishing campaigns, reflects ShinyHunters’ preference for exploiting human trust rather than technical vulnerabilities.
Google said that notifications were sent to all affected accounts by August 8, urging customers to remain cautious. Meanwhile, cybersecurity experts have warned of an unprecedented rise in deception attempts since the incident. “There’s a lot of vishing – people calling, pretending to be from Google, text messages coming through in order to get people to log in, or get codes to log in,” cybersecurity expert James Knight told the press. He further cautioned users: “If you do get a text message or a voice message from Google, don’t trust it’s from Google. Nine times out of ten, it’s likely not.”
The tactics used by ShinyHunters align with a pattern of behavior long observed by security professionals. In a blog post originally published in June, later updated with details of the breach, Google described how the group – also tracked as UNC6040 – has repeatedly succeeded in breaking into corporate networks by impersonating IT support staff over the phone. According to the post, “UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements. This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials.”
ShinyHunters is already known for a series of high-profile breaches. In 2024, the group stole 1.3 terabytes of customer data from Ticketmaster, and in 2023, it compromised the personal information of 200,000 Pizza Hut customers in Australia. Its reputation for deception-driven intrusions has drawn attention from global law enforcement, with the FBI last year labeling the group’s actions as “remarkably devious.”
This latest breach adds to that reputation, as the group continues to refine its social engineering playbook on a massive scale. While financial details and passwords were not included in the stolen Salesforce data, the ability to pair exposed contact information with targeted scams creates new risks for billions of Gmail users worldwide.