The issue stems from a breach at Salesforce, where attackers linked to the ShinyHunters group (also identified as UNC6040) infiltrated systems and accessed business-related Gmail information such as contact directories, organizational details, and email metadata. Crucially, no Gmail passwords were stolen. However, the nature of the compromised data gives hackers enough context to craft highly convincing phishing and impersonation attempts.
Google confirmed that this breach has triggered a surge in targeted phishing and vishing campaigns. Attackers are already posing as Google, IT teams, or trusted service vendors to deceive users into sharing login details. Some threat actors are even placing spoofed phone calls from 650–area-code numbers, making the fraud appear to originate from Google headquarters. According to Google’s internal data, phishing and vishing together now account for roughly 37% of all successful account takeovers, highlighting how effective social engineering continues to be for cybercriminals.
With access to workplace information, attackers can send messages referencing real colleagues, departments, and recent interactions. This level of personal detail makes fraudulent communication significantly harder to recognize. Once users disclose credentials, attackers can easily break into accounts, bypass additional safeguards, and potentially remain undetected until major damage has been done.
Google’s central message is simple—never share your Gmail password with anyone. Even callers who sound legitimate or claim to represent support teams should not be trusted. Cybersecurity experts emphasize that compromising an email account can grant attackers control over nearly all linked services, since most account recovery systems rely on email-based reset links.
To reduce risk, Google continues to advocate for passkeys, which replace traditional passwords with device-based biometric authentication. Unlike passwords, passkeys cannot be phished, reused, or guessed, making them substantially more secure. Google also encourages users to enable app-based two-factor authentication instead of SMS codes, which can be intercepted or spoofed.
Google’s guidance for users focuses on regularly updating passwords, enabling 2FA or passkeys, staying alert to suspicious messages or calls, using the Security Checkup tool, and taking immediate action if unusual account activity appears. This incident demonstrates how vulnerabilities in external partners—in this case, Salesforce—can still put millions of Gmail users at risk, even when Google’s own infrastructure remains protected. With more than 2.5 billion Gmail accounts worldwide, the platform remains a prime target, and ongoing awareness remains the strongest defense.
