Google has issued a warning to its 2.5 billion Gmail users to enhance their account security following a breach connected to Salesforce, which has led to a surge in phishing and impersonation attacks. The breach, attributed to the hacker group ShinyHunters, exposed business-related Gmail data, including contact lists, company names, and email metadata. Although personal Gmail credentials were not stolen, the compromised information has allowed attackers to create convincing phishing emails and phone scams, sometimes even mimicking Google’s official communication lines.
Phishing and voice phishing now account for 37% of successful account takeovers across Google platforms. Attackers are using details from the breach to impersonate IT departments, vendors, or Google itself, tricking users into revealing login information.
The breach was traced back to a Salesforce database used internally by Google to manage potential advertisers. A limited set of business contact details and OAuth tokens linked to a third-party integration were exposed. Google has since revoked the affected tokens, disabled the integration, and informed impacted Google Workspace administrators.
To safeguard users, Google recommends several measures: regularly updating Gmail passwords and avoiding reuse, enabling two-factor authentication (preferably app-based or with a passkey), being cautious of unsolicited messages, using Google’s Security Checkup tool, and switching to passkeys for stronger phishing protection.
While consumer Gmail accounts were not directly compromised, the incident highlights the risk of data leaks from third-party partners leading to more sophisticated scams. Gmail, as the world’s most popular email service, remains a prime target for hackers. Cybersecurity experts anticipate ongoing phishing campaigns leveraging the leaked Salesforce data, and Google advocates for adopting passkeys as a long-term replacement for traditional passwords.
Google has not announced further updates but continues to monitor for additional threats.
