Google has sent an urgent security notice to its 2.5 billion Gmail users across the globe due to an increase in phishing attempts and account takeovers related to a substantial data breach on one of the company’s third-party systems, Salesforce.
Although Google claims that sensitive content such as emails and passwords were not compromised, cybersecurity specialists indicate that the compromised data is now being used to fuel highly sophisticated scams that place millions of people at risk of losing access to their accounts and information.
What happened? Inside the salesforce data breach
In June 2025, Google identified that attackers breached a Salesforce enterprise environment that was used by its sales teams to hold small and medium-sized businesses client data. The attackers were identified as the ShinyHunters group, a notorious cybercriminal group known for previous well-publicized cyber-attacks, including previous cyberattacks against companies such as Adidas and Cisco.
The attackers used a “vishing” – voice phishing campaign where they pretended to be IT support to convince an employee to give them privileged access to the system and then exfiltrated business and contact information.
According to RedHotCyber, the exposed data included mostly company public-facing information, but its leak has resulted in a surge of realistic and targeted phishing and vishing attempts based on the data exposure as the cybercriminals have used the data to impersonate Google or trusted service providers.
How the breach spreads risk to Gmail users
No user email content or passwords were exposed in the breach, but Google believes that this breach greatly raises the chances of follow-up attacks. Hackers can access information that includes names, company names, and contact information. From this, they can create realistic phishing emails, or even phone users while claiming to be part of Google’s security team. Hackers can pressure targets to provide their authentic credentials or two-factor authentication codes by claiming they are from a Google team taking urgent action for security reasons.
Phishing tactics, especially ones that tell users about “suspicious sign-in attempts” or solicit a password reset, are already appearing in the aftermath of the breach. Google found that 37% of the more recent successful account takeovers started with targeted social engineering attempts.
What is Google doing and what should users Do?
Google has contacted all users impacted by the Salesforce breach and issued a global call for account password changes and additional account protection. The company emphasized that it will never reach out to users preemptively in the event of suspicious activity – which is often something used to help users identify a vishing (voice phishing) attack.
On August 8, Google announced it had officially ended sending email notices to affected users and published recommended guidance around password updating, 2-factor authentication (2FA) and the use of passkeys for sign-in security.
Security experts suggest the following measures for Google account users:
- Change your password: Use a strong password that is unique to the specific GMail account and any related accounts.
- Enable 2FA using an authenticator app: Avoid SMS text messages as your second factor if you can. They are much more easily hijacked. Instead, use codes supplied by an authenticator or use Google’s Advanced Protection Program.
- Be wary of phone or email scams: No matter what sort of urgency they are trying to create, no one should ever share their password, or a code generated by an authenticator.
- Check on your activity: Go to the security section of your google account and scrutinize the logins or other changes that you are unclear about.
- Look at passkeys or passphrase: Google has finally enabled passwordless logins via passkeys. Passkeys are far more resistant to phishing than passwords.
The latest warning from Gmail is part of a surge in cyberattacks against cloud and enterprise platforms from Google on down to major financial and technology companies around the world. Experts at Forbes and Mashable explain that while the data that was leaked for Salesforce is not highly sensitive on its own, it does add more fuel to fuel increasingly sophisticated phishing, extortion schemes, and account takeovers.
Recently, Google’s Threat Intelligence Group has specifically blamed the attacks on ShinyHunters and UNC6040, recommending that both businesses and everyday users be cautious. Analysts are on the lookout for possible indications that the breach may quicken criminal use of “data leak sites” for extortion or increase the use of highly skilled operators that use credential theft tools or AI.
The Gmail data breach is a critical reminder that even the largest tech companies in the world can still be victims of persistent and creative hackers. While Google’s quick disclosures and user notifications have mitigated the immediate damage thus far, this incident is a further reminder of how important “cyber hygiene” is for everyone.
Be aware, continue to improve your protections, and check Google’s security resources for further to secure your online activity.