Google sounds alarm: Protect your Gmail from ShinyHunters’ attacks

A sophisticated cyberattack has put the security of approximately 2.5 billion Gmail and Google Cloud users worldwide at risk. The breach, detected in June 2025, targeted a Salesforce system used by Google, allowing the notorious hacking group ShinyHunters, also known as UNC6040, to access contact information of small and medium-sized businesses. Revealed by Google in August, the incident did not compromise passwords or financial data, but the stolen information is being weaponized for phishing and extortion campaigns. The company issued an emergency alert, urging users to bolster their security measures. The attack, relying on social engineering tactics like fraudulent phone calls, underscores human vulnerabilities in digital systems. The threat persists, with indications that hackers may launch a data leak site to expose stolen information.

Google acted swiftly to contain the breach, blocking hackers’ access within hours. However, ShinyHunters has already demonstrated its ability to exploit stolen data in extortion schemes. The company notified all affected users via email on August 8, emphasizing the need for preventive measures.

The incident highlights the growing sophistication of cyberattacks that exploit human error rather than technical flaws. Below, we detail how the attack unfolded, who is behind it, recommended protective actions, and the broader implications for businesses and users.

• Key targets: Small and medium-sized businesses with data on Salesforce.
• Attack method: Fraudulent phone calls (vishing) and malicious apps.
• Google’s response: Rapid containment and user notifications.

Attack tactics and social engineering

ShinyHunters employed social engineering, primarily vishing, to deceive employees. Posing as IT support staff, the hackers tricked victims into sharing credentials or installing fake apps, such as a modified Salesforce Data Loader. These tactics granted access to data stored on the Salesforce platform used by Google.

The campaign began in March 2025 but intensified in June, when Google identified around 20 U.S. and European companies as targets. The group, known for its persistence, has also attacked firms like Cisco, Adidas, and Pandora, exploiting human vulnerabilities in corporate systems.

The use of VPNs like Mullvad and TOR networks made tracking the hackers challenging. They also employed custom Python scripts to automate data extraction, reflecting an evolution in their tactics, blending manual and automated methods for maximum impact.

• Vishing: Fraudulent calls mimicking tech support.
• Smishing: SMS messages with links to fake portals.
• Phishing emails: Fake Google security alerts.
• Custom scripts: Python code for automated data theft.

Who are the ShinyHunters

Formed in 2020, ShinyHunters gained infamy for targeting major corporations like AT&T, Microsoft, Ticketmaster, and Santander. Named after the Pokémon franchise, the group focuses on stealing valuable data. They are notorious for extracting large volumes of user records and selling them on dark web forums or using them for extortion.

Google identifies the group as UNC6040 for initial intrusions and UNC6240 for extortion operations. Evidence suggests collaboration with Scattered Spider, a group known for advanced social engineering. This partnership enhances attack sophistication, using tactics like fake domains and fraudulent login pages.

The group’s decentralized structure complicates law enforcement efforts. Despite arrests linked to BreachForums, a platform for selling stolen data, ShinyHunters remains active, indicating an “extortion-as-a-service” model.

• Origin: Emerged in 2020, focused on data theft.
• Notable targets: AT&T, Ticketmaster, Microsoft, Santander.
• Methods: Social engineering, dark web sales, extortion.
• Collaboration: Suspected ties with Scattered Spider.

Threat of data leaks

Google warned that hackers may be preparing a data leak site (DLS) to expose stolen information, a tactic used to pressure victims into paying ransoms. This approach was seen in prior attacks, like Ticketmaster’s, where 1.3 terabytes of data were offered on the dark web.

While the stolen data is described as “basic and largely public,” such as company names and contacts, its use in phishing and smishing campaigns poses significant risks. Users report scam calls with hackers posing as Google staff to steal passwords or authentication codes.

Companies like Pandora and Allianz Life reported similar incidents, suggesting a broad and ongoing campaign. Google clarified that Salesforce itself wasn’t directly breached, but its clients were targeted through social engineering.

• DLS risk: Potential site to leak stolen data.
• Targeted data: Business contact information.
• Impact: Targeted phishing and smishing campaigns.
• Response: Google blocked access and notified victims.

Protective measures for users

Google recommends immediate steps to secure Gmail and other services. Enabling two-factor authentication (2FA), ideally via apps like Google Authenticator, is a top priority. Company data shows only a third of users regularly update passwords, increasing vulnerability.

Users should be wary of unsolicited calls or messages, even from seemingly legitimate numbers, due to spoofing techniques. Checking for suspicious account activity and using unique, complex passwords are also advised.

• Enable 2FA: Use authenticator apps, not SMS.
• Change passwords: Opt for unique, complex combinations.
• Be cautious: Avoid sharing data over phone calls.
• Monitor accounts: Regularly check for unusual activity.

Global scale and corporate impact

The ShinyHunters campaign extends beyond Google, with companies like Qantas, Louis Vuitton, and Dior reporting Salesforce-related breaches. Collaboration with Scattered Spider adds complexity, with fake domains mimicking corporate login pages.

Previous attacks, like the theft of 91 million Tokopedia accounts and 70 million AT&T records, demonstrate the group’s capacity for large-scale damage. The lack of technical vulnerabilities in Salesforce underscores the need for employee training against social engineering.

Google continues to monitor the situation and collaborate with authorities, but ShinyHunters’ persistence suggests more victims may emerge. Extortion campaigns, including Bitcoin payment demands, remain active, with some companies receiving threats months after initial breaches.

• Global targets: Firms in the U.S., Europe, and Australia.
• Collaboration: Shared infrastructure with Scattered Spider.
• Extortion: Bitcoin payment demands.
• Prevention: Training against social engineering.