Editor’s Note: (September 3, 2025) This blog was updated following the release of additional information on this potential risk to end users, which was issued after the initial publication.
More than 2.5 billion* Gmail users were originally projected to be at possible risk following a massive cyberattack that compromised a Google database managed through Salesforce’s cloud platform.
Google has since issued a statement that “Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue.”**
Trend Micro respects the accuracy of this updated information and has updated this blog accordingly, on September 3, 2025.
The incident, linked to hacker group ShinyHunters, is being described by security experts as one of the largest breaches in Google’s history.
How the Breach Happened
The attack, which began in June 2025, relied on social engineering tactics. According to Google’s Threat Intelligence Group (GTIG), scammers impersonated IT staff during convincing phone calls and persuaded a Google employee to approve a malicious application connected to Salesforce. This gave attackers the ability to exfiltrate contact details, business names, and related notes.
Google has confirmed that no user passwords were stolen, but the stolen data is already being abused. On forums like the Gmail subreddit, users have reported a surge in phishing emails, spoofed phone calls, and fraudulent text messages. Many of these scams impersonate Google staff and trick victims into sharing login codes or resetting their passwords, opening the door to full account takeovers.
What’s at Stake?
While the breach didn’t expose passwords directly, the stolen details provide a valuable starting point for hackers. By impersonating Google representatives, they can pressure victims into handing over login credentials or sensitive files. Some attackers are also attempting brute-force logins, testing weak or common passwords such as “password” or “123456”.
The consequences are serious: victims could be locked out of their Gmail accounts, lose access to personal documents and photos, or even expose linked financial accounts and business systems.
How Users Can Protect Themselves
While this particular situation may not have impacted consumers directly, we do advise staying up to date on such incidents and practicing good digital habits at all times:
- Check if your Gmail has been exposed on the dark web. Use ID Protection’s Data Leak Checker and Dark Web Monitoring to see if your details are circulating and set up ongoing monitoring.
- Strengthen account security by updating your Gmail password. Create a unique, strong password with ID Protection’s free Password Generator, and enable MFA for phishing-resistant logins.
- Use Trend Micro ScamCheck’s call blocking, SMS filtering, and scam check tools to stop scammers before they reach you.
- Verify suspicious emails claiming to be from Google. Scammers may impersonate Google to trick you into handing over login codes. That’s why you can upload questionable emails to ScamCheck to confirm if they’re fake!
- Google is encouraging users to switch to passkeys, which use fingerprint or face recognition and are resistant to phishing. In the meantime, run a Google Security Checkup, which reviews account protections and highlights additional safeguards you can activate.
Google’s Response and Track Record
The most recent update from Google was issued September 1, 2025, reassuring users that “Gmail’s protections are strong and effective.”**
Google began notifying affected users on August 8, 2025, after completing its analysis of the breach. The company emphasized that the compromised data was “largely publicly available business information,” though experts caution that even basic details can be weaponized in targeted scams.
This isn’t the first time Google has been hit by a large-scale incident. Past breaches include the Google+ API leaks (2018), the OAuth-based Gmail phishing scams (2017–2018), and the Gooligan malware campaign (2016). Each incident taught the same lesson: attackers don’t always need passwords to cause significant harm.
Editor’s Note: An amendment was made here to reflect the fact that, as per Google, the exact identity of the threat actor cannot at present be explicitly confirmed as, or solely as, ShinyHunters. Source: Google
*The statistic of 2.5 billion Gmail users is based on industry knowledge with third-party validation, including recent media coverage from Economic Times.
**Taken from Google statement issued September 1, 2025.
