ShinyHunters hack Google via Salesforce, threatening billions of accounts

Photo: AlexKane/iStock.com

A massive cyberattack has put approximately 2.5 billion Google users worldwide on high alert. The hacker group ShinyHunters breached a Google database through the cloud-based platform Salesforce, compromising data linked to Gmail and Google Cloud accounts. The breach, first detected in June 2025, was confirmed by Google in August, when the company identified suspicious activities involving sophisticated tactics like social engineering. Announced on August 29, 2025, the incident raises serious concerns about the security of personal and corporate data. The hackers’ actions could escalate into extortion, with threats of leaking data on dark web sites. To safeguard their accounts, Google urges users to take immediate action, such as updating passwords and enabling two-factor authentication.

The attack employed advanced techniques, including impersonating IT support staff in phone calls, primarily targeting English-speaking users at multinational companies. The compromised data, according to Google, consists mostly of basic, publicly available information, but the potential for escalation has experts worried. The company is actively monitoring the hacker group, which has a history of targeting major organizations like AT&T, Microsoft, and Ticketmaster.

  • Tactics used: Social engineering, such as posing as IT support.
  • Primary targets: English-speaking corporate account users.
  • Imminent risk: Possible creation of a data leak site.
  • Recommended actions: Update passwords and enable two-factor authentication.

Google emphasizes that user security is a priority, but the scale of the attack demands immediate attention from all affected users.

How the attack unfolded

The ShinyHunters exploited vulnerabilities in the integration between Google and Salesforce, a widely used cloud software platform. The breach was initially detected by Google’s Threat Intelligence Group (GTIG) in June 2025, with the full scope confirmed by August. Hackers used social engineering tactics, such as fraudulent phone calls posing as technical support, to gain access to corporate networks.

The attack primarily targeted multinational companies, focusing on English-speaking users. The hackers employed overlapping tactics, techniques, and procedures to maximize their impact. While the accessed data is described as basic, the risk of it being used for extortion or sold on the dark web heightens the incident’s severity.

  • Social engineering: Fraudulent calls mimicking IT support.
  • Corporate focus: Multinational companies with large data volumes.
  • Compromised data: Publicly available but at risk of misuse.

Google is working to contain the issue, but the attack’s sophistication underscores the need for heightened vigilance.

Google app (Photo: Tero Vesalainen / Shutterstock.com)

Steps to secure your account

In response to the threat, Google has outlined clear steps to protect personal and corporate accounts. The first recommendation is to update passwords immediately, ensuring they are unique and not reused across other services, such as social media or banking. Experts warn that reusing passwords increases the risk of unauthorized access.

Enabling two-factor authentication (2FA) is another critical step, adding an extra layer of security by requiring a second verification method, such as a code sent to a mobile device or Google Prompt. Keeping apps, browsers, and operating systems updated also reduces vulnerabilities that hackers could exploit.

  • Update passwords: Use strong, unique passwords, ideally via a password manager.
  • Enable 2FA: Set up two-factor authentication for added protection.
  • Monitor updates: Keep Google and Android apps and systems current.
  • Avoid suspicious links: Do not click on messages or emails requesting personal data.

These measures are essential to minimize risks and secure accounts.

Signs your account may be compromised

Detecting a breach quickly is key to limiting damage. Unexpected password changes, unauthorized updates to personal information, or spam emails sent from your account are clear indicators of compromise. Unusual financial activity on Google Pay or Google Play, such as unrecognized purchases, also signals a problem.

Additionally, unusual activity on Google Drive, such as files shared without permission, may indicate a hack. If a breach is suspected, Google advises running a Security Checkup to identify fraudulent activity.

  • Password changes: Unauthorized alterations are a red flag.
  • Financial activity: Strange transactions on Google Pay or Play.
  • Google Drive issues: Files shared or edited without consent.
  • Immediate action: Run a Google Security Checkup and update passwords.

Proactive monitoring can prevent further damage.

ShinyHunters’ track record

The ShinyHunters are no strangers to cybercrime. Known for targeting major organizations like AT&T, Microsoft, Santander, and Ticketmaster, the group has a history of extortion and selling stolen data on the dark web. Their tactics include demanding bitcoin payments within short deadlines, such as 72 hours, under threat of data leaks.

The group’s name, inspired by the Pokémon franchise, reflects their bold and provocative approach. Their ability to breach large corporations demonstrates a high level of technical expertise and organization, making their attacks particularly dangerous.

  • Previous targets: AT&T, Microsoft, Santander, Ticketmaster.
  • Extortion methods: Emails and calls demanding bitcoin payments.
  • Dark web activity: Selling stolen databases.
  • Sophistication: Highly coordinated and technical attacks.

Their repeated success highlights the need for robust preventive measures.

What to expect from Google moving forward

Google is ramping up efforts to contain the threat and prevent future incidents. The company is reviewing integrations with platforms like Salesforce and strengthening security protocols. The GTIG continues to track ShinyHunters’ activities, focusing on potential data leak sites.

Users should stay cautious of suspicious messages, particularly those requesting personal or financial information. Google also recommends regular account security checks and immediate reporting of unusual activity.

  • Security review: Google evaluates external platform integrations.
  • Ongoing monitoring: GTIG tracks hacker activities.
  • User alerts: Beware of fraudulent messages.
  • Regular checks: Use Google’s security tools routinely.

Google’s swift response is critical to mitigating the attack’s impact.
