Google denies security alert for 2.5 billion Gmail users

A hacking group known as ShinyHunters infiltrated a Salesforce database used by Google in June 2025, sparking fears of a massive compromise of Gmail accounts. Contradicting alarmist headlines, the company firmly denied that 2.5 billion Gmail users are at immediate risk, labeling such claims “entirely false.” The incident, which involved business contact information, did not expose passwords or sensitive personal data. However, the breach triggered a wave of phishing attacks, with scammers posing as Google support to steal credentials. The company emphasizes Gmail’s robust security and recommends preventive measures, such as using passkeys. This article clarifies the facts, details the incident, and guides users on how to stay protected.

Although the breach occurred, its impact was limited to a specific set of corporate data, with no direct connection to personal Gmail accounts. The confusion stemmed from exaggerated reports suggesting a widespread threat, leading many users to believe they needed to change their passwords immediately. Google, in an official statement, refuted the need for a global emergency action.

• What happened: Hackers accessed a Salesforce database with business information.
• What was not compromised: Passwords, emails, or financial data of Gmail users.
• Google’s response: Notified affected parties by August 2025 and disabled suspicious integrations.
• Current risk: Increased phishing attempts exploiting news of the breach.

The company stressed that its systems block over 99.9% of phishing and malware attempts, but urged users to remain vigilant against scams.

Details of the incident

The attack, carried out by the ShinyHunters group, exploited a vulnerability in a Salesforce corporate database used by Google to manage contacts for small and medium-sized businesses. The hackers, known for targeting large corporations, used social engineering, posing as IT support to deceive a Google employee. This allowed access to information such as company names, contacts, and customer relationship notes, but no sensitive user data was compromised. Google identified the breach in June, cut off the hackers’ access, and completed notifications to affected parties by August 8, 2025.

The scope of the leak was initially overstated by reports suggesting a direct threat to all 2.5 billion Gmail users. The company responded swiftly, issuing a denial on September 1, 2025, stating that no global alert was issued. The statement emphasized that Gmail remains secure, with advanced protections against cyber threats.

• Data accessed: Public information, such as company names and contacts.
• Google’s response: Revoked access tokens and suspended Salesforce integrations.
• Actual impact: Limited to corporate accounts, with no evidence of personal account breaches.
• Preventive actions: Notified users were advised to monitor phishing attempts.

The confusion caused by sensationalist headlines amplified panic, but Google clarified that the incident does not warrant immediate password changes for all users.

Surge in phishing attacks

While the breach itself did not compromise Gmail accounts, it led to a surge in phishing attacks. Scammers have exploited the news of the incident to deceive users, sending emails and making phone calls posing as Google representatives. These messages often claim suspicious account activity and request password changes through malicious links or codes provided over the phone. Such tactics aim to capture credentials to take control of accounts.

Reports on online forums, such as Reddit, indicate that users have received fraudulent communications, including emails from supposed Gmail delivery systems and calls from numbers with a 650 area code, associated with California. Google warns that it never contacts users directly by phone to request passwords or verification codes, advising users to ignore such communications.

• Scammers’ tactics: Fake emails, phone calls, and SMS mimicking official communications.
• Warning signs: Requests for passwords or verification codes via phone or email.
• Recommendations: Check security alerts directly on the Google account security page.
• Protection tools: Enable two-factor authentication and use passkeys.

The company also highlighted that its security filters block the vast majority of phishing attempts, but user vigilance is essential to avoid scams.

Recommended protection measures

To ensure account security, Google encourages practices that minimize cyber risks. Adopting passkeys, which use biometrics like fingerprints or facial recognition, is a key recommendation, as they eliminate reliance on traditional passwords, which can be stolen. Additionally, enabling two-factor authentication (2FA) adds an extra layer of protection, requiring a second verification method beyond the password.

Users are also advised to regularly perform security checkups on their accounts, accessing Google’s settings to review recent activities and connected devices. The company offers the Advanced Protection Program, designed for users needing enhanced security, such as journalists and executives.

Leia Tambem

Índia tem alerta de chuva, tempestade e granizo para este sábado com alívio da onda de calor

Polícia alemã procura Mirjam Ecker desaparecida desde 28 de maio em Wirft

Autoridades chinesas criam RGs digitais para rastrear 28 mil robôs humanoides do país

• Passkeys: Replace passwords with biometric authentication.
• Two-factor authentication: Adds verification via app or device.
• Security checkup: Reviews suspicious account activity.
• Advanced Protection Program: Provides extra security layers for high-risk users.
• Key tip: Never click on links in unsolicited emails.

Changing passwords regularly, while not necessary for all users post-incident, remains a good digital security practice.

Origin of the misinformation

The wave of alarmist news appears to stem from a misinterpretation of Google’s earlier communications. In July 2025, the company published a blog warning about the general rise in phishing attacks, without direct reference to the Salesforce incident. Some reports confused this post with a supposed global alert, creating the narrative of an imminent threat to all Gmail users. The mention of 2.5 billion users, corresponding to Gmail’s total user base, amplified the perception of a widespread crisis.

Google criticized the spread of inaccurate information, stating that it causes unnecessary panic and diverts attention from real threats. The company reiterated its commitment to transparency, noting that it always notifies affected users directly about security incidents, as it did with the corporate accounts impacted by the breach.

• Source of the confusion: July blog on phishing was misinterpreted.
• Effect of headlines: Panic among users who received no alerts.
• Google’s response: Official statement on September 1 debunking rumors.
• Lessons learned: Importance of verifying information before sharing.

The company urged users to rely only on official communications and avoid sharing sensationalist news.

History of the ShinyHunters group

The ShinyHunters group, responsible for the attack, is notorious for a series of breaches targeting major companies, such as Santander and AT&T. Their tactics often involve social engineering, exploiting employee trust to access corporate systems. In Google’s case, the hackers used a malicious app integrated with Salesforce to gain temporary access to the database. The group is believed to be planning to escalate its actions, possibly by creating a data leak website.

Google’s threat intelligence report noted that ShinyHunters often use stolen data for extortion campaigns, demanding cryptocurrency payments to withhold information. While the June breach did not expose sensitive data, the group’s sophistication underscores the need for ongoing vigilance.

• Group’s history: Attacks on companies like Santander and Allianz.
• Attack method: Social engineering and malicious apps.
• Future risks: Potential creation of a data leak website.
• Preventive action: Monitoring suspicious activity in corporate accounts.

The company continues to investigate the group to mitigate potential future threats.

User recommendations

Although the incident does not require an immediate password change for all users, Google recommends adopting robust security practices. In addition to passkeys and two-factor authentication, users should be cautious of unsolicited emails and messages, especially those urging urgent actions like clicking links or providing verification codes.

The Google account security checkup, available in settings, allows users to identify unrecognized devices and revoke suspicious access. The company also suggests using services like Proton Mail for email aliases, which protect the primary address in case of leaks.

• Regular checks: Access the Google account security section.
• Avoid suspicious links: Do not click on unsolicited emails or messages.
• Email aliases: Use temporary addresses to protect the main one.
• Digital education: Learn to identify phishing attempts.

Google reiterates that Gmail’s security remains robust, but user collaboration is critical to keeping accounts safe.