Massive breach: 2.5 billion Gmail accounts targeted

Last update: 21/08/2025
Author: Isaac
  • Unauthorized access to a Salesforce database linked to Google; no passwords leaked.
  • ShinyHunters/UNC6040 used vishing and social engineering to obtain permissions.
  • Up to 2.5 billion Gmail addresses could be targeted by scams.
  • Key recommendations: don't share codes, enable 2FA, and monitor access.

Gmail accounts and cybersecurity

Unauthorized access to a database hosted on Salesforce and linked to Google has raised alarms about the possible use of this information in fraud campaigns aimed at more than 2.5 billion Gmail accounts. The company detected the intrusion, blocked it, and maintains that no passwords or credentials were exposed.

According to details shared by Google's threat intelligence teams, the incident dates back to June and was publicly described in early August. The operation reportedly involved social engineering techniques and impersonation of technical support to obtain access that allowed copying basic business and contact information.

What happened and who is behind it

Google Threat Intelligence Group (GTIG) attributes the activity to UNC6040, associated with the ShinyHunters group, known for vishing (voice phishing) campaigns. The attackers posed as support staff to guide employees into approving connections from manipulated applications, such as fake versions of Salesforce's Data Loader, and extracted information that way.

The company maintains that what was accessed was basic corporate information (business names and contact details) and that sensitive data such as passwords, credentials or financial information were not compromised. Still, such material can fuel new deception tactics.

Security alert on Gmail accounts

Scope and figures: why we're talking about 2.5 billion

Various specialized publications, such as Android Headlines, point out that the stolen information is being used to attempt scams against more than 2.5 billion Gmail addresses. In practice, this means a potential wave of emails and calls with security pretexts to induce users to reveal their passwords.


Google indicates that it has notified affected organizations and accounts and emphasizes that the intrusion did not include passwords. However, with company names and emails in hand, the criminals can launch phishing and impersonation campaigns with a high degree of plausibility, as well as extortion attempts.

Among the tactics observed are messages and calls that pretend to come from Google employees warning of alleged breaches and urgent login needs. In some cases, the attackers reportedly demanded payments in cryptocurrencies within very short periods (72 hours), under threat of disclosing the data.

How the scam worked: social engineering step by step

The attackers contacted company staff posing as legitimate technical support. After gaining their trust, they guided the victims to authorize application connections presented as necessary for routine tasks.

These authorizations allowed the attackers to copy information from Salesforce without having to compromise passwords. The campaign has particularly affected SMEs that integrate Google services with their CRM.

Current risks for users and warning signs

The most immediate danger is not the leak of passwords, but the exploitation of contact data to attempt new scams. Emails asking for urgent login, calls demanding verification codes or links to fake panels are now the most likely hooks.

To avoid falling into the trap, remember that Google does not request passwords or 2FA codes by email or phone. Be wary of time pressure, check the sender and always check the URL before entering data.

Quick steps to improve your security

Taking simple steps makes a difference. These are the priority actions recommended by security teams and industry best practices.

  • Never share your Google verification code with anyone, through any channel.
  • Identify scam emails and calls: be suspicious of urgency, verify the sender's identity and do not follow dubious links.
  • Activate two-step verification (2FA/MFA) to add an extra layer to your account.
  • Use strong and unique passwords and update them if you suspect any strange activity.
  • Monitor activity and sessions in your Google account and close any unknown sessions.
  • Keep systems and apps up to date with the latest security updates.

Recommendations for companies and administrators

In corporate environments, reducing the attack surface and containing the impact requires technical controls and continuous training against social engineering.

  • Principle of least privilege: limit permissions to what is strictly necessary, including the use of tools like Data Loader.
  • Managing connected apps: audit which applications have access and who can authorize them.
  • IP and location restrictions: apply access controls to defined networks and sites.
  • Periodic training in vishing, phishing, and digital hygiene for all employees.
  • Monitoring and audits: review profiles, permissions, and high-volume data downloads.
  • Automatic alerts on abnormal behavior, so the team can react in time.
  • Protocol against extortion: do not pay, keep evidence and escalate through official channels.
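The connected-app, network-restriction and high-volume-download controls above can be turned into a simple alert rule. The following is an added example written for this article, not code from Google, Salesforce or the publication; the event records, the app allow-list, the office network range and the thresholds are all constructed assumptions, not a real Salesforce log format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of bulk-export events, one record per export done
# through a connected app (hypothetical fields, not a real Salesforce schema).
EVENTS = [
    {"user": "ana", "app": "Internal Reporting", "ip": "10.20.0.15", "rows": 1200},
    {"user": "ana", "app": "Internal Reporting", "ip": "10.20.0.15", "rows": 900},
    {"user": "luis", "app": "Internal Reporting", "ip": "10.20.1.8", "rows": 300},
    # A lookalike "Data Loader" app approved after a fake support call.
    {"user": "luis", "app": "Data Loader (Support)", "ip": "198.51.100.77", "rows": 48000},
]

APPROVED_APPS = {"Internal Reporting", "Data Loader"}   # assumed allow-list
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed office range
MAX_ROWS_PER_EXPORT = 10000   # assumed absolute ceiling per export
BASELINE_MULTIPLIER = 5       # flag exports far above a user's usual volume

def in_allowed_network(ip):
    """True when the source address falls inside a permitted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def user_baselines(events):
    """Average rows per export per user, using only approved, in-network exports."""
    totals, counts = defaultdict(int), defaultdict(int)
    for e in events:
        if e["app"] in APPROVED_APPS and in_allowed_network(e["ip"]):
            totals[e["user"]] += e["rows"]
            counts[e["user"]] += 1
    return {u: totals[u] / counts[u] for u in totals}

def flag_exports(events):
    """Return (user, app, reasons) for every export that breaks at least one control."""
    baselines = user_baselines(events)
    alerts = []
    for e in events:
        reasons = []
        if e["app"] not in APPROVED_APPS:
            reasons.append("unapproved connected app")
        if not in_allowed_network(e["ip"]):
            reasons.append("source IP outside allowed networks")
        if e["rows"] > MAX_ROWS_PER_EXPORT:
            reasons.append("export exceeds absolute row ceiling")
        base = baselines.get(e["user"])
        if base and e["rows"] > base * BASELINE_MULTIPLIER:
            reasons.append("export far above user's usual volume")
        if reasons:
            alerts.append((e["user"], e["app"], reasons))
    return alerts
```

Run against the sample, only the export through the unapproved "Data Loader (Support)" app is flagged, for all four reasons at once; in a real deployment the baselines would be computed over a history window rather than the same batch being checked.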

The case illustrates the impact that social engineering can have. Even without a password leak, attackers are enabling large-scale impersonations with contact data. Keeping your guard up, applying 2FA, and validating any suspicious communication are the best allies today for keeping Gmail accounts, and the corporate environments that depend on them, safe.
