Google has issued a warning to its 2.5 billion Gmail users following a data breach linked to a third-party Salesforce system, raising concerns about potential phishing campaigns targeting millions of accounts.
The incident, which occurred in June, was initially believed to be limited in scope. However, in a blog post this week, Google said the breach was broader than first reported, impacting not only Salesforce Drift but also other integrations.
According to Google Threat Intelligence, the attack—attributed to a group identified as UNC6395—allowed hackers to scan customer support tickets and messages, gaining access to sensitive information such as AWS access keys, Snowflake tokens, and passwords. Although Google maintains that no Gmail passwords were directly compromised, the company warned that users remain vulnerable to phishing and social engineering attempts.
Reports from Forbes indicate that Google has advised users to change their Gmail passwords and enable additional protections such as two-factor authentication and passkeys. The company also warned that attackers have begun impersonating Google employees via calls and text messages to trick users into revealing login details.
The cybercrime group ShinyHunter, linked to previous large-scale breaches involving Microsoft, Ticketmaster, and AT&T, has been named as the likely culprit. While much of the stolen data was already publicly available, Google said the attackers may attempt to use it to set up phishing websites.
