What Happened?
In June 2025, ShinyHunters—also known as UNC6040, a notorious hacker group—gained access to Google’s Salesforce database by deceiving an employee into revealing their credentials through social engineering tactics, specifically phone-based “vishing” scams (News.com.au, The Sun, Tom’s Guide). As a result, the contact information of approximately 2.5 billion Gmail users was exposed. While passwords were not compromised, the leaked data included names, email addresses, and other business-related contact details (News.com.au, Tom’s Guide, The Sun).
The Fallout
Following the breach, scammers launched aggressive phishing and vishing campaigns, impersonating Google support—sometimes using numbers from the 650 area code (associated with Silicon Valley)—to trick users into giving up their logins or resetting passwords (The Economic Times, The Sun, Tom’s Guide).
Cybersecurity expert James Knight warned that users should not trust unsolicited phone calls or messages claiming to be from Google—as “nine times out of 10, it’s likely not” (News.com.au). The exposed contact data enables highly targeted scams, making users even more susceptible.
What You Should Do Now
1. Be Skeptical of Unsolicited Communications
- Ignore unsolicited calls or messages, especially those urging immediate password changes or sharing codes—even if they appear to come from a legitimate source or local area code (News.com.au, Tom’s Guide, The Economic Times).
2. Enable Two-Factor Authentication (2FA) or Passkeys
- Activate 2FA (preferably through authentication apps or physical keys).
- Google strongly recommends switching to passkeys, a more secure, phishing-resistant alternative to passwords (The Economic Times, Tom’s Guide, The Sun).
- Google has even made 2-step verification mandatory for all users (Tech Observer).
3. Use Google’s Security Checkup
- Run Google’s Security Checkup tool to review and improve your account security—this can help identify weak spots and unauthorized access (Forbes).
4. Join the Advanced Protection Program
- For high-risk accounts (e.g., journalists, activists), Google’s Advanced Protection requires a passkey or hardware security key, offering stronger protection—even if attackers know your password (Forbes).
5. Stay Educated on Phishing Tactics
- Learn to identify phishing signs: suspicious links, unexpected attachments, poor grammar, or urgent actions.
- Use tricks like hovering over links to reveal actual URLs before clicking (Forbes, Tom’s Guide).
Why This Matters
Although passwords weren’t stolen, the breached contact data allows attackers to craft convincing scams—via email, phone, or text—because they now look more legitimate. With users receiving increased phishing attempts, protecting your account has never been more critical (Tom’s Guide, The Economic Times).
Summary Table
| What Was Breached | Risk | What You Can Do |
|---|---|---|
| Contact details (names, emails) of 2.5B users | Targeted phishing and vishing attacks | Enable 2FA or passkeys; run Security Checkup; beware of scams; consider Advanced Protection |
══════════════════
Remember: vigilance + strong security practices = your best defense!




