Google has confirmed a breach of a corporate Salesforce system that, while not touching consumer Gmail inboxes, is now powering a noticeable surge in phishing and voice‑phishing scams aimed at billions of Gmail and Workspace users worldwide. The net effect: roughly 2.5 billion people who rely on Gmail are facing fresh social‑engineering risks, even though passwords and inbox content weren’t directly stolen in the breach itself, according to Google’s disclosure and consistent independent reporting.
What actually happened
In June, a threat group Google tracks as UNC6040, often intersecting with “ShinyHunters” branding during later extortion, briefly accessed one of Google’s corporate Salesforce instances and pulled business contact details and sales notes before access was cut off, the company said. Google emphasized that the retrieved data was “confined to basic and largely publicly available business information,” and that notifications to impacted contacts were completed by August 8 following analysis and containment. None of this involved consumer Gmail, Drive, Calendar, or Google Cloud customer datasets, but the headlines and the contact data are now being used to make phishing and vishing lures sound real enough to work at scale.
Why this matters now
Scale changes everything: with Gmail’s footprint measured in billions, even a tiny bump in success rates for credential‑stealing scams can translate into widespread account takeovers and fraud across connected services, especially when fear and urgency are used as levers, as security outlets have warned this week. Coverage notes Google has observed “successful intrusions” linked to compromised passwords amid the broader wave, prompting renewed calls for stronger authentication, password hygiene, and in many cases, password changes to blunt follow‑on attacks.
A quick recap in plain terms
- The breach hit a corporate Salesforce instance, not Gmail itself, and exposed business contact data and related notes during a short access window in June, Google confirmed.
- Consumer Gmail inboxes, files, and payment details weren’t in that system; however, attackers are capitalizing on the news to run convincing phishing and vishing plays that try to steal passwords and 2FA codes after the fact, which is where the real harm happens.
What the attackers are doing, and how
This crew leans on the phone (classic voice phishing), posing as IT support, then nudging targets to approve a malicious connected app or reset steps that open the door to bulk data exports and later extortion, Google’s Threat Intelligence team reports. Initially, data was siphoned with Salesforce’s Data Loader tool; later, custom Python apps mimicked that export behavior, while infrastructure bounced through VPNs and Tor to muddy the trail, a pattern Google has tied to UNC6040’s operations this year.
Google’s confirmation, on the record
“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity,” Google wrote, adding that the data taken was “confined to basic and largely publicly available business information” and that notifications concluded by August 8 after the internal review and mitigations were complete. TechCrunch likewise reported Google’s statement that the stolen records were business‑focused contacts and notes, while key details, like how many total customers were affected or whether a ransom was demanded, remain undisclosed.
Was consumer Gmail data leaked? No, but scams are rising
Google’s message here is straightforward: the affected Salesforce system didn’t hold consumer Gmail or Google Cloud customer data; what’s happening now is opportunistic phishing that piggybacks on the incident to legitimize socially engineered resets and code‑sharing ploys targeting Gmail and Workspace users en masse. Security reporting highlights a clear pattern: no database of passwords was dumped, but attackers are tricking people into handing over credentials and 2FA codes, which amounts to the same outcome once accounts get hijacked and recovery channels are tampered with.
About that 2.5 billion figure: what it actually signals
Media coverage frames the risk in terms of Gmail’s estimated reach (roughly 2.5 billion users) because large‑scale phishing doesn’t need a password dump to be dangerous when a credible pretext, a familiar brand, and some scraped or exposed contact info are all in play. In other words, the figure underscores the potential blast radius for social engineering, not a one‑to‑one leak of every user’s data, which did not occur here, per Google’s disclosure.
How the scams look and sound
Reports describe an uptick in calls spoofed to resemble Mountain View’s 650 area code, where a calm but insistent “support” voice claims an urgent security issue and steers targets into password resets or one‑time code sharing “just to verify,” which is the trap. These calls often coincide with polished emails styled as Google alerts, sending people to fake sign‑in pages that collect credentials and sometimes manipulate MFA flows, leading to lockouts and rapid takeover of connected accounts and services.
Snapshot table: what was and wasn’t breached
| Area | Status |
| --- | --- |
| Google corporate Salesforce (SMB contacts/notes) | Accessed in June; basic business contact data exfiltrated |
| Consumer Gmail/Drive/Calendar data | Not stored in the affected system; not part of this breach |
| Gmail passwords/payment info | Not stolen in the incident; scammers now try to harvest them post‑breach |

Timeline: fast but consequential
- June 2025: One Google corporate Salesforce instance is accessed by UNC6040; contact data is exfiltrated during a short window before access is terminated, per Google.
- June–August 2025: Google Threat Intelligence details the vishing‑to‑data‑theft pattern and notes UNC6240‑style extortion tactics that often borrow “ShinyHunters” branding to increase pressure on victims.
- Early–mid August 2025: Google completes notifications by August 8 and warns of a potential move toward a ShinyHunters‑branded data leak site to escalate extortion in related activity, even as direct ties vary by case.
- Late August 2025: Major outlets advise billions of Gmail users to tighten defenses as phishing and vishing reports rise globally, with specific guidance on passwords and passkeys.
The wider Salesforce wave behind the scenes
In parallel, a separate but related campaign hit Salesforce customer environments via compromised OAuth tokens tied to a Salesloft–Drift chat integration between roughly August 8 and August 18, with hundreds of organizations potentially affected and clear signs of bulk exports targeting access keys and tokens, according to incident reporting and vendor advisories. Investigators stress this wasn’t a core Salesforce platform vulnerability; rather, it abused third‑party integrations, which led to rapid token revocations and re‑authentication requirements across impacted stacks.
Why “basic” data still packs a punch
Names, titles, phone numbers, and company context sound harmless until that information is used, mid‑call, to drop believable specifics, time outreach during business hours, and guide a hurried reset that hands over a password or one‑time passcode, which is game over for account security in many cases, Google’s team notes. Once an attacker’s inside, it’s common to adjust recovery methods, add devices, or approve new app connections, which makes lockouts stick and downstream fraud much easier to pull off than most people expect, as recent coverage has explained.
What Google and security outlets advise now
- Move to passkeys and enable non‑SMS multi‑factor authentication to blunt phishing pages and code‑stealing tricks that target passwords and text messages, a best practice repeatedly emphasized this week.
- Use strong, unique passwords and consider a change if any suspicious prompts, unexpected reset emails, or odd “support” calls were encountered; brief second thoughts are worth acting on in this environment, experts say.
- Run Google’s Security Checkup to review devices, recovery channels, and third‑party app access; prune anything unfamiliar to shrink the attack surface and remove easy social‑engineering pivots.
Quotes that capture the moment
“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” Google stated regarding the Salesforce incident, as cited in external reporting and its own threat post updates. “We believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google Threat Intelligence added, noting notifications to affected parties concluded by August 8.
A typical scam, start to finish
- A call comes in spoofed to resemble a Google‑linked number, sometimes with the 650 area code, and the agent sounds credible, friendly even, but firm about an urgent security issue that “can’t wait,” which nudges quick compliance.
- The caller walks through a password reset or requests a one‑time code, and a follow‑up email points to a convincing sign‑in page; the moment those details are entered or spoken aloud, the account is effectively theirs, often followed by a swift lockout and recovery changes that are hard to unwind.
Who’s “ShinyHunters,” and why the label matters
The “ShinyHunters” name, which Google links to UNC6240‑style extortion messaging in this broader ecosystem, has surfaced in multiple high‑profile breaches in recent years, and its notoriety is now a tool, whether perfectly accurate in each case or not, to ratchet up pressure on victims, researchers say. Google also notes overlaps with other criminal communities, including elements tied to “The Com,” which suggests shared tooling and tradecraft rather than a single monolithic outfit behind every phase of these campaigns.
What enterprises should do next
For Salesforce environments, audit connected apps, tighten “API Enabled,” “Customize Application,” and “Manage Connected Apps” permissions, and enforce IP restrictions to narrow where authorizations and logins can occur; these are steps Google recommends to curb Data Loader‑style exports and malicious OAuth abuse. Security teams should ingest Salesforce Shield logs, watch for unusual bulk exports, and rotate keys and tokens in line with Salesloft–Drift advisories, given the focus on harvesting cloud credentials during the August OAuth campaign.
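As an illustration of the "watch for unusual bulk exports" advice above, here is a small triage script added for this article; it is not Google's or Salesforce's code. The event schema, app names, IP range and row threshold are all assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions for illustration: tune all three to your own org.
APPROVED_APPS = {"Sales Console", "Data Loader"}           # reviewed connected apps
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # corporate egress range
ROW_THRESHOLD = 10_000                                     # rows per user per hour

# Constructed sample events in a simplified, hypothetical schema (not Salesforce's
# own log field names); map your exported event logs onto these keys first.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:05:00Z", "user": "alice", "app": "Sales Console", "ip": "203.0.113.10", "rows": 120},
    {"ts": "2025-06-10T10:01:00Z", "user": "bob", "app": "Data Loader", "ip": "203.0.113.20", "rows": 4000},
    {"ts": "2025-06-10T10:20:00Z", "user": "bob", "app": "Data Loader", "ip": "203.0.113.20", "rows": 4000},
    {"ts": "2025-06-10T10:40:00Z", "user": "bob", "app": "Data Loader", "ip": "203.0.113.20", "rows": 4000},
    {"ts": "2025-06-10T14:03:00Z", "user": "carol", "app": "Ticket Sync", "ip": "198.51.100.77", "rows": 6000},
    {"ts": "2025-06-10T14:30:00Z", "user": "carol", "app": "Ticket Sync", "ip": "198.51.100.77", "rows": 7000},
    {"ts": "2025-06-10T16:12:00Z", "user": "dave", "app": "Sales Console", "ip": "198.51.100.5", "rows": 50},
]


def find_suspicious_exports(events, approved_apps=APPROVED_APPS,
                            allowed_nets=ALLOWED_NETS, row_threshold=ROW_THRESHOLD):
    """Group events per user per hour and return the groups worth an analyst's look."""
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for e in events:
        key = (e["user"], e["ts"][:13])          # "YYYY-MM-DDTHH" hour bucket
        totals[key] += e["rows"]
        if e["app"] not in approved_apps:
            reasons[key].add("unapproved_app")
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in allowed_nets):
            reasons[key].add("ip_outside_allowed_ranges")
    findings = []
    for (user, hour), rows in sorted(totals.items()):
        why = set(reasons[(user, hour)])
        if rows > row_threshold:                 # catches exports made with an approved tool too
            why.add("bulk_volume")
        if why:
            findings.append({"user": user, "hour": hour, "rows": rows, "reasons": sorted(why)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_exports(SAMPLE_EVENTS):
        print(finding)
```

The volume check runs independently of the app allowlist because, as described above, the early exports used Salesforce's own Data Loader tool, which an allowlist alone would pass.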
Practical defenses for individuals
- Turn on non‑SMS MFA and adopt passkeys to reduce exposure to credential‑stealing pages and code‑theft schemes that have spiked alongside breach‑themed phishing.
- Create a strong, unique password, and don’t hesitate to change it if anything feels off. Odd reset emails, unexplained prompts, or a surprise “support” call are all valid triggers to take action, according to security guidance this week.
- Use Google’s Security Checkup to verify devices and recovery options, and remove unfamiliar third‑party access, which cuts off common avenues attackers use after initial compromise.
What’s still unclear, and what to watch
Google hasn’t disclosed how many organizations or contacts were touched by the June Salesforce breach, nor has it confirmed whether any ransom demands landed in that specific case, though its threat post outlined a likely shift toward a data leak site by actors using the “ShinyHunters” label in related extortion. The true scale of phishing and vishing waves piggybacking on these headlines is tough to measure, but security reporting indicates a clear uptick and a clear playbook aimed at Gmail users globally.
Bottom line: steady habits, fewer surprises
The breach didn’t spill Gmail inboxes onto the web, but it handed social engineers new talking points and contact leads, and at Gmail’s scale, even small percentages add up fast, which is why stronger authentication and healthy skepticism toward unsolicited “support” are now simple, essential habits, not nice‑to‑haves.