Google data breach: 2.5 billion gmail users at scam risk

The current status of the developing Google-related data breach issue on August 29, 2025 , in Google data breach: 2.5 billion gmail users at scam risk, The breach arose out of a Salesforce CRM hack.

What’s Happening?

• Mass Data Exposure of Gmail Users

The search engine giant Google has also sent an emergency message to the almost 2.5 billion users of its Gmail service, urging them to change passwords and settings and increase account protection. The breach arose out of a Salesforce CRM hack in which attackers associated with the group ShinyHunters stole business contact data by way of a voice phishing (vishing) attack.

• Phishing & Vishing Surge

There were no stolen passwords. Nevertheless, leaked contact information has already been used to perpetrate advanced phishing and impersonation scams, such as phone calls whose number has been spoofed to appear as part of the 650 area code of Silicon Valley.

• Scope & Impact

It is regarded as one of the most massive cybercrimes in the recent history of Google, which underlines the fact that even publicly shared business information can enhance cyber threats when used improperly.

• Additional OAuth Token Breach

Google independently reported that the group of threat actors UNC6395 used OAuth tokens related to SalesloftDrift integration between August 818, 2025 and involved not only Salesforce but a variety of Google Workspace integrations. To be on the safer side, Google suspended the affected tokens and disabling the corresponding integration feature.

• Compromised Add workspace Accounts.

Google has observed that attackers also accessed a small amount of Google Workspace accounts through stolen OAuth tokens which widens the affected scope from what was initially estimated.

What Should You Do Now?

1. Update Your Gmail Password

Use a powerful and distinct password- not used on multiple sites.

2. Active Two Factor Authentication (2FA) or Passkeys.

Preferably via non-SMS methods for stronger protection.

3. Ignore Unsolicited Calls or Emails

Google will not reach out to you over the phone or via email to ask to provide log-ins or 2FA codes. Dial off in case of suspicion of a vishing activity.

4. Watch for Phishing Scams

Watch out on emails or texts that claim to be Google, and demand credentials or verification codes.

5. Review Account Activity and Access Permissions

Monitor unrecognized logins or devices and clear the suspicious access.

6. Utilize Security Tools

Checkup your Google security, think about the Advanced Protection Program, and use a variety of authenticators.

How to Protect your Google Account.

1. Change Your Password Right now.

• Use a long, special password (12 or more characters, a combination of letters, numbers and symbols).
• Always do not use the same password in another place.
• Take into account a password manager (Bitwarden, 1Password, LastPass, Google Password Manager) in order to create/store it securely.

2. Enable 2-Factor Authentication (2FA) / Passkeys.

• Go to: myaccount.google.com/security
• Under “Signing in to Google”, enable 2-Step Verification.
• Use Google Authenticator app or a hardware key (YubiKey, Titan Key) – do not use SMS-based 2FA unless you have no other options (SIM-swapping can be performed by hackers).

3. Complete a Google security checkup.

• Visit Google Security Checkup
• Review:

o Devices logged in

o Third-party apps with access

o Suspicious recent activity

4. Revoke Unnecessary App Permissions

• Check Google Account Permissions
• Uninstall applications/ services that are not used (they are frequently used in attacks).

5. Set Up Account Recovery

• Enter/ update a backup phone number and secondary email (to recover in case locked out).

Make sure that you are the only one who is in charge of these recovery methods.

6. Enable Alerts

• Turn on Security Alerts ON- Google will notify you in the event that a person tries to log in or access your account.

 

How to Spot Phishing & Vishing (Fake Calls/Emails)

This breach is already being used by attackers with scam emails and phone calls. The following is an explanation of how to secure yourself:

1. Red Flags in Emails

• Some sense of urgency: Your account will be shut down unless you do the following…
• Suspicious links: Hover over links If the link is not accounts.google.com, do not click.
• Attachments: Google does not send login form or files.
• Mismatch of senders: A fraud could be a support-google@gmail.com (non genuine).

Safe senders: @google.com / @accounts.google.com

 

2. Vishing Red Flags in Phone Calls.

• Caller states that he is Google support requesting codes.
• Fraudulently obtained 650 area code (Google’s HQ number).
• Asks you to enter a password or 2FA code or payment details – Google never asks.

If in doubt: hang up. When you believe it is real, call Google support directly on their web site.

 

3. General Defense Habits

• Always avoid typing in your credentials into a site that was emailed or sent to you through a text message or an email.
• This is because you should use differing passwords on services (in case one password is compromised, the rest will be secure).
• Keep your browser and phone updated to remedy security defects.

 

Extra-Protective Option: Google Advanced Protection Program – It is available to any person, although it is created to protect people who are more vulnerable to these attacks (journalists and executives and so on). It has physical keys and it prevents nearly all phishing.

Also visit-https://iggram.com/