Data Breach at Google Exposed Corporate Information and Opened the Door for New Digital Frauds
Criminals use social engineering, fake calls, and cloud techniques to try to take over Gmail and Google Cloud accounts.
Google confirmed that a group of cybercriminals accessed, in June 2025, information from one of its corporate databases maintained on the Salesforce platform.
The company claims that passwords were not exposed and that the records mainly contained business contact data.
Since then, reports of phishing and phone scams imitating the company’s support to try to take control of Gmail and Google Cloud accounts have multiplied.
Despite the figure of “2.5 billion accounts” circulating, Google did not disclose an official number of those affected.
What Happened and When
According to a statement from the company itself, a corporate CRM instance hosted on Salesforce was accessed improperly.
The system contained contacts and notes related to small and medium-sized business clients.
The activity was identified, contained, and went through impact analysis, according to the company, which claims to have implemented the necessary mitigations.
Although the incident occurred in June, the public confirmation came in early August.
In the interim, criminals took advantage of contact data to reinforce social engineering scams and pressure victims to “verify” alleged security violations.
There was no indication of large-scale compromise of Gmail or encrypted credentials; the focus was on basic contact and business data.
How Phone Scammers Operate
In new reports, users describe calls where someone introduces themselves as a Google support employee.
The caller claims to have detected a breach and, to “protect the account,” guides the victim to reset access.
During this process, they attempt to capture verification codes or passwords, allowing them to take over the account.
To gain credibility, scammers mention names and contact information that were in the exposed data.
In many cases, they appeal to urgency and use technical language to reduce suspicion.
The pattern resembles vishing campaigns (voice phishing), where human voice replaces fake emails and web pages.
Google Cloud and the Risk of “Dangling Buckets”
Simultaneously, there are reports of attacks targeting Google Cloud users that exploit the vulnerability known as “dangling buckets”.
The method relies on outdated or poorly monitored access addresses that, if reused by third parties, allow malicious file injection or data diversion.
Although the technique is known in the industry and Google recommends specific best practices to prevent it, there is no official confirmation that this vector was the main pathway in this case.
Who is the Involved Group
The attack was attributed to a collective nicknamed ShinyHunters, tracked by security firms under the designation UNC6040.
According to Google and industry analysts, the group frequently exploits social engineering, including via phone, to invade corporate tools and download large volumes of information.
Once they have the data in hand, they often pressure victims with threats of public leakage.
What Experts Say
For Federico Simonetti, CTO of Xiid, offensives of this type “are avoidable” and, in the executive’s view, even “impossible” if organizations abandon the use of traditional credentials.
He advocates for the adoption of “truly password-free” methods, such as key-based authentication, reducing the attack surface of account reset.
Dray Agha, senior security operations manager at Huntress, draws attention to two points.
The first is the human factor, exploited through vishing and other persuasion tactics.
The second is the dependency on third-party platforms, such as CRMs and other cloud services, which can become weak links if poorly configured or monitored.
According to him, “the reported use of voice phishing by UNC6040 is a clear reminder that human factors continue to be a commonly targeted attack surface.”
How to Reduce Risk Now
The immediate guidance is to be suspicious of unsolicited contacts presenting themselves as technical support.
Google typically does not call users asking for codes, passwords, or reset approvals.
If in doubt, go to official channels and initiate the verification yourself.
Additionally, enable two-factor authentication and, when possible, migrate to passkeys.
Google’s security check helps review logged-in devices, recent access attempts, and permissions granted to third-party applications.
For those using Google Cloud, it is advisable to periodically audit bucket names, old references in code, and access permissions, reducing the chance of exploiting orphaned addresses.
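One way to run the audit of old bucket references described above, as an added example that is not from Google or the original article: it scans source and config text for Cloud Storage bucket names and flags any that are not in the inventory of buckets the organization currently owns. The file contents, bucket names, and the `OWNED_BUCKETS` inventory are constructed sample data.

```python
import re

# Common ways a Cloud Storage bucket is referenced in code and config.
NAME = r"([a-z0-9][a-z0-9._-]{1,220}[a-z0-9])"
BUCKET_PATTERNS = [
    re.compile(r"gs://" + NAME),                                  # gs:// URI
    re.compile(r"https?://storage\.googleapis\.com/" + NAME),     # path-style URL
    re.compile(r"https?://" + NAME + r"\.storage\.googleapis\.com"),  # host-style URL
]

def find_bucket_references(files):
    """Return {bucket_name: [(path, line_no), ...]} for every reference found."""
    refs = {}
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pattern in BUCKET_PATTERNS:
                for name in pattern.findall(line):
                    refs.setdefault(name, []).append((path, line_no))
    return refs

def find_dangling(files, owned_buckets):
    """References to buckets that are not in the current inventory."""
    refs = find_bucket_references(files)
    return {n: locs for n, locs in sorted(refs.items()) if n not in owned_buckets}

# Constructed sample input: in practice, read files from the repository and
# build the inventory from a listing of the buckets in your own projects.
SAMPLE_FILES = {
    "web/index.html": (
        '<script src="https://storage.googleapis.com/acme-static-assets/js/app.js"></script>\n'
        '<img src="https://acme-campaign-2019.storage.googleapis.com/banner.png">\n'
    ),
    "deploy/install.sh": (
        "#!/bin/sh\n"
        "gsutil cp gs://acme-old-downloads/installer.sh /tmp/installer.sh\n"
    ),
    "infra/backup.yaml": "destination: gs://acme-backups/nightly\n",
}
OWNED_BUCKETS = {"acme-static-assets", "acme-backups"}

if __name__ == "__main__":
    for name, locations in find_dangling(SAMPLE_FILES, OWNED_BUCKETS).items():
        for path, line_no in locations:
            print(f"{path}:{line_no}: reference to bucket not in inventory: {name}")
```

Each flagged reference should either be removed from the code or have its bucket name re-created under the organization's control, so the address cannot be claimed by someone else.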
What is Still Unknown
Some information remains publicly unconfirmed.
The main one is the exact scale of the incident.
Although headlines mention billions of accounts, the company did not provide numbers, and the described data pertains to business contacts, not personal email boxes.
There is also no detail on how many vishing calls were detected nor on the success rate of these attempts.
