Data Breach at Google Exposed Corporate Information and Opened the Door for New Digital Frauds
Criminals Use Social Engineering, Fake Calls, and Cloud Techniques to Try to Take Over Gmail and Google Cloud Accounts.
Google confirmed that a group of cybercriminals accessed, in June 2025, information from one of its corporate databases maintained on the Salesforce platform.
The company claims that passwords were not exposed and that the records mainly contained business contact data.
Since then, reports of phishing and phone scams imitating the company’s support to try to take control of Gmail and Google Cloud accounts have multiplied.
Despite the figure of “2.5 billion accounts” circulating, Google did not disclose an official number of those affected.
What Happened and When
According to a statement from the company itself, a corporate CRM instance hosted on Salesforce was accessed improperly.
The system contained contacts and notes related to small and medium-sized business clients.
The activity was identified, contained, and went through impact analysis, according to the company, which claims to have implemented the necessary mitigations.
Although the incident occurred in June, the public confirmation came in early August.
In the interim, criminals took advantage of contact data to reinforce social engineering scams and pressure victims to “verify” alleged security violations.
There was no indication of large-scale compromise of Gmail or encrypted credentials; the focus was on basic contact and business data.
How Phone Scammers Operate
In new reports, users describe calls where someone introduces themselves as a Google support employee.
The caller claims to have detected a breach and, to “protect the account,” guides the victim through resetting access.
During this process, they attempt to capture verification codes or passwords, allowing them to take over the account.
To gain credibility, scammers mention names and contact information that were in the exposed data.
In many cases, they appeal to urgency and use technical language to reduce suspicion.
The pattern resembles vishing (voice phishing) campaigns, in which a human voice replaces fake emails and web pages.
Google Cloud and the Risk of “Dangling Buckets”
At the same time, there are reports of attacks targeting Google Cloud users that exploit the vulnerability known as “dangling buckets”.
The method relies on outdated or poorly monitored storage addresses that, once claimed by a third party, allow malicious files to be injected or data to be diverted.
Although the technique is known in the industry and Google recommends specific best practices to prevent it, there is no official confirmation that this vector was the main pathway in this case.
Who is the Involved Group
The attack was attributed to a collective nicknamed ShinyHunters, tracked by security firms under the designation UNC6040.
According to Google and industry analysts, the group frequently uses social engineering, including by phone, to break into corporate tools and download large volumes of information.
Once they have the data in hand, they often pressure victims with threats of public leakage.
What Experts Say
For Federico Simonetti, CTO of Xiid, attacks of this type “are avoidable” and, in the executive’s view, even “impossible” if organizations abandon the use of traditional credentials.
He advocates the adoption of “truly password-free” methods, such as key-based authentication, which reduce the attack surface of account resets.
Dray Agha, senior security operations manager at Huntress, draws attention to two points.
The first is the human factor, exploited through vishing and other persuasion tactics.
The second is the dependency on third-party platforms, such as CRMs and other cloud services, which can become weak links if poorly configured or monitored.
According to him, “the reported use of voice phishing by UNC6040 is a clear reminder that human factors continue to be a commonly targeted attack surface.”
How to Reduce Risk Now
The immediate guidance is to be suspicious of unsolicited contacts presenting themselves as technical support.
Google typically does not call users asking for codes, passwords, or reset approvals.
If in doubt, contact the company through official channels and start the verification yourself.
Additionally, enable two-factor authentication and, when possible, migrate to passkeys.
Google’s security check helps review signed-in devices, recent access attempts, and permissions granted to third-party applications.
For those using Google Cloud, it is advisable to periodically audit bucket names, old references in code, and access permissions, to reduce the chance that orphaned addresses are exploited.
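One way to run the bucket audit recommended above, as an added example that is not part of the original article or of Google's own tooling: it extracts Cloud Storage bucket names from files in a code base and reports every reference to a bucket missing from your inventory. The file contents, bucket names, and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Bucket name: 3-63 chars, lowercase letters/digits/._-, alphanumeric at both ends.
_NAME = r"([a-z0-9][a-z0-9._-]{1,61}[a-z0-9])"
BUCKET_PATTERNS = [
    re.compile(r"gs://" + _NAME),                                # gs:// URI
    re.compile(r"https?://storage\.googleapis\.com/" + _NAME),   # path-style URL
    re.compile(r"https?://" + _NAME + r"\.storage\.googleapis\.com"),  # host-style URL
]

def find_bucket_refs(files):
    """Map bucket name -> [(path, line number), ...] for every reference found."""
    refs = defaultdict(list)
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pattern in BUCKET_PATTERNS:
                for name in pattern.findall(line):
                    refs[name].append((path, lineno))
    return dict(refs)

def dangling_refs(files, owned_buckets):
    """References to buckets that are not in the inventory of buckets you own."""
    owned = {b.lower() for b in owned_buckets}
    return {name: locs for name, locs in find_bucket_refs(files).items()
            if name not in owned}

# Constructed sample input: a small code base and the bucket inventory
# (in practice, the list of buckets that exist in your own projects).
SAMPLE_FILES = {
    "deploy/site.yaml": (
        "assets_url: https://storage.googleapis.com/acme-web-assets/css/site.css\n"
        "backup: gs://acme-backups-eu/daily/\n"
    ),
    "web/index.html": (
        '<script src="https://acme-legacy-cdn.storage.googleapis.com/app.js"></script>\n'
    ),
    "scripts/sync.sh": (
        "gsutil rsync -r ./out gs://acme-web-assets/\n"
        "curl -O https://storage.googleapis.com/acme-old-installers/setup.bin\n"
    ),
}
OWNED = {"acme-web-assets", "acme-backups-eu"}

if __name__ == "__main__":
    for bucket, locations in sorted(dangling_refs(SAMPLE_FILES, OWNED).items()):
        for path, lineno in locations:
            print(f"{bucket}: referenced at {path}:{lineno} but not in inventory")
```

Each hit is a reference to remove or repoint; a script or installer still loaded from a bucket you no longer control is the highest priority.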
What is Still Unknown
Some information remains publicly unconfirmed.
The main one is the exact scale of the incident.
Although headlines mention billions of accounts, the company did not provide numbers, and the described data pertains to business contacts, not personal mailboxes.
There is also no detail on how many vishing calls were detected or on the success rate of these attempts.
