
Sometimes, the most devastating hacks don’t require advanced code or zero-day exploits—just a well-placed phone call. In June 2025, one of the most powerful tech companies on Earth, Google, fell victim to an old-school social engineering scam. The result? Personal and business contact data tied to an estimated 2.5 billion Gmail accounts was exposed.
What makes this breach truly disturbing isn’t just the number—it’s the simplicity of the method. A scammer called a Google employee, impersonated IT support, and convinced them to approve a fake app. That single moment of misplaced trust unlocked access to an enormous Salesforce database. From there, the attackers exfiltrated millions of records—possibly more.
This article breaks down exactly how it happened, why it matters even though passwords weren’t stolen, and what every business can learn from Google’s very human mistake.
How the Breach Happened
At the center of this attack is a well-known threat actor group called ShinyHunters. Over the last several years, they’ve built a reputation for targeting corporate systems through weak links in cloud infrastructure. This time, their weapon of choice was a Salesforce feature—and the human tendency to trust voices on the phone.
The attack began with a tactic called vishing (voice phishing). A Google employee received a phone call from someone pretending to be part of Google’s internal IT team. The caller asked them to install what appeared to be a standard Salesforce “connected app”—a tool that employees use to move data in and out of Salesforce platforms. It was disguised to look like Salesforce’s legitimate Data Loader app.
Once approved, the app granted the attackers access to a Salesforce instance Google used to store contact and engagement records for small- and medium-sized business advertisers. These records included company names, contact emails, phone numbers, account notes, and related metadata.
It wasn’t long before Google’s own threat team realized something was wrong and cut off the app’s access. But by then, the data had already been exfiltrated.
What Was Exposed
While it’s true that no passwords or credit card numbers were stolen, the nature of the exposed data makes this breach deeply problematic.
The attackers gained access to:
- Email addresses (many linked to Gmail accounts)
- Phone numbers (including mobile numbers)
- Business and organization names
- Internal notes and contact context used for marketing or account support
The affected dataset included an estimated 2.5 billion records. Some sources dispute whether this means 2.5 billion unique users or simply 2.5 billion total contact entries—potentially with duplicates. Still, the scale is jaw-dropping.
This kind of data is a goldmine for scammers, especially those running phishing and impersonation schemes.
ShinyHunters: The Group Behind the Hack
ShinyHunters is not new to the cybercrime world. They’ve been linked to attacks on brands like Ticketmaster, Adidas, and even multiple insurance and retail firms. Their style is opportunistic, scalable, and increasingly reliant on social engineering over technical exploits.
In this case, the attackers exploited Salesforce’s flexibility. By getting their fake app approved as a connected tool, they didn’t have to break in—they were invited in. It’s the same as sending someone a fake contractor badge and watching them walk through the front door.
Some reports say ShinyHunters demanded a ransom after the breach. One claimed they asked for the Bitcoin equivalent of $2.3 million. Whether or not Google responded is unclear.
Why This Breach Still Matters Without Passwords
You might think: “No passwords? No credit cards? So what?” But this breach shows how damaging data leaks can be—even when the data appears low-risk on the surface.
Here’s why it’s dangerous:
Identity and Impersonation Threats
The stolen records can be used to impersonate legitimate business representatives. Attackers can mimic salespeople, account managers, or even customer support agents—especially because they now have access to internal notes and contact history.
Tailored Phishing and Vishing
With real names, job titles, and communication history, attackers can craft targeted emails, texts, and calls that feel authentic. People are far more likely to fall for a scam if the message mentions something specific to their business or past conversations.
Supply Chain Risk
If your organization has interacted with Google Ads or Gmail for Business, your company’s contact details may be among those compromised. That puts not just your team at risk, but also your customers and partners.
Signal to Other Hackers
Finally, a successful breach at Google sets a dangerous precedent. If one of the world’s most secure companies can be phished, anyone can. This success will almost certainly inspire copycat attacks.
Timeline of the Breach
- June 2025: ShinyHunters uses voice phishing to trick a Google employee into installing a fake Salesforce app.
- Shortly After: Google’s security team identifies suspicious access and cuts it off.
- Early August 2025: Google publicly confirms the breach after internal investigations.
- Mid-August 2025: News spreads rapidly as scam calls, phishing attempts, and impersonation attacks rise globally.
- Late August 2025: Google issues security guidance, and Salesforce urges customers to audit their connected apps.
How Salesforce Played a Role
While the breach did not originate from Salesforce itself, the platform’s features were central to the attackers’ success. Salesforce’s “connected app” functionality is designed to make it easy to integrate with other systems—but that flexibility comes with risk.
Salesforce apps can be granted extensive permissions, including full access to user data and the ability to export contacts in bulk. If an unauthorized app is approved—even briefly—it can do significant damage.
This incident has prompted Salesforce to issue security recommendations to all enterprise users. Among their tips:
- Review connected apps regularly
- Restrict which apps can be installed without admin review
- Enable IP whitelisting for Salesforce access
- Use two-factor authentication for admin actions
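A connected-app review can be scripted. The sketch below is an added example, not code from Salesforce or from the sources cited here: it checks an inventory of authorised apps against an admin-approved allowlist and flags the pattern seen in this breach, an app that carries a trusted name such as Data Loader under an unapproved client identifier. The CSV columns, identifiers and accounts are constructed for illustration.

```python
import csv
import io

# Constructed inventory of OAuth-authorised apps. The column names are assumptions
# for this example, not a Salesforce export format.
INVENTORY_CSV = """app_name,client_id,authorized_by,scopes
Data Loader,APPROVED-ID-0001,alice@example.com,api refresh_token
My Ticket Portal,APPROVED-ID-0002,bob@example.com,api
Data Loader,UNKNOWN-ID-9999,carol@example.com,full refresh_token
Calendar Sync,UNKNOWN-ID-7777,dave@example.com,api
"""

# Admin-reviewed allowlist: client identifier -> (expected display name, permitted scopes).
ALLOWLIST = {
    "APPROVED-ID-0001": ("Data Loader", {"api", "refresh_token"}),
    "APPROVED-ID-0002": ("My Ticket Portal", {"api"}),
}

def normalise(name):
    """Fold case and drop punctuation so 'Data-Loader' and 'data loader' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def audit(inventory_csv, allowlist):
    """Return a list of (client_id, authorized_by, reason) findings."""
    trusted_names = {normalise(name) for name, _ in allowlist.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        cid, user = row["client_id"], row["authorized_by"]
        entry = allowlist.get(cid)
        if entry is None:
            # A display name is attacker-controlled; only the identifier is trusted.
            if normalise(row["app_name"]) in trusted_names:
                reason = "lookalike: trusted name, unapproved client id"
            else:
                reason = "unapproved app"
            findings.append((cid, user, reason))
            continue
        extra = set(row["scopes"].split()) - entry[1]
        if extra:  # approved app holding more access than was reviewed
            findings.append((cid, user, "scope creep: " + " ".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY_CSV, ALLOWLIST):
        print(finding)
```
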
Lessons for Businesses and Teams
There is a lot you can do to help your employees and your company prevent breaches like this. Find tips for preventing data loss here, and read up on engaging your employees in our previous blog post here. Specific to this breach, here are some more ideas:
1. Train Employees Against Voice Phishing
This is arguably the most important takeaway. Every employee should be trained to spot suspicious calls. Internal IT staff should have specific, verifiable procedures for contacting users.
2. Audit Your Connected Apps
Whether you use Salesforce, Google Workspace, or any other SaaS platform, conduct a quarterly audit of what apps have access—and what permissions they hold.
3. Use IP Restrictions and Admin Approvals
Limit which IP addresses can connect to your CRM, and require admin approval for any connected apps—no exceptions.
4. Monitor Data Exports
Enable alerts for large data exports or unusual login activity. Many companies don’t realize they’ve been breached until it’s too late.
5. Accept That No One Is Immune
This is not just a Google problem. The moment you think your organization is too secure to be phished, you become the most vulnerable.
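The export alerting described under "Monitor Data Exports" can start as a sliding-window volume check per user and client app. This is an added example, not tooling from Google or Salesforce; the log line format, the 30-minute window and the 100,000-row threshold are assumptions, the sample events are constructed, and events are assumed to arrive in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed export events: ISO timestamp, user, client app, rows returned.
# The line format is an assumption for this example, not a real CRM log schema.
SAMPLE_LOG = """\
2025-06-10T09:00:00 alice@example.com reporting-tool 1200
2025-06-10T09:20:00 alice@example.com reporting-tool 900
2025-06-10T13:00:00 carol@example.com unknown-loader 40000
2025-06-10T13:05:00 carol@example.com unknown-loader 45000
2025-06-10T13:10:00 carol@example.com unknown-loader 50000
2025-06-10T18:00:00 alice@example.com reporting-tool 1500
"""

def detect_bulk_exports(log_text, window=timedelta(minutes=30), max_rows=100_000):
    """Alert when one (user, app) pair exports more than max_rows within the window."""
    recent = defaultdict(deque)  # (user, app) -> (timestamp, rows) events still in window
    totals = defaultdict(int)    # running row count for each pair's window
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue             # skip malformed lines rather than crash the monitor
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        key, rows = (parts[1], parts[2]), int(parts[3])
        events = recent[key]
        events.append((ts, rows))
        totals[key] += rows
        while ts - events[0][0] > window:  # expire events older than the window
            totals[key] -= events.popleft()[1]
        if totals[key] > max_rows:
            alerts.append((parts[0], key[0], key[1], totals[key]))
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_LOG):
        print(alert)
```

In practice the threshold would be set per role from historical export volumes rather than as one fixed number.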
Final Thoughts
The Google–Salesforce breach is a clear example of how cybersecurity often hinges more on human judgment than technological defenses. Despite Google’s world-class security infrastructure, one call from a convincing scammer was all it took to expose billions of contact records.
While the breach did not involve passwords or direct financial data, it opens the door to an avalanche of follow-up attacks. It’s a harsh reminder that in cybersecurity, vigilance is not a policy—it’s a habit.
The solution doesn’t lie in paranoia, but in preparation. Train your teams, audit your tools, and respect the reality that even the most well-defended systems can be breached through something as simple as a phone call.
Sources
News.com.au – 2.5 Billion Gmail Accounts Exposed as Massive Hack Uncovered
https://www.news.com.au/technology/online/hacking/25-billion-gmail-accounts-exposed-as-massive-hack-uncovered/news-story/dcbeecf4779b436ad9d7dd732968f457
ITPro – Google Cyber Researchers Were Tracking ShinyHunters, Then Realized They’d Fallen Victim
https://www.itpro.com/security/cyber-attacks/google-cyber-researchers-were-tracking-the-shinyhunters-groups-salesforce-attacks-then-realized-theyd-fallen-victim
Tom’s Guide – Over 2 Billion Gmail Users at Risk Following Database Hack
https://www.tomsguide.com/computing/online-security/over-2-billion-gmail-users-at-risk-following-database-hack-what-you-need-to-know
Google Cloud Blog – Voice Phishing and Data Extortion Campaigns
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Salesforce Ben – Salesforce Forced to Issue Data Theft Warning
https://www.salesforceben.com/salesforce-forced-to-issue-data-theft-warning-as-google-confirms-it-is-among-victims