Google has confirmed a major security incident that has placed about 2.5 billion Gmail users all over the world at risk. Infamous hacking group ShinyHunters made their way into Google’s Salesforce database in June 2025 by luring a Google employee into revealing their login credentials through a well-engineered social engineering attack.
Even though, according to Google, user passwords had not been targeted directly through the breach, cybersecurity experts warn that, since the breach, the compromised information has been weaponized into full-blown phishing and vishing campaigns. The information stolen- business files containing customer contact details, company names, and other basic details about businesses that criminals use to impersonate Google employees.
How scammers are exploiting the breach
Gmail users are reporting a surge in suspicious phone calls from scammers using 650 area code numbers (California), claiming to be Google support representatives. These fraudulent calls typically follow a predictable pattern: the caller alerts users about alleged suspicious activity on their Gmail account and then attempts to trick them into resetting their passwords or sharing verification codes.
Cybersecurity expert James Knight warns that “If you do get a text message or a voice message from Google, don’t trust it’s from Google. Nine times out of ten, it’s likely not“. Google will never call you unprompted to warn about security issues with your account.
Beyond phone calls, users are also receiving convincing phishing emails that appear to come from Google, asking for password resets or account verification. The emails often use urgent language to pressure victims into acting quickly, enabling them to carry out the complete takeover of the account.
Essential password security steps to protect yourself
1. Change your password immediately
If you have not updated the password of your Gmail account this year, do it without delay. One confidential Google survey revealed that only 36% of users frequently change their passwords, leaving the majority vulnerable to attack. An ideal password must be:
- It should be above 16 characters
- It should contain a combination of uppercase letters, lowercase letters, numbers, and symbols
- It should be totally unique to your Gmail account-never share a password among different services.
2. Use a dedicated password manager
Use a dedicated password manager like Bitwarden, 1Password, or LastPass to generate and securely store your new password instead of depending on browser-based password storage. They can create highly complex passwords that are impossible to guess or crack through brute force attacks.
3. Enable Two-Factor Authentication (2FA)
Two-factor authentication is important for the security of Gmail. It provides a significant second layer of defense to protect much better against unauthorized access to your account, even if criminals have stolen your password.
To set up 2FA on Gmail:
- Go to your Google Account security settings.
- Click on “2-Step Verification”.
- Follow the setup instructions to add your phone number or authenticator app.
Try to avoid SMS-based 2FA, which could be compromised by SIM-swapping attacks, and instead adopt authenticator apps like Google Authenticator, Authy, or hardware security keys for maximum protection.
4. Set up passkeys for enhanced security
Google recommends passkeys as the most secure method of authentication. Passkeys are tougher to bypass than traditional passwords, thereby providing a more secure sign-in experience. When presented with any sign-in window that asks for a password on a device that has a passkey, suspect fraud.
5. Complete the Google security checkup
Using Google’s Security Checkup tool is free and serves to identify vulnerabilities in your account. This automated assessment highlights your weak points and offers personalized recommendations for bolstering your account security.
Review trusted devices and Google advanced protection features
Keep, on a regular basis, the list of devices that have access to your Gmail account and remove any which you fail to recognize. Check third-party apps that have access to your Google account and revoke permissions for services you no longer use.
For maximum security, Google offers a free Advanced Protection Program for high-risk individuals such as journalists and activists. This program mandates compliance with strict security requirements, including compulsory 2FA and augmented protection against harmful downloads.
Absorb these salient security principles:
- Never will Google call you to discuss security matters.
- Never click any link in Google emails; go to your Google account instead.
- Beware of any urgent requests to reset your password or verify your account.
- If you receive questionable communications, confirm them by directly logging into your Google account using the official website.
The ShinyHunters breach presents an enormous threat for Gmail users everywhere, but the motility of security precautions can hinder user chances of falling prey to related scams. Users should protect themselves by way of strong unique passwords, including strong two-factor authentication, and awareness of various scams targeting their Gmail result.
Time is the essence-hackers do not sleep, and they are actively exploiting this breach, thus emphasizing the importance of updating passwords and enhancing Gmail security right away for all its users.
Read more: How much do I win if I have 1, 2, or 3 Powerball numbers?
