2.5 Billion Gmail Users at Risk: Google Confirms Salesforce Breach by ShinyHunters

Google warns Gmail users after a Salesforce breach by ShinyHunters fuels phishing and vishing. No passwords were leaked, but attackers are bypassing 2FA through OAuth consent flows and stolen verification codes.

 


Breaking News Summary

  • Google acknowledged a breach of a corporate Salesforce database after the ShinyHunters group socially engineered access. The exposed business contact data is being used to supercharge phishing and vishing against up to 2.5 billion Gmail and Workspace users; no passwords were taken, but attackers are impersonating Google to harvest verification codes and force credential resets.

  • Security teams are tracking a surge in Gmail‑themed phishing plus phone‑based vishing aimed at bypassing 2FA, with reports that ShinyHunters are preparing further leaks and extortion, and that their Salesforce campaigns may overlap with TTPs historically attributed to Scattered Spider.

How the Breach Fueled Phishing

  • Data exposed: company names, emails, phone numbers, and SMB account notes from a Salesforce instance—enough to craft convincing support‑style lures at scale that reference real org details without needing passwords.

  • Lure mechanics: attackers call or text as “Google Support,” trigger urgent password resets, then capture OTPs or passcodes; email lures send victims to fake Google pages or OAuth consent screens.

Vishing and 2FA Bypass Techniques

  • Voice phishing flow: an operator calls claiming an account review or policy violation, then walks the user through reading back a Google verification code or approving a login prompt; SIM‑swap and call‑forwarding abuse may be used against high‑value targets.

  • OAuth token theft: helpdesk‑style calls steer victims to “connect an app / enter code” flows; a trojanized app harvests OAuth tokens, sidestepping OTP‑based 2FA. Tokens then enable API data pulls and mailbox access until revoked.

Advanced Gmail Security Configuration

  • Strong auth: move prioritized accounts to passkeys or hardware security keys and enroll them in Google’s Advanced Protection Program to eliminate OTP replay risk; require re‑enrollment for any at‑risk admins.

  • Hardened Gmail controls (Workspace): enable enhanced phishing/malware protection, block suspicious links/attachments, and enforce external sender tagging; set high‑confidence spoofing defenses and DMARC alignment for corporate domains.

  • OAuth hygiene: restrict third‑party app access to verified apps; audit existing OAuth grants and revoke unused or suspicious tokens organization‑wide.
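The DMARC bullet above is the one most teams get half right: a record exists, but it is set to monitor only or leaves alignment relaxed. The following is an added example, not code from the original post or from Google, that parses a DMARC TXT record and lists the weak settings a reviewer would flag. The two records are constructed for illustration; the tag names and the default of `sp` inheriting `p` follow RFC 7489.

```python
# Added example: assess a DMARC TXT record for weak settings.
# WEAK_RECORD and HARDENED_RECORD are constructed samples, not real domains' records.

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com"
)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of human-readable findings; an empty list means no weaknesses found."""
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1 tag; receivers will ignore the record")

    policy = tags.get("p")
    if policy is None:
        findings.append("no p= policy tag; the record is invalid without one")
    elif policy == "none":
        findings.append("p=none only monitors; mail that fails DMARC is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")

    # sp= (subdomain policy) defaults to the p= value when absent.
    sub_policy = tags.get("sp", policy)
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected although the apex is enforced")

    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: {100 - pct}% of failing mail bypasses the policy")

    # Relaxed alignment (the default) lets any subdomain's DKIM/SPF domain align.
    if tags.get("adkim", "r") != "s":
        findings.append("adkim relaxed: set adkim=s so only an exact DKIM domain aligns")
    if tags.get("aspf", "r") != "s":
        findings.append("aspf relaxed: set aspf=s so only an exact SPF domain aligns")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to tune the policy with")

    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"[{label}] {record}")
        for finding in assess_dmarc(record) or ["no findings"]:
            print("   -", finding)
```

Run it against your own domain's TXT record (`dig TXT _dmarc.yourdomain.example`) and treat every finding as a ticket; strict alignment can break legitimate mail sent from subdomains, so confirm with aggregate reports before flipping `adkim`/`aspf` to `s`.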

Detection and Response Playbook

  • Indicators to watch: spikes in Google prompt/OTP challenges, password reset requests, new device sign‑ins, and OAuth token grants; correlate them with calls or texts referencing “Google Support.”

  • SOC actions: quarantine suspicious emails at the gateway, block lookalike domains (e.g., keyword‑salesforce[.]com, company‑my‑salesforce[.]com), and enable alerting for OAuth client consent anomalies.

  • User comms: push a plain‑language advisory—Google never asks for codes via call or SMS; instruct users to navigate directly to account.google.com/security for checks, never to links sent by callers.
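To turn the indicators above into something a SOC can run, here is an added example (not from the original post and not a Google API) that applies three rules to a batch of audit events: an OAuth grant of a mailbox scope to a client that is not on the approved list, a burst of 2SV challenges against one user, and a password reset followed shortly by a sign‑in from a new device. The event records, field names and client IDs are constructed for the example; the Gmail scope URIs are real, everything else is an assumption you would map onto your own audit export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a Workspace-style audit shape; not real log records.
# Field names ("ts", "user", "type", ...) are an assumption for this example.
EVENTS = [
    {"ts": "2025-08-26T09:00:00", "user": "cfo@example.com", "type": "2sv_challenge"},
    {"ts": "2025-08-26T09:02:00", "user": "cfo@example.com", "type": "2sv_challenge"},
    {"ts": "2025-08-26T09:04:00", "user": "cfo@example.com", "type": "2sv_challenge"},
    {"ts": "2025-08-26T09:06:00", "user": "cfo@example.com", "type": "password_reset"},
    {"ts": "2025-08-26T09:09:00", "user": "cfo@example.com", "type": "new_device_login",
     "ip": "203.0.113.7"},
    {"ts": "2025-08-26T09:10:00", "user": "cfo@example.com", "type": "oauth_grant",
     "client_id": "unknown-helper-app.example", "scopes": ["https://mail.google.com/"]},
    {"ts": "2025-08-26T10:00:00", "user": "dev@example.com", "type": "oauth_grant",
     "client_id": "approved-calendar-sync.example",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"ts": "2025-08-26T11:00:00", "user": "dev@example.com", "type": "2sv_challenge"},
]

# OAuth client IDs the organisation has reviewed and approved (constructed allowlist).
APPROVED_CLIENTS = {"approved-calendar-sync.example"}

# Scopes that hand over mailbox access; granted to an unapproved client they
# match the "trojanized app harvests OAuth tokens" pattern described above.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect(events, approved_clients=APPROVED_CLIENTS, challenge_threshold=3,
           challenge_window=timedelta(minutes=10),
           reset_to_login_window=timedelta(minutes=30)):
    """Return (user, rule, detail) alerts for the three vishing indicators."""
    alerts = []
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[event["user"]].append(event)

    for user, evs in by_user.items():
        # Rule 1: sensitive scope granted to a client outside the allowlist.
        for e in evs:
            if (e["type"] == "oauth_grant" and e["client_id"] not in approved_clients
                    and SENSITIVE_SCOPES & set(e["scopes"])):
                alerts.append((user, "oauth_unapproved_sensitive", e["client_id"]))

        # Rule 2: N or more 2SV challenges inside one sliding window
        # (an operator repeatedly triggering prompts while on the phone).
        challenges = [parse_ts(e["ts"]) for e in evs if e["type"] == "2sv_challenge"]
        for i in range(len(challenges)):
            j = i
            while j < len(challenges) and challenges[j] - challenges[i] <= challenge_window:
                j += 1
            if j - i >= challenge_threshold:
                alerts.append((user, "2sv_challenge_burst", j - i))
                break

        # Rule 3: password reset followed by a new-device login within the window.
        resets = [parse_ts(e["ts"]) for e in evs if e["type"] == "password_reset"]
        logins = [e for e in evs if e["type"] == "new_device_login"]
        for reset_time in resets:
            for login in logins:
                delta = parse_ts(login["ts"]) - reset_time
                if timedelta(0) <= delta <= reset_to_login_window:
                    alerts.append((user, "reset_then_new_device", login.get("ip", "?")))

    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(EVENTS):
        print(f"ALERT {rule:28} user={user} detail={detail}")
```

The thresholds are starting points, not tuned values: lower the challenge burst count for executives and admins, and feed the `oauth_unapproved_sensitive` alerts straight into the token‑revocation step from the recovery guidance further down.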

Enterprise Measures for Salesforce‑Linked Risk

  • CRM access review: enforce SSO/MFA for Salesforce, require step‑up with passkeys for admin tasks, and limit Data Loader/API tokens; monitor for mass exports and unusual IP/ASN patterns.

  • Domain monitoring: block and watch newly registered Salesforce‑themed phishing domains and Gmail/Google lookalikes; sinkhole them or preemptively warn users on matches.

  • Supplier assurance: validate that partners handling Google/Salesforce data have anti‑vishing training, callback verification policies, and OAuth/client app approval workflows.
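Both the SOC actions in the playbook above (block lookalike domains such as keyword‑salesforce[.]com) and the domain monitoring bullet here need the same thing: a way to triage a feed of new domains into legitimate, lookalike and unrelated. This added example, not code from the original post, does that with a brand keyword list, a set of legitimate apex domains, defang handling for `[.]` notation and a small homoglyph map. The domain samples are constructed; the apex extraction takes the last two labels, which is a simplification you would replace with a public suffix list in production.

```python
import re

# Legitimate apex domains for the brands being impersonated (constructed list; extend it).
LEGIT_APEX = {
    "salesforce.com", "force.com",
    "google.com", "gmail.com", "googleusercontent.com", "googleapis.com",
}

# Brand keywords that should never appear in a domain we do not own.
BRAND_KEYWORDS = ("salesforce", "google", "gmail")

# Common digit-for-letter substitutions seen in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def refang(domain):
    """Normalise case and undo the [.] / (.) defanging used in IOC write-ups."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def apex(domain):
    # Simplified: last two labels. Assumption for the example; use a public
    # suffix list for real TLDs like .co.uk.
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def classify(domain):
    """Return 'legitimate', 'unrelated', or 'lookalike:<keywords>'."""
    d = refang(domain)
    if apex(d) in LEGIT_APEX:
        return "legitimate"
    # Strip separators so "my-sales-force" and "sales.force" still match,
    # then fold homoglyphs so "g00gle" reads as "google".
    normalized = re.sub(r"[-_.]", "", d).translate(HOMOGLYPHS)
    hits = [k for k in BRAND_KEYWORDS if k in normalized]
    return "lookalike:" + ",".join(hits) if hits else "unrelated"


def triage(domains):
    """Return (domain, verdict) pairs for every domain that looks like a brand impersonation."""
    return [(d, classify(d)) for d in domains if classify(d).startswith("lookalike:")]


# Constructed sample feed: the two defanged examples from the post plus filler.
SAMPLE_FEED = [
    "login.salesforce.com",
    "keyword-salesforce[.]com",
    "company-my-salesforce[.]com",
    "g00gle-support[.]com",
    "accounts.google.com",
    "example.com",
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FEED):
        print(f"BLOCK {refang(domain):35} {verdict}")
```

Feed the output into your web proxy or DNS sinkhole blocklist, but keep a human review step: keyword matching will also catch partner sites that legitimately mention Salesforce or Google in their domain names.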

Voice Phishing Detection Guide (for users and helpdesks)

  • Red flags: unsolicited calls about password resets, demands for codes, urgency or threats, and caller IDs spoofing “Google.” Hang up and call back using a known, official number.

  • Verification: never share 2FA codes or approve prompts for a session you did not start; confirm that any support ticket exists in the admin console before acting.

  • Recovery: if a code was shared or a prompt approved, immediately revoke sessions and tokens, reset the password, rotate backup codes, and review account recovery info.

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!