Gmail Users Under Siege: ShinyHunters Weaponize Salesforce Breach for 2.5B‑User Phishing Blitz

ShinyHunters abused a Google Salesforce app to steal contact data—now fueling Gmail phishing at 2.5B scale. What happened and how to lock down account
[Image: A laptop screen showing a spoofed "Google security alert" in a Gmail inbox, with a phone nearby showing an incoming "Support" call from a 650-area code. A red banner warns of vishing or phishing.]


Google confirmed that a ShinyHunters-linked campaign abused access to a Google Salesforce environment via voice‑phishing and a malicious connected app, exposing business contact data now weaponized for large‑scale Gmail phishing/vishing; while passwords were not leaked, Google issued broad guidance urging password changes, passkeys/MFA, and heightened vigilance for all 2.5B Gmail users.

What happened

  • The breach: A threat cluster tracked by Google Threat Intelligence (UNC6040) used vishing to trick an employee into authorizing a malicious Salesforce connected app (a tampered “Data Loader”), enabling export of contact details and related notes from a Google Salesforce tenant. No Gmail passwords were exfiltrated, but contact data fuels convincing phishing and support‑impersonation calls. [cloud.google]

  • ShinyHunters link: Extortion communications and public reporting tie the campaign’s pressure tactics and branding to ShinyHunters; some actors claim affiliation to amplify intimidation. [news.trendmicro +1]

Why 2.5B Gmail users are targeted

  • Scale and surface: With roughly 2.5B Gmail accounts, criminals can blend targeted details from the Salesforce data with wide‑net phishing, leading to OTP theft, password resets via vishing, and account takeovers. Media and vendor advisories warn users to harden accounts now. [tomsguide +2]

  • Active abuse: Users report surges in spoofed “Google support” calls (often from 650 area codes), “suspicious sign‑in prevented” lures, and refund/security scare tactics engineered for code/password capture. [mashable +1]

Attack playbook

  • Vishing entry: The caller poses as IT/support to coerce OAuth approval of a malicious Salesforce app, granting API data access without exploiting any Salesforce vulnerability. [cloud.google]

  • Phishing at scale: Business names, contact roles, and notes are used to craft high‑credibility Gmail lures; the actors then pivot to phone/SMS to pressure users into divulging 2SV codes or resetting passwords on attacker‑controlled pages. [gulfnews +1]

Google’s guidance and status

  • No password leak: Google says core systems and passwords weren’t breached; the risk is social engineering and credential interception post‑breach. [tomsguide]

  • User actions urged: Change passwords, enable 2‑step verification or passkeys, run Security Checkup, and scrutinize “Google support” messages and calls; emails were sent to potentially impacted users. [gulfnews +1]

What to do now

  • Harden sign‑in

    • Turn on passkeys or 2‑step verification; rotate weak/reused passwords; review recovery email/phone. [tomsguide +1]

    • Run Google Security Checkup to revoke suspicious third‑party access and log out unknown devices/sessions. [mashable]

  • Stop vishing/phishing

    • Do not read out codes to callers or click links sent during calls; verify security alerts directly at myaccount.google.com or the Gmail app’s Security section. [gulfnews +1]

  • Watch for red flags

    • Calls “from Google” asking to reset passwords, OTP code requests, or urgent refund/security notices; emails claiming “suspicious sign‑in prevented” that link to non‑google.com domains. [mashable +1]

Enterprise guidance

  • Salesforce hardening

    • Enforce OAuth app allowlists; require admin approval and least‑privilege scopes; monitor “connected apps” changes; block modified Data Loader clones. [cloud.google]

  • Anti‑vishing controls

    • Train staff on voice‑phishing; require ticket IDs and call‑back verification; monitor for mass contact exports and anomalous API queries. [cloud.google]

  • Incident process

    • If contacts were exposed, notify customers of targeted phishing risk; provide verified support channels and clear instructions to handle “Google support” impostors. [news.trendmicro +1]
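A detection sketch for the two monitoring points above (unapproved connected-app authorizations, and mass Contact exports shortly after a new app is granted). This is an added example, not code from Google, Salesforce or the original post; the event records are constructed and use a simplified schema, not Salesforce's real Event Monitoring fields, so map the field names to your own log source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema (assumption: your SIEM
# normalizes connected-app grants and API queries into records like these).
EVENTS = [
    {"ts": "2025-08-05T09:00:00", "user": "sales.rep", "type": "app_authorized",
     "app": "Data Loader", "client_id": "dl-official"},
    {"ts": "2025-08-05T09:01:00", "user": "sales.rep", "type": "app_authorized",
     "app": "My Ticket Portal", "client_id": "unknown-7f3a"},
    {"ts": "2025-08-05T09:03:00", "user": "sales.rep", "type": "api_query",
     "client_id": "unknown-7f3a", "object": "Contact", "rows": 40000},
    {"ts": "2025-08-05T09:04:00", "user": "sales.rep", "type": "api_query",
     "client_id": "unknown-7f3a", "object": "Contact", "rows": 35000},
    {"ts": "2025-08-05T10:30:00", "user": "ops.bot", "type": "api_query",
     "client_id": "dl-official", "object": "Contact", "rows": 200},
]
APP_ALLOWLIST = {"dl-official"}  # approved connected-app client IDs (assumption)
EXPORT_THRESHOLD = 50_000        # Contact rows per user per window (tunable)
WINDOW = timedelta(hours=1)

def detect(events, allowlist=APP_ALLOWLIST, threshold=EXPORT_THRESHOLD, window=WINDOW):
    """Return (alert_type, user, detail) tuples for the constructed event stream."""
    alerts = []
    grants = {}                   # client_id -> (user, authorization time)
    exports = defaultdict(list)   # user -> [(time, rows exported)]
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "app_authorized":
            grants[e["client_id"]] = (e["user"], t)
            # Any grant to a client ID outside the allowlist is worth a ticket:
            # a renamed or tampered Data Loader clone will not share the real ID.
            if e["client_id"] not in allowlist:
                alerts.append(("UNAPPROVED_APP", e["user"], e["app"]))
        elif e["type"] == "api_query" and e["object"] == "Contact":
            hist = exports[e["user"]]
            hist.append((t, e["rows"]))
            recent = sum(rows for ts, rows in hist if t - ts <= window)
            if recent > threshold:
                grant = grants.get(e["client_id"])
                fresh = grant is not None and t - grant[1] <= window
                tag = "MASS_EXPORT_AFTER_NEW_APP" if fresh else "MASS_EXPORT"
                alerts.append((tag, e["user"], recent))
                hist.clear()  # do not re-alert on rows already reported
    return alerts
```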

Context and related activity

  • Broader campaign: Reporting links ShinyHunters to other Salesforce‑focused heists against enterprises globally, underscoring the need for connected‑app governance and vishing awareness. [proton +1]

  • Escalation risk: Google warned attackers may set up a data leak site (DLS) to increase pressure, a common extortion tactic to drive clicks and fear. [tomsguide]

Sources

  • Google Threat Intelligence on UNC6040’s Salesforce connected‑app vishing technique and ShinyHunters linkage. [cloud.google]

  • Proton and Trend Micro explain breach mechanics and the phishing surge targeting the Gmail user base. [proton +1]

  • Tom’s Guide, Gulf News, Newsweek, Economic Times on Google’s broad alert to 2.5B users and recommended protections. [newsweek +3]

  • Mashable walkthrough: Security Checkup steps and common scam lures to avoid. [mashable]

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!