Gmail Warning: Critical Security Alert Affects 2.5 Billion Users After Data Breach
Google has issued an urgent Gmail warning to all users following a significant data breach that has put 2.5 billion Gmail accounts at risk. The latest Gmail warning comes after cybercriminals successfully infiltrated Google’s systems through a sophisticated attack targeting the company’s Salesforce database.
Understanding the Latest Gmail Warning
The attack, which began in June 2025, relied on social engineering tactics. According to Google’s Threat Intelligence Group (GTIG), scammers impersonated IT staff during convincing phone calls and persuaded a Google employee to approve a malicious application connected to Salesforce. This Gmail warning highlights the sophisticated nature of modern cyber threats that even tech giants face.
Google’s Threat Intelligence Group revealed that one of its Salesforce database systems, used to store contact information and related notes for small and medium-sized businesses, was breached by a hacking group popularly known as ShinyHunters, formally designated as UNC6040.
What the Gmail Warning Means for Users
The current Gmail warning indicates that while Google’s core systems remain secure, the breach has exposed customer data that could be used for targeted phishing attacks. Google has sounded the alarm with an emergency warning to all Gmail users, urging extra caution amid a growing cyber threat linked to a major third-party breach. While the company stresses that its own systems remain secure, the incident has opened the door for hackers to exploit stolen data.
Google reveals UNC6395 exploited Drift OAuth tokens Aug 8–18, 2025, forcing Salesforce to disable integrations. This development has prompted an additional Gmail warning as the attack methods continue to evolve.
Key Details Behind the Gmail Warning
A group tracked as UNC6395 engaged in “widespread data theft” via compromised OAuth tokens from a third-party app called Salesloft Drift. The breach involved sophisticated voice phishing (vishing) attacks where hackers impersonated IT support staff to gain access to sensitive systems.
The breach dates back to June 2025, when the hacker group ShinyHunters tricked a Google employee through a vishing (voice phishing) attack. This timeline shows how the Gmail warning has been building over several months as the full scope of the attack became clear.
Protecting Yourself After the Gmail Warning
Following this Gmail warning, users should take immediate action to secure their accounts. Google has warned Workspace users that they should change to passkeys after a surge in phishing attacks. Additionally, users should:
- Enable two-factor authentication immediately
- Be extremely cautious of suspicious emails or phone calls
- Verify any unexpected communications through official channels
- Update passwords regularly using strong, unique combinations
- Monitor account activity for unusual behavior
What Google Is Doing
In June, Google warned that a threat actor they classify as ‘UNC6040′ is targeting companies’ employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent publication.
Google continues to work with law enforcement and security partners to address the ongoing threat and has implemented additional security measures to prevent similar breaches.
Conclusion
This latest Gmail warning serves as a critical reminder that even the most secure platforms can be vulnerable to sophisticated social engineering attacks. Users must remain vigilant and take proactive steps to protect their accounts. The breach demonstrates why following security best practices and staying informed about emerging threats is more important than ever in today’s digital landscape.
