Google has confirmed that a cybercriminal group known as ShinyHunters compromised third-party integrations through Salesforce, potentially exposing data tied to an estimated 2.5 billion Gmail and Google Cloud users.
The attack, detailed in a security advisory by Google’s Threat Intelligence Group (GTIG) and Mandiant, began on August 8, 2025. Hackers used stolen OAuth tokens from the Salesloft Drift application to infiltrate Salesforce instances, exfiltrating large amounts of corporate data including user details, case records, and sensitive credentials such as AWS access keys and Snowflake tokens.
What Happened
Investigators said the attackers ran structured queries to pull data from Salesforce objects — from usernames and email addresses to phone numbers and last login dates. Google confirmed that a “very small number” of Google Workspace accounts linked through Drift’s email integration were accessed on August 9. However, the company stressed that Alphabet systems and core Google Workspace accounts were not directly compromised.
On August 20, Salesforce and Salesloft revoked all active Drift tokens and pulled the application from Salesforce’s AppExchange. Google has since revoked compromised OAuth tokens, disabled the Drift integration, and notified administrators of affected accounts.
Industry Fallout
Security researchers say the breach highlights the risks of relying on third-party apps that connect into cloud environments. Attackers increasingly exploit these integrations as weaker entry points into otherwise secure enterprise systems. Salesforce and Salesloft have both issued advisories, and Mandiant has been brought in to assist with the investigation.
How to Protect Your Gmail Account
Google and independent experts urge users to take immediate precautions to safeguard personal Gmail accounts:
- Update Your Password: Create a new, unique password just for Gmail. Cybersecurity experts at AllThingsSecured.com caution against reusing passwords across services such as banking or social media. A password manager can generate and securely store complex logins.
- Enable Two-Factor Authentication (2FA): Add an extra layer of security with Google Prompt or a physical security key. Even if hackers steal your password, they cannot log in without your approval.
- Keep Software Updated: Regularly update Google apps, Android devices, browsers, and operating systems. Security patches often fix vulnerabilities attackers exploit.
- Stay Alert for Phishing Attempts: Be wary of emails, texts, or calls asking for sensitive details. Google warns that criminals often pose as banks, employers, or even relatives to trick users into handing over credentials. Never click suspicious links — instead, verify by contacting the institution directly.
- Watch for Warning Signs: Cybersecurity Insiders says sudden password resets, personal info changes, or spam sent from your account may indicate a breach. Forbes adds that strange financial activity on Google Pay or Play, or unauthorized changes in Google Drive, can also be red flags.
The Bigger Picture
While Google has acted to contain the incident, the scale of the breach underscores how interdependent cloud services have become — and how one weak link in the software supply chain can have global consequences. Experts say organizations and individual users alike must now treat third-party app integrations with caution, carefully review security permissions, and tighten controls around sensitive data.
A global media for the latest news, entertainment, music fashion, and more.
