Google disclosed a data breach involving a **Salesforce database** used internally to manage potential advertisers. The breach was executed by the hacker group **ShinyHunters**, who impersonated an IT help desk employee to deploy malware and extract **business contact information** (e.g., company and customer names). While no **personal Gmail credentials or sensitive consumer data** were exposed, the stolen data fueled a surge in **highly targeted phishing and vishing (voice phishing) attacks**, accounting for **37% of successful account takeovers** across Google platforms. The attackers also compromised **OAuth tokens** for the *Drift Email* integration, prompting Google to revoke access and disable the Salesforce-Gmail connection to prevent further spread. Though the breach was contained to Salesforce and did not directly compromise Google Workspace or Alphabet, the leaked business data enabled **sophisticated social engineering scams**, increasing risks for users. Google advised password updates, non-SMS 2FA, and migration to **passkeys** (biometric authentication) as mitigation. No timeline for further disclosures was provided, but analysts anticipate **ongoing attacks** leveraging the exposed data.
Source: https://www.newsweek.com/google-gmail-data-breach-warning-2122287
TPRM report: https://www.rankiteo.com/company/googlecloudsecurity
{
  "id": "goo21105921090425",
  "linkid": "googlecloudsecurity",
  "type": "Breach",
  "date": "7/2022",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': 'Potential advertisers (business '
'contact data exposed)',
'industry': 'Technology (Cloud Services, Advertising, '
'Email)',
'location': 'Mountain View, California, USA (HQ); '
'Breach Linked to Salesforce Database',
'name': 'Google (Alphabet Inc.)',
'size': '2.5 billion Gmail users (indirectly '
'affected); Google Workspace administrators '
'(directly notified)',
'type': 'Corporation'},
{'industry': 'Customer Relationship Management (CRM)',
'location': 'San Francisco, California, USA',
'name': 'Salesforce (Third-Party Vendor)',
'type': 'Corporation'},
{'industry': 'Sales Engagement Platform',
'name': 'Drift Email (Salesloft Integration)',
'type': 'Software Service'}],
'attack_vector': ['Impersonation (IT Help Desk)',
'Malware Deployment',
'OAuth Token Compromise'],
'customer_advisories': ['Avoid clicking unsolicited email links.',
'Check for login alerts in Gmail.',
'Report phishing attempts via Google’s reporting '
'tools.',
'Consider enrolling in the Advanced Protection '
'Program for high-risk accounts.'],
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'Low (No PII, Passwords, or Financial '
'Data)',
'type_of_data_compromised': ['Business Contact Information '
'(Non-Sensitive)']},
'date_publicly_disclosed': '2025-08-05',
'description': 'Google issued a global security alert advising its 2.5 '
'billion Gmail users to update their passwords following a '
'data breach involving one of its Salesforce databases. While '
'consumer Gmail and Cloud accounts were not directly '
'compromised, the stolen business contact details were used in '
"phishing and 'vishing' (voice phishing) campaigns mimicking "
'legitimate Google communications. The breach was attributed '
'to the hacker group ShinyHunters, who impersonated an IT help '
'desk to deploy malware and extract the database contents. '
"Google revoked compromised OAuth tokens for the 'Drift Email' "
'integration and disabled connections between Gmail and '
'Salesforce services to mitigate risks.',
'impact': {'brand_reputation_impact': ['Increased Phishing Risks for 2.5B '
'Gmail Users',
'Erosion of Trust in Google Workspace '
'Security'],
'data_compromised': ['Business Contact Information (Company Names, '
'Customer Names)'],
'identity_theft_risk': ['Low (No PII or Passwords Compromised)'],
'operational_impact': ['Temporary Suspension of Gmail-Salesforce '
'Integrations',
'Revocation of OAuth Tokens'],
'systems_affected': ['Salesforce Database (Advertiser Management)',
'Drift Email Integration',
'OAuth Tokens']},
'initial_access_broker': {'backdoors_established': ['Malware Deployment on '
'Salesforce Database'],
'entry_point': 'IT Help Desk Impersonation (Social '
'Engineering)',
'high_value_targets': ['Google Workspace OAuth '
'Tokens',
'Drift Email Integration']},
'investigation_status': 'Ongoing (OAuth token revocation and integration '
'suspension pending further analysis)',
'lessons_learned': ['Third-party integrations (e.g., Salesforce, Drift) '
'introduce attack surfaces even for tech giants like '
'Google.',
'Social engineering (e.g., IT help desk impersonation) '
'remains a critical vector for initial access.',
'OAuth token security requires stricter authentication '
'and monitoring.',
'Phishing risks escalate significantly even with '
'non-sensitive data breaches (e.g., business contacts '
'used for convincing scams).'],
'motivation': ['Financial Gain (Phishing/Scams)',
'Data Exfiltration for Resale',
'Disruption'],
'post_incident_analysis': {'corrective_actions': ['Disabled vulnerable '
'integrations (Drift Email) '
'pending security review.',
'Revoked compromised OAuth '
'tokens and enforced '
're-authentication.',
'Accelerated rollout of '
'passkey adoption to reduce '
'password-based risks.',
'Enhanced employee training '
'on social engineering '
'tactics.'],
'root_causes': ['Successful social engineering '
'attack (IT help desk '
'impersonation).',
'Inadequate safeguards for '
'third-party OAuth token '
'integrations (Drift/Salesloft).',
'Lack of real-time monitoring for '
'anomalous database access '
'patterns.']},
'recommendations': ['Replace passwords with passkeys (biometric '
'authentication) for all users.',
'Enable non-SMS two-factor authentication (2FA) across '
'Google Workspace.',
'Enroll high-risk users in Google’s Advanced Protection '
'Program.',
'Monitor for phishing/vishing campaigns leveraging '
'breached business data.',
'Audit and secure third-party integrations (e.g., '
'Salesforce, Drift) with granular OAuth permissions.',
'Conduct regular social engineering drills for employees '
'(e.g., IT help desk impersonation scenarios).'],
'references': [{'date_accessed': '2025-08-28',
'source': 'Newsweek',
'url': 'https://www.newsweek.com/google-gmail-password-update-data-breach-1823456'},
{'date_accessed': '2025-08-05',
'source': 'Google Official Blog',
'url': 'https://blog.google/technology/safety-security/google-security-alert-august-2025/'},
{'date_accessed': '2025-08-28',
'source': 'Google Account Help (Passkeys)',
'url': 'https://support.google.com/accounts/answer/13115501'}],
'response': {'communication_strategy': ['Global Security Alert to 2.5B Gmail '
'Users',
'Official Blog Post (August 5, 2025)',
'Direct Notifications to Workspace '
'Administrators',
'Security Help Resources (Passkey '
'Adoption Guides)'],
'containment_measures': ['Revoked OAuth Tokens for Drift Email '
'Integration',
'Disabled Gmail-Salesloft Drift '
'Connectivity',
'Notified Google Workspace '
'Administrators'],
'enhanced_monitoring': ['Phishing and Vishing Attack Patterns'],
'incident_response_plan_activated': True,
'remediation_measures': ['Password Update Recommendations for '
'Gmail Users',
'Promotion of Passkeys (Biometric '
'Authentication)',
'Enhanced Phishing Detection Filters']},
'stakeholder_advisories': ['Google Workspace administrators notified of '
'breach and mitigation steps.',
'Gmail users advised to update passwords, enable '
'2FA, and adopt passkeys.'],
'threat_actor': 'ShinyHunters',
'title': 'Google Salesforce Database Breach Leading to Phishing and Vishing '
'Attacks',
'type': ['Data Breach', 'Phishing Attack', 'Social Engineering'],
'vulnerability_exploited': ['Human Error (Social Engineering)',
'Weak Authentication for OAuth Tokens',
'Third-Party Integration (Drift Email/Salesloft)']}