Google has issued a global security alert urging its 2.5 billion Gmail users to change passwords after a data breach tied to one of the company’s Salesforce databases.
Though consumer Gmail and Cloud accounts were not directly compromised, the incident has sparked an aggressive wave of phishing and impersonation attacks across the platform.
Why it matters
The exposed database didn’t contain account passwords or sensitive consumer records, but stolen business contact details have already been weaponized in convincing phishing emails and voice-based scams.
Google’s threat research team says phishing and “vishing” now account for roughly 37% of successful account takeovers on its platforms, underscoring how a Salesforce data leak can rapidly amplify Google data breach risk.
How the attackers got in
The actor group identified as ShinyHunters gained access by impersonating an IT help desk to a Google employee and deploying malware to extract the database contents, according to Google’s disclosure.
The breach, publicly disclosed the same day, stemmed from a Salesforce instance Google used to manage potential advertisers, and the company says only a limited set of basic business contact information was exposed.
OAuth tokens and integrations
Google’s investigation confirmed on August 28, 2025, that “the actor also compromised OAuth tokens for the ‘Drift Email’ integration,” and a small number of Workspace email accounts were accessed using those tokens.
In response, Google identified impacted users, revoked the specific OAuth tokens, and disabled the Drift integration pending further investigation.
What Google did next
To limit any lateral spread, Google temporarily suspended connections between Gmail and Salesforce services and isolated the affected integrations while it investigates.
Immediate steps for users
Google recommends updating passwords right away, enabling non-SMS two-factor authentication, and enrolling in its Advanced Protection Program to harden accounts against targeted phishing.
Users should also watch login alerts, enable phishing filters, and avoid clicking unsolicited links or answering suspicious calls or messages.
Why passkeys help
As Google notes, “Unlike passwords, passkeys can only exist on your devices,” making them resistant to remote theft or social-engineering tricks that steal typed credentials.
Switching to passkeys or hardware security keys significantly raises the bar for attackers and complements two-factor protections.
Bottom line
Although consumer Gmail passwords were not leaked, the Salesforce data theft magnifies phishing and impersonation risks for an estimated 2.5 billion users and shows how third-party integrations and OAuth tokens can widen a Google data breach.
The safest move for users today is to update credentials, enable stronger 2FA or passkeys, and consider Advanced Protection to guard against targeted ShinyHunters-style campaigns.