Google database hacked, 2.5 billion Gmail users at risk

Google has confirmed a breach of its Salesforce database system that potentially exposed the data of up to 2.5 billion Gmail users, reported NDTV Profit. The attack, carried out by the notorious hacking group ShinyHunters, raises fresh questions about data security at one of the world’s most influential technology companies.

The hackers targeted Google’s corporate Salesforce instances, which were used to store customer and company contact information, as well as related notes for small and medium-sized businesses. According to the company, while names and basic data were accessed, passwords and authentication credentials were not compromised.

Google linked the intrusion to cybercriminal activity it attributed to a group known as UNC6040. The company said it has contained the breach and taken remedial steps to secure its systems, but did not disclose precisely when the breach took place or how long attackers had access to the data.

In a statement, Google stressed: “General data such as customer and company names were impacted. No passwords or sensitive authentication credentials were exposed.”

Who are ShinyHunters?

The hacking group responsible, ShinyHunters, has gained notoriety for a string of large-scale cyber intrusions in recent years. The collective has previously been linked to breaches at several high-profile firms, including Tokopedia, Microsoft’s GitHub repositories, and database leaks affecting millions of consumer records worldwide.

Cybersecurity analysts say the group is motivated by both financial gain and reputation. Stolen data is often sold on underground forums, increasing the risk that information accessed in the Google breach could be monetised or used for phishing and identity fraud.

With Gmail boasting more than 2.5 billion users globally, concerns quickly spread that the breach could affect ordinary account holders. However, cybersecurity experts caution that while leaked customer and company names are serious, the absence of password data may limit direct risks to accounts.

The breach comes at a sensitive moment for Google, which is already facing heightened scrutiny from regulators and governments over its handling of user data. Privacy advocates argue the incident underscores the need for greater transparency and accountability.

Google has not confirmed whether it intends to notify all potentially impacted users directly. In similar past cases, companies have faced criticism for downplaying the scope of breaches, further eroding public trust.

The incident could draw regulatory scrutiny in multiple jurisdictions, particularly under the European Union’s General Data Protection Regulation (GDPR), which requires firms to report breaches promptly and can impose significant fines for non-compliance.

In the United States, lawmakers have increasingly signalled interest in strengthening data protection laws, citing repeated large-scale cyberattacks. A breach of Google’s scale is likely to intensify those calls.