Overview

• Google acknowledged a June intrusion into a Salesforce-managed database holding business files with customer contact details, stating it does not believe passwords were taken.
• Coverage attributes the attack to UNC6040, linked to the ShinyHunters group, after voice phishing tricked a Google employee into surrendering credentials.
• Criminals are using the leaked contact data to impersonate Google staff via phone calls, texts and emails to solicit login codes or trigger password resets, with some calls appearing from 650 area code numbers.
• Security experts also cite brute-force attempts against exposed Gmail addresses and describe a 'dangling bucket' tactic targeting outdated or orphaned Google Cloud access points.
• Google has not disclosed how many accounts were affected and declined further comment, while experts urge users to enable MFA or passkeys and complete a Google Security Checkup.