Overview

• Google confirmed in August that threat actors using the ShinyHunters brand achieved successful account intrusions by tricking users into revealing passwords or two‑factor codes.
• The company said data taken from one of its corporate Salesforce instances was largely basic business contact information, which attackers are using to impersonate IT or Google staff via calls, emails, and convincing fake sign‑in pages.
• Potentially affected users were notified by email on August 8, and Google urges all Gmail users to change passwords, turn on strong multi‑factor protections such as passkeys or app‑based 2FA, and be wary of unsolicited support contacts.
• Google Threat Intelligence is tracking related activity under UNC6040 and UNC6395 and cautions that the actors may escalate extortion efforts by launching a data‑leak site.
• New advisories reported this week say the activity extended beyond a single integration, with UNC6395 probing customer support tickets and other systems, heightening the risk of targeted phishing despite no consumer passwords being stolen from Google’s systems.