Google warns users after Salesforce breach exposes business information, raising phishing concerns.
Threat actors impersonate Google employees, tricking users into sharing sensitive login details.
Users urged to enable two-factor authentication, use passkeys, and stay vigilant online.
Google has alerted its 2.5 billion Gmail users about a potential security threat linked to a data breach in a third-party Salesforce system earlier this year. The breach, first reported in June, has widened in scope and could expose a large number of accounts to phishing attempts.
Google elaborated that the compromise is not limited to the Salesforce-Drift integration, but also affects other connected systems, making the scope of the issue larger than previously believed. The company has notified all impacted Google Workspace administrators and advised users to beware of suspicious emails and phishing campaigns.
Google Threat Intelligence Group (GTIG), Google’s internal cybersecurity team that monitors, investigates, and responds to threats targeting Google services and users, has identified the threat actor, which it tracks as UNC6395. It found that the threat actor systematically exported large volumes of data from numerous corporate Salesforce instances, scanning customer support tickets and messages and accessing sensitive information such as Amazon Web Services (AWS) access keys, Snowflake-related access tokens and passwords to gain access to other accounts.
While Google has admitted that no passwords were compromised, it did say that users are now at risk of phishing attempts, particularly those who use services like Gmail and Google Cloud. It also warned that the threat actors are now impersonating Google employees, calling or texting users and asking them to reset passwords or give away login codes.
According to Forbes, Google has now issued another warning asking most Gmail users to change their passwords to reduce the risk of unauthorised access. The company has also urged users to enable two-factor authentication and consider using passkeys to secure their accounts.
How Did It Happen?
According to TechRadar, the breach happened when ShinyHunters, one of the most active threat actors, impersonated company staff to trick IT support teams and gain access to Google’s Salesforce instance.
Google has confirmed that the stolen data was limited to basic and largely public business information, such as customer and company names, but not passwords, reported PC World. This means that users of Google services—including Gmail and Google Cloud—are now at risk of falling victim to phishing.
How to Protect Yourself
Google has provided security measures through its official platforms and support pages to help protect users against unauthorised access. These measures include using Google’s Security Checkup to automatically identify security concerns and receive personalised account security recommendations.
Users can also activate Google’s Advanced Protection Program, which adds an extra layer of security by blocking the download of potentially harmful files and restricting non-Google apps from accessing data.
Additionally, adopting passkeys instead of passwords and remaining vigilant against suspicious emails are small but crucial steps to stay protected.