Google has notified approximately 2.5 billion Gmail account holders after its Threat Intelligence Group (GTIG) identified a large-scale intrusion between August 8 and August 18.
Highlights
- Massive Intrusion: 2.5 billion Gmail accounts were affected after hackers exploited compromised OAuth tokens between August 8–18.
- Enterprise Impact: Salesforce’s customer database and Salesloft’s Drift app were targeted, prompting token revocations and app removal.
- Attack Tactics: Hacker groups UNC6395 and ShinyHunters used vishing (fake IT calls + phishing emails) to trick users into sharing credentials.
- User Data at Risk: Leaked contact info is being weaponized for phishing and fake Google alerts, increasing takeover attempts.
- Immediate Actions for Users: Update passwords, enable 2FA, review active sessions, and revoke unnecessary third-party app access.
- OAuth Risks: Once stolen, tokens allow attackers to bypass logins. Weak validation, dangling buckets, and expired cookie reuse worsen the threat.
The attack exploited compromised Open Authorization (OAuth) tokens, which allow third-party applications to access accounts securely.
The incident also affected enterprises. GTIG confirmed that Salesforce’s customer database was targeted after attackers exploited OAuth tokens linked to the Salesloft Drift application.
In response, Salesloft revoked all active tokens connected to Drift, and Salesforce removed the app from its marketplace while investigations continue.
How the Breach Happened
Google’s investigation attributed the attack to hacker groups, including UNC6395 and ShinyHunters (UNC6040). These actors are known for sophisticated tactics such as impersonating IT staff through scam calls and emails, a method known as “vishing.”
By using spoofed phone numbers and convincing phishing messages, attackers tricked users into sharing credentials or authentication codes.
Although passwords were not directly stolen, leaked customer and contact data from Salesforce are being used in targeted phishing and vishing campaigns.
Security researchers have warned that attackers are exploiting Google’s brand to create convincing fake alerts, increasing the risk of account takeovers.
Impact on Users
Google has urged affected Gmail users to take immediate action. Recommended steps include:
- Updating account passwords
- Enabling two-factor authentication (2FA)
- Reviewing devices and active sessions
- Revoking third-party app access where not needed
Security alerts were sent directly to impacted users, advising them to remain vigilant for unusual activity.
Why OAuth Tokens Pose a Risk
OAuth tokens are designed to provide secure access for third-party applications without sharing passwords.
Once compromised, they can be abused to bypass traditional login protections, because the service accepting the token never re-checks the password. In this case, attackers used the compromised tokens to gain unauthorized access, highlighting how integrated services can expand the attack surface for both individuals and enterprises.
Security researchers have previously flagged weaknesses in OAuth, including insufficient validation of parameters that could enable session hijacking. Additionally, risks extend beyond phishing.
Misconfigured Google Cloud storage, often referred to as “dangling buckets,” can provide attackers with pathways for malware injection or data theft.
Past campaigns have even revived expired authentication cookies using undocumented OAuth endpoints, enabling account takeovers despite password resets.
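The behaviour this section describes (a stolen access token keeps working after a password reset, and revoking an application's tokens is what actually cuts it off) and the user-side review of third-party app access from the recommended steps above, as an added Python illustration. This is not code from the original article or from Google, Salesforce or Salesloft; AuthServer, Grant, the app names, scopes and timestamps are all constructed for the example.

```python
"""Toy model of bearer-token access, added as an illustration (not code from
Google, Salesforce or Salesloft). It shows why a stolen OAuth access token
keeps working after a password reset, and which controls actually cut it off:
per-application revocation, token expiry, and a user-side review of grants.
Users, app names, scopes and timestamps are constructed sample data.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    token: str
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class AuthServer:
    """Minimal stand-in for an identity provider plus resource server (hypothetical)."""

    def __init__(self):
        self.passwords = {}  # user -> sha256(password); a toy, not a real KDF
        self.grants = {}     # access token -> Grant

    def set_password(self, user, password):
        self.passwords[user] = hashlib.sha256(password.encode()).hexdigest()

    def login(self, user, password):
        """Interactive login: the only path that consults the password."""
        return self.passwords.get(user) == hashlib.sha256(password.encode()).hexdigest()

    def issue_token(self, user, client_id, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.grants[token] = Grant(token, user, client_id, frozenset(scopes), now + ttl_seconds)
        return token

    def check_token(self, token, required_scope, now=None):
        """Resource-server check for a bearer token: known, unexpired, unrevoked
        and carrying the scope. The password is never consulted, which is why
        rotating it does not stop a stolen token."""
        now = time.time() if now is None else now
        g = self.grants.get(token)
        if g is None or g.revoked or now >= g.expires_at:
            return False
        return required_scope in g.scopes

    def revoke_client(self, client_id):
        """Containment step: invalidate every live token issued to one app.
        Returns the number of tokens revoked."""
        hits = [g for g in self.grants.values() if g.client_id == client_id and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def review_grants(self, user, broad_scopes):
        """User-side review: live grants holding any of the listed broad scopes,
        as (app, sorted scopes) pairs, for the user to revoke where not needed."""
        out = []
        for g in self.grants.values():
            if g.user == user and not g.revoked and g.scopes & frozenset(broad_scopes):
                out.append((g.client_id, sorted(g.scopes)))
        return sorted(out)


def stolen_token_timeline():
    """Walk a leaked token through password reset, app revocation and expiry.
    Returns (works_initially, works_after_reset, works_after_revoke, works_after_expiry)."""
    srv = AuthServer()
    srv.set_password("alice", "old-password")
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    tok = srv.issue_token("alice", "drift-app", {"mail.read"}, ttl_seconds=3600, now=t0)
    # Suppose this token has leaked out of the integration that holds it.
    works_initially = srv.check_token(tok, "mail.read", now=t0 + 10)
    srv.set_password("alice", "new-password")  # password rotation alone
    works_after_reset = srv.check_token(tok, "mail.read", now=t0 + 20)
    srv.revoke_client("drift-app")  # revoke every token issued to the app
    works_after_revoke = srv.check_token(tok, "mail.read", now=t0 + 30)
    # Even without revocation, a short TTL bounds the exposure window:
    srv2 = AuthServer()
    tok2 = srv2.issue_token("alice", "drift-app", {"mail.read"}, ttl_seconds=3600, now=t0)
    works_after_expiry = srv2.check_token(tok2, "mail.read", now=t0 + 3600)
    return works_initially, works_after_reset, works_after_revoke, works_after_expiry


if __name__ == "__main__":
    print(stolen_token_timeline())  # (True, True, False, False)
```

The point of the toy is the `check_token` path: it validates the bearer token against the grant store only, so a password change is invisible to it. That is why the recommended steps pair a password update with revoking unneeded app access, and why the vendors' response was to revoke all tokens tied to the affected app rather than rely on users resetting credentials.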
While Google, Salesforce, and Salesloft acted quickly to contain the immediate threat, the breach underscores broader cybersecurity challenges.