2.5 Billion Users at Risk: Google Alerts Gmail Customers to Hacker Threat

By Titiksha Srivastav - Assistant Editor

Google has issued an emergency warning to billions of Gmail users after uncovering a wave of cyberattacks linked to the notorious hacking group ShinyHunters. The group, infamous for high-profile breaches at Microsoft and Ticketmaster, is now exploiting stolen data and impersonating IT staff to compromise corporate accounts worldwide.

A New Front in Cybercrime

Google’s Threat Intelligence Group (TAG) confirmed that the hacker collective ShinyHunters, which first emerged in 2020, has resurfaced with a sophisticated campaign aimed at Gmail and Google Cloud users. The hackers are exploiting stolen credentials from third-party breaches, most recently Salesforce-related incidents, and pairing them with social engineering to penetrate corporate networks.

The attackers reportedly pose as IT personnel over the phone, tricking employees into revealing passwords or clicking on malicious links. Once inside, they leverage compromised accounts to steal sensitive business information, which is then weaponized for extortion. Victims are threatened with the release of confidential data unless ransom demands are met.

ShinyHunters’ Expanding Playbook

The ShinyHunters group, whose name is inspired by the Pokémon franchise, has become synonymous with large-scale data breaches. Their operations have targeted multinational companies, including Microsoft, Santander, and Ticketmaster, resulting in the theft of millions of user records.

While earlier attacks focused largely on selling stolen data on underground forums, investigators now warn that the group may escalate. According to TAG, ShinyHunters are preparing to launch a dedicated data leak site (DLS) to amplify their extortion campaigns. The shift reflects a broader trend where stolen information—once considered “basic business data”—is being turned into a weapon for systemic disruption.

The Scale of the Threat and Google’s Response

Google emphasized that its own systems remain secure but acknowledged the scale of the threat. Gmail and Google Cloud, with a combined 2.5 billion global users, represent an enormous target surface. The company began notifying impacted users by email on August 8 and has urged all customers to strengthen their defenses.

Recommendations include enabling two-factor authentication, frequently updating passwords, and carefully scrutinizing unsolicited communications, particularly calls from individuals claiming to be IT staff. Google’s warning follows growing evidence that the attackers are focusing on English-speaking branches of multinational corporations, where impersonation tactics have proven “particularly effective.”

 
