
Google has warned Gmail users to update their passwords and take extra safety measures after a group of hackers accessed a massive database containing account holders’ information.
There are about 2.5 billion Gmail users, and changing passwords regularly is a helpful tool in protecting sensitive data. Additionally, account holders can utilize other security methods, such as two-step verification, to confirm their identity, providing an extra layer of security.
Google has advised users to be aware of suspicious activity and protect themselves, as hackers have employed various intrusive methods to trick account users into sharing their passwords and other sensitive data.
In a news release, Google’s Threat Intelligence Group said it issued an advisory to organizations about a widespread data theft campaign carried out by a hacker tracked as UNC6395. From Aug. 8 to at least Aug. 18, the hacker targeted Salesforce customer accounts through compromised OAuth tokens linked to the third-party application Salesloft Drift.
“The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments,” the team said.
On Aug. 20, 2025, Salesloft and Salesforce revoked all access to the Drift tokens and removed the app as a precaution due to a pending investigation. Salesforce said the incident was not linked to a flaw in its core platform.
Google also disclosed that in June, a different group, UNC6040, briefly accessed one of its own Salesforce accounts, which contained contact information for small and medium-sized businesses. The company stated that the attackers only obtained limited data, including business names and contact details that were mostly already publicly available.
“We believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” a blog post by Google Threat Intelligence Group noted.
“These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”
ShinyHunters, which takes its name from the Pokémon franchise, formed in 2020 and has since targeted major companies, including AT&T Wireless, Microsoft, Santander and Ticketmaster, according to The Independent.
©2025 Black Promoters Collective (BPC) All Rights Reserved.