Recent reports suggested that Google issued a broad warning to all 2.5 billion Gmail users following a hack of Salesforce by the group ShinyHunters (also tracked as UNC6040). Those reports, however, were inaccurate. Google clarified in a statement that no widespread Gmail security breach has occurred, and its protections remain highly effective, blocking more than 99.9% of phishing and malware attempts.
While attackers continue to look for ways to infiltrate inboxes, including exploiting publicly available or leaked business information, Gmail’s security measures remain strong, the company states.
“Security is such an important item for all companies, all customers, all users — we take this work incredibly seriously,” Google said in a statement.
“Our teams invest heavily, innovate constantly, and communicate clearly about the risks and protections we have in place. It’s crucial that conversation in this space is accurate and factual,” the statement continued.
The Salesforce breach, as AFROTECH™ previously reported, did expose some business-related data, such as contact lists, company associations, and email metadata. While no Gmail passwords were stolen, the incident has led to targeted phishing campaigns. Attackers may pose as Google, IT departments or trusted vendors to trick individuals into revealing login credentials. Some scams even involve “vishing,” or fraudulent phone calls using numbers that appear to come from Google.
Phishing and vishing remain significant threats, accounting for roughly 37% of successful account takeovers across Google services, according to recent data cited by Inc. With detailed information from breaches like the Salesforce incident, attackers can craft emails referencing specific colleagues, employers or past communications, making their scams more convincing.
Experts continue to emphasize the importance of email security. Cloudflare CTO John Graham-Cumming explained to Inc., “If you do not have a good password on your email, the rest of your life is pretty much wide open, because every single service out there does reset password by sending you an email. So if I can compromise your email, I can compromise pretty much everything else you have.”
To further protect Gmail accounts, Google recommends the following best practices:
- Adopt secure password alternatives, like passkeys — Passkeys, often tied to your device’s biometrics, are stronger than even complex passwords and cannot be phished.
- Enable app-based two-factor authentication (2FA) — This adds an extra verification step, making it harder for attackers to gain access.
- Stay alert to phishing attempts — Be skeptical of unsolicited messages, unusual links or calls claiming to be from Google or other trusted sources.
- Regularly review account activity — Google’s Security Checkup tool helps you monitor connected devices and account access.
By combining these practices with Gmail’s built-in protections, users can maintain strong security while continuing to safely use their accounts.
Editor’s Note: This piece has been updated since initially published to correct inaccuracies.

