In June 2025, a security breach in a Salesforce system used by Google put 2.5 billion Gmail users on high alert. Although no passwords or financial data were compromised, the incident exposed business contact information and sales notes, potentially setting the stage for sophisticated phishing and vishing attacks. This post explains what was leaked, why it matters to you, and the steps you should take now to safeguard your Gmail account.
What Data Points Were Leaked?
When news broke in June 2025 about the Gmail security alert linked to a Salesforce breach, the headline numbers were attention-grabbing: 2.5 billion users at risk. But what was actually leaked? The attackers, identified as ShinyHunters, didn’t get passwords, credit card numbers, or any direct login credentials. Instead, the breach exposed a mix of business contact details and internal sales notes stored in a Salesforce system used by Google.
What Was Exposed?
The compromised data includes:
Business email addresses: These are often the first step for attackers to start targeting professionals.
Names and job titles: Seemingly harmless, but enough to personalize scams.
Company affiliations and sales notes: Information that can help criminals craft convincing phishing or vishing messages.
No financial data or passwords were accessed, but that doesn’t mean the impact is minor. Attackers can use these “low-risk” details to impersonate colleagues or trusted vendors, making their scams much more believable.
Why Does This Matter?
At first glance, leaked business contacts and sales notes might sound trivial. But cybercriminals know how to turn scraps of information into dangerous tools:
Personalized phishing: Attackers use your real name, job title, and company info to trick you into clicking malicious links.
Vishing attacks: Criminals may call you, pretending to be from your company or a trusted partner, using insider details to gain your trust.
Social engineering: The more an attacker knows about your work life, the easier it is to manipulate you into revealing sensitive data.
How Did ShinyHunters Access the Data?
The group exploited a vulnerability in a Salesforce system integrated with Google’s sales operations. By leveraging misconfigured permissions and weak third-party controls, they were able to pull information that was never meant to be public. It’s a reminder that even indirect links to your Gmail account can become weak points if not properly secured.
Cloaked’s privacy tools, for example, can help minimize the amount of personal and business data you share online, reducing the risk if something like this happens again. Limiting the data trail makes attackers’ jobs much harder.
Should You Be Worried?
Every major data breach shakes our confidence in online security, but it’s easy to wonder—how bad is it, really? Let’s break down why this isn’t something to shrug off.
What’s at Stake After a Breach?
When attackers get their hands on your email, phone number, or even hashed passwords, it’s more than a minor headache. Here’s how they can exploit that information:
Phishing Attacks: Cybercriminals use your personal data to craft emails that look like they’re from trusted companies—think banks, online stores, even Google. One click on a fake link, and they’ve got you.
Vishing (Voice Phishing): Scammers can call you, pretending to be from your bank or a service provider. They use information from the breach to sound convincing.
Credential Stuffing: If you reuse passwords, attackers can try those details on other websites. Suddenly, it’s not just your email at risk—your social accounts, shopping profiles, and even work logins could be exposed.
Identity Theft: With enough details, fraudsters can attempt to open accounts or make purchases in your name.
The Real-World Fallout: Stories That Hit Home
The ShinyHunters breach is a case study in how bad things can get. When millions of Gmail addresses are leaked, attackers don’t just sit on them—they launch massive phishing campaigns. Victims reported receiving emails that looked nearly identical to official Google security warnings. Many people, in a rush or worried about their accounts, clicked malicious links and handed over their login details to attackers.
Another recent incident involved Salesforce data. After a breach, users became targets for highly convincing vishing attempts. Attackers called, referenced real account details, and tricked users into sharing sensitive information or resetting passwords. It only takes one slip for a scammer to get through.
Why It Feels Personal
It’s not just about being cautious—it’s about protecting your daily life. Most folks don’t realize how quickly a stolen email or phone number can spiral into bigger problems. The feeling of being tricked or losing control over your accounts is stressful and, frankly, infuriating.
If you’re worried about your information floating around, you’re not alone. Many people are taking steps to mask their real emails and phone numbers. For example, using a service like Cloaked can help you create aliases that keep your true details private, making it much harder for scammers to reach you—even if data leaks happen.
Stay alert. The risk isn’t imaginary. The impact of these breaches is real, and it’s smart to take them seriously.
What Should Be Your Next Steps?
Gmail security is not just about reacting to a warning—it’s about taking proactive, practical steps that make hacking your account a tall order for even the most determined cybercriminals. Here’s what you need to do next to keep your inbox out of the wrong hands.
1. Change Your Password—Now
If you’ve seen a security alert or suspect any strange activity, update your password immediately. Don’t recycle old passwords or use something easy to guess. Instead:
Create a passphrase: Use a mix of random words, numbers, and symbols (e.g., Red!Truck$Sunflower2).
Avoid personal info: Skip birthdays, names, or anything someone could find on social media.
Don’t reuse passwords: Every account needs its own strong password.
Tip: Consider using a password manager if you struggle to remember complex passwords. Some, like Cloaked, even help you generate and store passwords securely.
2. Enable Two-Factor Authentication (2FA)
A password alone isn’t enough. Two-factor authentication adds an extra checkpoint before anyone can access your Gmail. This means even if someone guesses your password, they can’t get in without your second form of verification.
Go to your Google Account settings.
Find the “Security” section and turn on 2-Step Verification.
Choose a method: text, app, or hardware key.
Why bother? Because over 90% of compromised Gmail accounts didn’t have 2FA enabled. It’s a simple step with massive impact.
3. Learn to Spot Phishing and Vishing
Hackers don’t always break down the front door. Sometimes, they trick you into handing over the keys.
Phishing
What it looks like: Fake emails pretending to be from Google or someone you trust, often urgent and asking you to click a link or provide information.
Red flags: Poor grammar, odd sender addresses, unexpected attachments, or links that don’t lead to the official Google domain.
What to do: Don’t click. Instead, go directly to your account through a browser, not through the email.
Vishing
What it is: Voice phishing—scammers call, pretending to be from Google support, claiming you need to verify account details or fix an urgent problem.
What to do: Hang up. Google will never call you out of the blue to ask for your password or verification codes.
4. Respond Fast If You Suspect Trouble
Check your account activity: Look for unfamiliar devices or locations in your Gmail security settings.
Sign out of all devices: Use the “Sign out of all sessions” option if you think someone else might be logged in.
Update recovery options: Make sure your backup email and phone number are current—this is how you’ll regain access if locked out.
5. Leverage Privacy Tools Like Cloaked
If you want an added layer of privacy, tools like Cloaked can generate masked emails and phone numbers for sign-ups, reducing your exposure to phishing and spam. That means fewer worries about your main Gmail address showing up in a data breach.
Gmail security isn’t just about reacting—it’s about steady, confident steps that put you in control.
Cloaked FAQs Accordion
Frequently Asked Questions
Cloaked is a privacy-first tool that lets you create secure aliases for emails, phone numbers, and more—shielding your real identity online. With Cloaked, your personal info stays protected from breaches, scams, and tracking.
Look for urgent messages, unfamiliar links, or strange sender addresses. With Cloaked aliases, it’s easier to identify which site may have leaked your contact details and ignore suspicious communications.
Yes. If a Cloaked alias starts receiving spam, you can pause, delete, or rotate it. This eliminates the need to change your real email or phone number.
They do different jobs. VPNs protect browsing. Password managers secure logins. Cloaked protects your real identity at the contact level—emails, phones, and personal identifiers.
Definitely. Use Cloaked aliases to avoid spam and limit exposure to companies that may mishandle or leak your data.
At Cloaked, we believe the best way to protect your personal information is to keep it private before it ever gets out. That’s why we help you remove your data from people-search sites that expose your home address, phone number, SSN, and other personal details. And to keep your info private going forward, Cloaked lets you create unique, secure emails and phone numbers with one click - so you sign up for new experiences without giving away your real info. With Cloaked, your privacy isn’t a setting - it’s the default. Take back control of your personal data with thousands of Cloaked users.
*Disclaimer: You agree not to use any aspect of the Cloaked Services for FCRA purposes.
.png)
.png)
