Tom’s Guide
Amber Bouman

Google issues warning to 2.5 billion Gmail users — change your password right now


Millions of Gmail users are being warned to change their passwords after the ShinyHunters attack struck Google's Salesforce database in June. Though that breach did not expose user information – only basic and largely publicly available business information, according to Google – it still leaves regular Gmail customers open to phishing and social engineering attacks. ShinyHunters has been particularly successful in vishing attacks, in which it makes a phone call impersonating IT staff in order to deceive the person on the call into revealing their login credentials.

Google has advised Gmail users to be on alert as it feels that the hacking group may be preparing to escalate their efforts to launch a data leak site (DLS). Those who may have been affected by the incident should have received an email. According to a Reddit post, Gmail users are now being targeted in vishing attacks coming from phone numbers with a 650 area code.

The calls themselves are from scammers who claim to be Google employees contacting victims to alert them about a security breach that affects their accounts. During these scam phone calls, the attackers attempt to take over the victims' Gmail accounts by getting users to reset their password and provide this information to them. This locks the user out of their own account and hands the password over to the scammer.

How to stay safe from phishing attacks


Google has encouraged users to change their passwords, and has sent out emails to users to remind them to do so. The company is also encouraging users to enable two-factor authentication whenever possible. It's advisable to take this time to make sure that all your security questions and backup information, like emails and phone numbers, are up to date as well, so that you have an accurate way to recover your account if necessary.

Next, make sure you’ve taken all the steps possible to keep your Google accounts safe against any unauthorized access. Check out Google’s Security Checkup for recommendations on your account security and to automatically identify any vulnerabilities. You can also use Google’s Advanced Protection Program to add an extra layer of security to block downloads of any harmful files and to restrict any non-Google apps from accessing your Gmail data.

Additionally, make sure you know all the signs of phishing and vishing, to stay aware and informed. Never click on anything you’re not expecting in an email or text and never give out any personal information over the phone to anyone who randomly calls you. Google will not contact users over the phone to tell them about security breaches, so don't be fooled by these attempts.
