Google just dropped a security warning, and if you’re one of the billions of people who use Gmail, which I know you are, you need to pay attention.
We’re not talking about your average password scam here. This one is a bit more sophisticated.
The ShinyHunters Hack and the Vishing threat
You’ve probably heard of data breaches, but this one is different. A hacking group called ShinyHunters didn’t break into Gmail itself. Instead, they hit a Google corporate database managed by Salesforce.
The hackers used a low-tech trick, which turned out to be effective: they pretended to be IT support and convinced a Google employee to install a malicious app.
From that, they got their hands on business contact information, including names, emails, and phone numbers, for up to 2.5 billion users.
They didn’t steal passwords, because they apparently don’t need to. They are using this stolen information to launch “vishing” attacks. I didn’t know that term either.
This is a form of voice phishing. Scammers are making phone calls, pretending to be from Google, and using the leaked data to sound convincing.
They’ll say something like, “We’ve detected suspicious activity on your account,” and then try to trick you into revealing your login details or resetting your password to a new, malicious one.
This is a classic social engineering tactic, but with a more targeted and believable approach thanks to the leaked data.
Threat 2: The Silent, AI-Powered Attack
This one is even crazier. Google has issued a warning about “indirect prompt injections,” a new type of threat that uses artificial intelligence against you.
Here’s how it works:
- A Hacker Sends an Email: They send you an email that looks harmless, a document, or even a calendar invite.
- Hidden Instructions: Buried within the text is a hidden, malicious command that is invisible to you but can be read by an AI tool.
- The AI Does the Dirty Work: If your AI assistant, like Google’s Gemini, is set up to summarise or analyse your emails, it could read these hidden instructions.
The command could tell the AI to reveal your personal data, passwords, or other confidential information, all without you clicking a single link.
Think of it as a secret message hidden in a regular conversation, but the message is meant for a machine, not a person. It’s an “AI-versus-AI” cyberattack, and that is definitely scary. Not at all what we wanted from 2025.
What Now?
The game of online security is no longer just about avoiding suspicious links. The new reality is that hackers are using more sophisticated methods to get to you.
Here’s what you need to do to protect yourself:
- Use Multi-Factor Authentication (MFA) and Passkeys: This is your strongest defense. Even if a scammer manages to get your password through a vishing call, they won’t be able to log in without the extra verification step on your phone.
- Be a Skeptic: Google will never call you out of the blue and ask you to verify your password or account details over the phone. If you get a call like this, hang up immediately.
- Run a Security Checkup: Log into your Google account settings and use their Security Checkup tool. It’s a simple way to review recent activity and see if there are any devices or apps you don’t recognize connected to your account.
These attacks show that we might have to be more proactive about online safety. The threats are evolving, and so must our defenses. Don’t wait for a warning to become a victim. Take action now.
Leave a Reply Cancel reply