
Gmail breach exposed 2.5B accounts: Here's how to secure yours
What's the story
Google has issued a major security alert, warning that nearly 2.5 billion Gmail accounts may have been exposed in a large-scale data theft campaign. The company's Threat Intelligence Group (GTIG) has linked the breach to a threat actor tracked as UNC6395, who targeted accounts between August 8 and August 18, 2025. Attackers accessed Gmail data by exploiting compromised authentication tokens from third-party integrations.
Data theft
Attackers accessed sensitive information
The attackers targeted sensitive information such as Amazon Web Services (AWS) keys, enterprise login URLs, and Snowflake access tokens. Google noted that while the group attempted to cover its tracks by deleting query jobs, logs were preserved and can be used by organizations and users to verify exposure. This means that even if the attackers tried to hide their activities, there are still traces of what they did.
User response
What should you do?
In light of this breach, Google is urging all Gmail users to take immediate action. This includes resetting passwords and enabling two-factor authentication (2FA) if not already active. Users are also advised to check recent login activity in Gmail settings for any suspicious access attempts. Revoking app permissions, by visiting the Google Account security dashboard and removing unfamiliar third-party apps, is also recommended.
Ongoing investigation
Google is working with affected partners to investigate further
Google has already revoked access tokens associated with the malicious campaign and is working with affected partners to investigate further. The company has not confirmed how many individual users' data was directly abused. However, it said that the scale of the breach means Gmail accounts worldwide could be affected. Notably, there is no evidence that Gmail's core systems were compromised in this incident.