Members of a “remarkably devious” hacker group have been posing as Google employees to trick customers after a major Gmail breach.
Google revealed earlier this month that a group called ShinyHunters had accessed its Salesforce database after the group was believed to have tricked a staffer into giving away login details.
“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” the company said.
It was reported the breach exposed 2.5 billion Gmail accounts to the hacker group, known for its social engineering techniques.
Ironically, Google’s announcement came as an update to a blog post originally published in June saying it was tracking ShinyHunters – or UNC6040 – and explaining how the group operated.
“UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements,” it said.
“This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s (sic) Salesforce data.”
Google said it had notified affected users by August 8.
The Sun reports, however, victims in the UK were being bombarded with phone calls, emails and text messages urging them to hand over logins or reset passwords.
Cybersecurity expert James Knight told the paper there had been “a huge increase in the hacking group trying to gain leverage on this”.
“There’s a lot of vishing – people calling, pretending to be from Google, text messages coming through in order to get people to log in, or get codes to log in,” he said.
“If you do get a text message or a voice message from Google, don’t trust it’s from Google. Nine times out of 10, it’s likely not.”
ShinyHunters have allegedly been behind high-profile hacks including stealing 1.3 terabytes of Ticketmaster customer data in 2024 and obtaining the data of 200,000 Australian Pizza Hut customers in 2023.
The lengths to which its members went in order to steal data were “remarkably devious”, Federal Bureau of Investigation Special Agent Richard Collodi said last year.