Personal data of 2.5 billion Google users stolen, possibly the largest breach in history

There are approximately 7 billion mobile users worldwide. Nearly every smartphone user has at least one email address linked to their device. By that logic, the number of email users is almost equivalent to smartphone users. However, based on the definition of active users, Google currently has more than 3.5 billion active accounts. Out of these, data from nearly 2.5 billion active users has been compromised. This incident is being described as the largest data breach ever involving Google users.

Google itself has acknowledged the breach, though it has not disclosed the exact figures. It said "If you're one of the 2.5 billion people who use Gmail(new window), you need to be particularly careful when going through your emails. Google recently acknowledged a surge in effective and convincing phishing attacks(new window) targeting Gmail and Google Workspace users."

The hacking collective known as ShinyHunters is alleged to have stolen the personal data of 2.5 billion Google users. Experts suggest that sometime between late June 2025 and early July 2025, the hackers managed to infiltrate Google employees’ computers using sophisticated tactics, enabling them to siphon off vast amounts of user data. The breach came to light only after ShinyHunters placed this stolen data for sale on the dark web, triggering alarm across the global cybersecurity community.

Governments and private cybersecurity agencies worldwide have since issued urgent advisories, recommending that all Google users immediately change their passwords. The compromised dataset reportedly contains highly sensitive information, including millions of users’ contact numbers. Since most people synchronise their contacts with Google services, the scale of exposure extends beyond just 2.5 billion individuals, potentially implicating billions more whose contact details are stored in those accounts.

In addition to phone numbers, the stolen data set includes Google Notes, Gmail content, personal names, business files, and company details. While Google has clarified that no passwords were stolen, cybersecurity experts warn that the leaked dataset provides scammers with unprecedented opportunities. In the coming months, billions of users may face heightened risks of financial fraud, phishing attempts, and scam calls.

Authorities have further cautioned that since Google employee data was also breached, fraudsters may exploit this to impersonate Google itself–sending fake messages, emails, or calls under the guise of being official communication. 

The company has also urged users to enable multi-factor authentication (MFA) for an additional layer of protection.