Originally published: August 20, 2025
Grow Universe Inc., better known to customers as Café Melo, is a Harlem event space at 53 East 131st Street. The company relied on a single Gmail account to run its daily operations, but in the early hours of February 14, 2025, the company’s CEO Dwight Smith began receiving security alerts from Google.
One after another, they showed the recovery phone number had been removed, the backup email swapped, the password reset, and the account name changed.
By the next evening, the Gmail inbox that served as the hub of business operations was gone. The account had contained years of records, contracts, and business correspondence, along with the contacts that connected Café Melo to its customers and vendors.
Legal action follows business disruption
The deletion triggered a lawsuit filed against an unknown hacker in the Southern District of New York. Smith’s lawyers obtained subpoenas to Google, Spectrum, and T-Mobile, and confirmed what Smith already knew: the account was not just locked but permanently deleted.
The case highlights a reality many small businesses overlook: A Mastercard survey of more than 5,000 small and medium-sized business owners across four continents reveals that 46% have experienced a cyberattack on their current business. Of those that suffered an attack, nearly one in five then filed for bankruptcy or closed their business.
Café Melo’s loss shows what can happen when a single account becomes the backbone of operations. Basic account management and cybersecurity hygiene could have prevented this scenario. For businesses without in-house IT staff, the most practical safeguard is working through a managed service provider (MSP). MSPs can deploy enterprise-grade tools like ThreatLocker to small and midsize companies, providing controls that prevent unauthorized changes to connected cloud environments, alert against suspicious domain account behavior, and make it far harder for an attacker to leverage a compromised account.
Delayed reaction due to fake notices
Meanwhile, Smith and his attorneys are still pursuing justice against the alleged threat actor.
After the account deletion, fraudulent emails posing as official Google notices further complicated recovery efforts. One message, styled as a “Google Account Termination Final Report,” convinced Smith for days that he was corresponding with the company itself. Google later confirmed those emails were counterfeit, likely created by the same hacker to obscure their identity.
Google has produced logs showing multiple devices and IP addresses tied to the hijacked account. Spectrum and T-Mobile were ordered to disclose subscriber information linked to those logins.
Hacker remains anonymous
But the effort to unmask the hacker has met resistance: this month, an anonymous individual represented by attorneys formally objected to the Spectrum subpoena—one of the orders that, along with T-Mobile’s, could reveal their identity.
The judge has yet to respond to the objection, but whether or not the hacker becomes known, Café Melo has had to rebuild by piecing back together its contracts, re-establishing contact lists, and reaffirming customer relationships.
For a small business that ran its daily operations through a single inbox, recovery has meant starting over with the basics: recreating its digital identity from scratch to keep its doors open.
Update: Court clears the way to identify the person tied to the account deletion
The case has changed direction since the initial filing. Grow Universe now alleges the account was deleted by someone who already had access, not an unknown outsider.
After Grow Universe filed suit against an unknown defendant, an anonymous individual moved to quash a subpoena issued to Charter Communications d/b/a Spectrum that sought subscriber information tied to the IP addresses connected to the account access. Grow Universe opposed the motion, arguing that identifying the subscriber was necessary to determine who accessed and deleted the account, establish jurisdiction, and decide whether the case could proceed.
On October 10, U.S. District Judge Gregory Woods denied the motion to quash and ordered Spectrum to comply.
According to a sworn declaration filed by Café Melo’s principal, Spectrum’s response identified the subscriber associated with the IP addresses used shortly before the account was deleted. The declaration alleges that the identified individual was a former consultant who previously had limited access to the business Gmail account, was not authorized to delete it, and made changes to recovery details immediately before deletion in a way that could obscure responsibility. The individual has denied wrongdoing.
After the court’s ruling, the identified party asked to proceed anonymously and sought a protective order to keep their name off the public docket. The court indicated that this relief is not automatic and directed the parties to its rules governing protective orders.
This procedural shift matters because it reframes what the dispute is really about: not only whether the account was compromised, but whether access that once appeared legitimate was later used in a way that could disrupt operations and erase business records in a single move.
Account protection checklist
IT operations
- Enable MFA on every business email account, SaaS subscription, or other third-party service account. Ensure MFA works by testing it today on one Gmail or M365 account.
- Standardize subscription ownership by mapping each critical SaaS/email account to a responsible team or manager. Review this mapping every six months.
- Verify that recovery phone numbers and backup emails are current and owned by the business accounts, not individual, personal accounts.
- Export a copy of your critical email data or enable automated backups.
GRC and compliance staff
- Document clear procedures for onboarding and offboarding employees to email and subscription accounts, ensuring every request is ticketed and logged.
- Maintain an inventory of all critical SaaS/email subscriptions, noting contract owners, data sensitivity, and compliance obligations (e.g., GDPR, HIPAA, SOX).
Security architects
- Establish centralized log collection for subscription services and email platforms, feeding into a SIEM for correlation and threat detection.
- Deploy DMARC, DKIM, and SPF across all domains to prevent email spoofing and enhance trustworthiness of business-critical communications.
- Configure conditional access policies (e.g., block legacy protocols, restrict by device posture, enforce geo-location restrictions) for email and high-value subscriptions.
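To make the DMARC and SPF item concrete, here is an added example (not code from the article or from ThreatLocker) that parses a domain's DMARC and SPF TXT records and reports the settings that leave a domain spoofable, such as `p=none` or `+all`. The record strings are constructed samples, and the function names are this example's own; in practice you would feed it the TXT records returned by your resolver.

```python
"""Assess DMARC and SPF TXT records for weak anti-spoofing settings.

Added example; the sample records below are constructed, not real domains.
"""

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per record).
DNS_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample records: a weak and a hardened version of each.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def assess_dmarc(record):
    """Return the policy, whether it actually enforces, and a list of weaknesses."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid; record cannot enforce anything")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: you will not receive aggregate reports")
    # Subdomains inherit p unless sp overrides it.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "enforcing": enforcing, "findings": findings}


def assess_spf(record):
    """Check the 'all' qualifier and the DNS-lookup budget of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    findings = []
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip ':domain', '=value' and '/cidr' to get the mechanism name.
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in DNS_LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all authorizes every sender on the internet")
    elif all_qualifier == "?":
        findings.append("?all is neutral and provides no protection")
    elif all_qualifier == "~":
        findings.append("~all is a softfail; receivers rarely reject on it alone")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return {"all": all_qualifier, "enforcing": all_qualifier == "-",
            "dns_lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for label, rec, fn in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("strong DMARC", STRONG_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf),
                           ("strong SPF", STRONG_SPF, assess_spf)):
        print(label, fn(rec))
```

The weak records are the "monitoring only" shapes many domains stop at: `p=none` reports spoofing but never blocks it, and `+all` tells receivers that any host may send for the domain. Moving to `p=reject` and `-all` is what makes counterfeit "official notice" mail, like the fake Google termination report described above, fail authentication at the receiver.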
CISOs and security leaders
- Mandate periodic reporting on the security posture of business-critical email and SaaS accounts (e.g., MFA adoption rates, number of unclaimed/unused subscriptions).
- Champion a culture where critical subscription ownership is treated as a governance responsibility, not just a technical one, ensuring accountability at the leadership level.
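The sequence of alerts described at the start of the article (recovery phone removed, backup email swapped, password reset, account name changed, all within minutes) is exactly the kind of pattern centralized log collection and a SIEM rule should catch. As an added example, not from the article or from ThreatLocker, the following script correlates recovery-control changes per account inside a sliding time window and raises one alert when enough of them cluster. The event dictionaries are a constructed, simplified shape, not the real Google Workspace or Microsoft 365 audit schema, so the field names are assumptions to map onto your own log source.

```python
"""Flag accounts whose recovery settings are changed in rapid succession.

Added example. SAMPLE_EVENTS is constructed test data in a made-up schema;
map your SIEM's field names (timestamp, actor account, event type, source IP)
onto 'ts', 'account', 'event' and 'ip' before using the rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event types that change who can recover or control an account.
RECOVERY_CHANGE_EVENTS = {
    "recovery_phone_removed",
    "recovery_email_changed",
    "password_changed",
    "account_name_changed",
    "2sv_disabled",
}

# Constructed sample events (documentation IP ranges, example.com accounts).
SAMPLE_EVENTS = [
    {"ts": "2025-02-14T02:03:10Z", "account": "ops@example.com", "event": "login_success", "ip": "203.0.113.7"},
    {"ts": "2025-02-14T02:05:41Z", "account": "ops@example.com", "event": "recovery_phone_removed", "ip": "203.0.113.7"},
    {"ts": "2025-02-14T02:07:02Z", "account": "ops@example.com", "event": "recovery_email_changed", "ip": "203.0.113.7"},
    {"ts": "2025-02-14T02:09:55Z", "account": "ops@example.com", "event": "password_changed", "ip": "203.0.113.7"},
    {"ts": "2025-02-14T02:11:30Z", "account": "ops@example.com", "event": "account_name_changed", "ip": "203.0.113.7"},
    # Routine, widely spaced changes on another account: should not alert.
    {"ts": "2025-02-14T09:00:00Z", "account": "sales@example.com", "event": "password_changed", "ip": "198.51.100.4"},
    {"ts": "2025-02-16T09:00:00Z", "account": "sales@example.com", "event": "recovery_email_changed", "ip": "198.51.100.4"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample schema."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_sequences(events, window=timedelta(hours=1), min_changes=3):
    """Return one alert per account with >= min_changes recovery-control
    changes inside any `window`-long span (sliding window over sorted times)."""
    per_account = defaultdict(list)
    for e in events:
        if e["event"] in RECOVERY_CHANGE_EVENTS:
            per_account[e["account"]].append((parse_ts(e["ts"]), e["event"], e["ip"]))

    alerts = []
    for account, changes in per_account.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Advance the window start until it fits inside `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            if end - start + 1 >= min_changes:
                # Collect every change within `window` of the cluster start.
                cluster = [c for c in changes[start:] if c[0] - changes[start][0] <= window]
                alerts.append({
                    "account": account,
                    "first_seen": cluster[0][0].isoformat(),
                    "last_seen": cluster[-1][0].isoformat(),
                    "events": [c[1] for c in cluster],
                    "source_ips": sorted({c[2] for c in cluster}),
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sequences(SAMPLE_EVENTS):
        print(f"ALERT {alert['account']}: {len(alert['events'])} recovery changes "
              f"between {alert['first_seen']} and {alert['last_seen']} "
              f"from {', '.join(alert['source_ips'])}: {', '.join(alert['events'])}")
```

Tune `window` and `min_changes` to your environment; a single password change is routine, but three or more recovery-control changes inside an hour from one source IP is rarely legitimate and is worth an immediate, out-of-band call to the account owner while the recovery details can still be restored.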
Next step: Prevent account takeovers before they start
Email compromise is often the first domino in business disruption. ThreatLocker Cloud Detect continuously monitors Microsoft 365 for suspicious sign-ins, leaked credentials, and impossible travel. By catching anomalies early, Cloud Detect gives you the time to secure accounts before attackers can lock you out or wipe your data.