A hacker hijacked Café Melo’s sole Gmail account, wiping years of records, contracts, and customer contacts.

How a hacker deleted one Gmail account and disrupted an entire business

Written by:

Sarah Kinbar, Strategic Content Writer


Grow Universe Inc., better known to customers as Café Melo, is a Harlem event space at 53 East 131st Street. The company relied on a single Gmail account to run its daily operations. In the early hours of February 14, 2025, the company’s CEO, Dwight Smith, began receiving security alerts from Google.

One after another, they showed the recovery phone number had been removed, the backup email swapped, the password reset, and the account name changed.

By the next evening, the Gmail inbox that served as the hub of business operations was gone. The account had contained years of records, contracts, and business correspondence, along with the contacts that connected Café Melo to its customers and vendors.  

Legal action follows business disruption  

The deletion triggered a lawsuit filed against an unknown hacker in the Southern District of New York. Smith’s lawyers obtained subpoenas to Google, Spectrum, and T-Mobile, and confirmed what Smith already knew: the account was not just locked but permanently deleted.  

The case highlights a reality many small businesses overlook: A Mastercard survey of more than 5,000 small and medium-sized business owners across four continents reveals that 46% have experienced a cyberattack on their current business. Of those that suffered an attack, nearly one in five then filed for bankruptcy or closed their business.

Café Melo’s loss shows what can happen when a single account becomes the backbone of operations. Basic account management and cybersecurity hygiene could have prevented this scenario. For businesses without in-house IT staff, the most practical safeguard is working through a managed service provider (MSP). MSPs can deploy enterprise-grade tools like ThreatLocker to small and midsize companies, providing controls that prevent unauthorized changes to connected cloud environments, alert on suspicious domain account behavior, and make it far harder for an attacker to leverage a compromised account.

Delayed reaction due to fake notices

Meanwhile, Smith and his attorneys are still working to bring the alleged threat actor to justice.

After the account deletion, fraudulent emails posing as official Google notices further complicated recovery efforts. One message, styled as a “Google Account Termination Final Report,” convinced Smith for days that he was corresponding with the company itself. Google later confirmed those emails were counterfeit, likely created by the same hacker to obscure their identity.

Google has produced logs showing multiple devices and IP addresses tied to the hijacked account. Spectrum and T-Mobile were ordered to disclose subscriber information linked to those logins.  

Hacker remains anonymous

But the effort to unmask the hacker has met resistance: this month, an anonymous individual represented by attorneys formally objected to the Spectrum subpoena—one of the orders that, along with T-Mobile’s, could reveal their identity.

The judge has yet to respond to the objection, but whether or not the hacker becomes known, Café Melo has had to rebuild by piecing back together its contracts, re-establishing contact lists, and reaffirming customer relationships.

For a small business that ran its daily operations through a single inbox, recovery has meant starting over with the basics: recreating its digital identity from scratch to keep its doors open.

Account protection checklist

IT operations

  • Enable MFA on every business email account, SaaS subscription, or other third-party service account. Ensure MFA works by testing it today on one Gmail or M365 account.
  • Standardize subscription ownership by mapping each critical SaaS/email account to a responsible team or manager. Review this mapping every six months.
  • Verify that recovery phone numbers and backup emails are current and belong to the business, not to individuals’ personal accounts.
  • Export a copy of your critical email data or enable automated backups.

GRC and compliance staff

  • Document clear procedures for onboarding and offboarding employees to email and subscription accounts, ensuring every request is ticketed and logged.
  • Maintain an inventory of all critical SaaS/email subscriptions, noting contract owners, data sensitivity, and compliance obligations (e.g., GDPR, HIPAA, SOX).

Security architects

  • Establish centralized log collection for subscription services and email platforms, feeding into a SIEM for correlation and threat detection.
  • Deploy DMARC, DKIM, and SPF across all domains to prevent email spoofing and enhance trustworthiness of business-critical communications.
  • Configure conditional access policies (e.g., block legacy protocols, restrict by device posture, enforce geo-location restrictions) for email and high-value subscriptions.
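
The alerts Smith received (recovery phone removed, backup email swapped, password reset, account name changed) form a burst that log correlation can flag while there is still time to act. The following Python is an added example, not code from ThreatLocker or Google; the event names, log format, accounts, and IP addresses are constructed for illustration and do not match any vendor’s log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical event names (not a vendor log schema) for the four changes
# the article says preceded the deletion.
TAKEOVER_EVENTS = {"recovery_phone_removed", "recovery_email_changed",
                   "password_changed", "display_name_changed"}

# Constructed sample lines: "timestamp account event source_ip"
SAMPLE_LOG = """\
2025-02-14T02:03:11 ops@example.test recovery_phone_removed 203.0.113.7
2025-02-14T02:04:40 ops@example.test recovery_email_changed 203.0.113.7
2025-02-14T02:06:02 ops@example.test password_changed 203.0.113.7
2025-02-14T02:09:55 ops@example.test display_name_changed 203.0.113.7
2025-02-14T09:15:00 billing@example.test password_changed 198.51.100.20
2025-02-20T10:00:00 billing@example.test recovery_phone_removed 198.51.100.20
malformed line
"""

def parse(text):
    """Yield (time, account, event, ip); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue

def detect_takeover(text, window=timedelta(hours=1), threshold=3):
    """Alert when one account shows >= threshold distinct recovery or
    credential changes within `window` of each other."""
    by_account = defaultdict(list)
    for ts, account, event, ip in parse(text):
        if event in TAKEOVER_EVENTS:
            by_account[account].append((ts, event, ip))
    alerts = []
    for account, events in by_account.items():
        events.sort()
        for start, _, _ in events:
            hits = [e for e in events if timedelta(0) <= e[0] - start <= window]
            kinds = sorted({e[1] for e in hits})
            if len(kinds) >= threshold:
                alerts.append({"account": account, "first_seen": start,
                               "events": kinds,
                               "ips": sorted({e[2] for e in hits})})
                break  # one alert per account is enough to page someone
    return alerts
```

Calling `detect_takeover(SAMPLE_LOG)` flags only the account whose recovery settings, password, and name all changed within minutes; the second account’s two changes are six days apart and stay below the threshold.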

CISOs and security leaders

  • Mandate periodic reporting on the security posture of business-critical email and SaaS accounts (e.g., MFA adoption rates, number of unclaimed/unused subscriptions).
  • Champion a culture where critical subscription ownership is treated as a governance responsibility, not just a technical one, ensuring accountability at the leadership level.

Next step: Prevent account takeovers before they start

Email compromise is often the first domino in business disruption. ThreatLocker Cloud Detect continuously monitors Microsoft 365 for suspicious sign-ins, leaked credentials, and impossible travel. By catching anomalies early, Cloud Detect gives you the time to secure accounts before attackers can lock you out or wipe your data.  
