How a hacker deleted one Gmail account and disrupted an entire business

Grow Universe Inc., better known to customers as Café Melo, is a Harlem event space at 53 East 131st Street. The company relied on a single Gmail account to run its daily operations, but in the early hours of February 14, 2025, the company’s CEO Dwight Smith began receiving security alerts from Google.  

One after another, they showed the recovery phone number had been removed, the backup email swapped, the password reset, and the account name changed.

By the next evening, the Gmail inbox that served as the hub of business operations was gone. The account had contained years of records, contracts, and business correspondence, along with the contacts that connected Café Melo to its customers and vendors.  

Legal action follows business disruption  

The deletion triggered a lawsuit filed against an unknown hacker in the Southern District of New York. Smith’s lawyers obtained subpoenas to Google, Spectrum, and T-Mobile, and confirmed what Smith already knew: the account was not just locked but permanently deleted.  

The case highlights a reality many small businesses overlook: A Mastercard survey of more than 5,000 small and medium-sized business owners across four continents reveals that 46% have experienced a cyberattack on their current business. Of those that suffered an attack, nearly one in five then filed for bankruptcy or closed their business.

Café Melo’s loss shows what can happen when a single account becomes the backbone of operations.  Basic account management and cybersecurity hygiene could have prevented this scenario. For businesses without in-house IT staff, the most practical safeguard is working through a managed service provider (MSP). MSPs can deploy enterprise-grade tools like ThreatLocker to small and midsize companies, providing controls that prevent unauthorized changes to connected cloud environments, alert against suspicious domain account behavior, and make it far harder for an attacker to leverage a compromised account.

Delayed reaction due to fake notices

Meanwhile, Smith and his attorneys are still fighting for justice for the alleged threat actor.  

After the account deletion, fraudulent emails posing as official Google notices further complicated recovery efforts. One message, styled as a “Google Account Termination Final Report,” convinced Smith for days that he was corresponding with the company itself. Google later confirmed those emails were counterfeit, likely created by the same hacker to obscure their identity.

Google has produced logs showing multiple devices and IP addresses tied to the hijacked account. Spectrum and T-Mobile were ordered to disclose subscriber information linked to those logins.  

Hacker remains anonymous

But the effort to unmask the hacker has met resistance: this month, an anonymous individual represented by attorneys formally objected to the Spectrum subpoena—one of the orders that, along with T-Mobile’s, could reveal their identity.

The judge has yet to respond to the objection, but whether or not the hacker becomes known, Café Melo has had to rebuild by piecing back together its contracts, re-establishing contact lists, and reaffirming customer relationships.

For a small business that ran its daily operations through a single inbox, recovery has meant starting over with the basics: recreating its digital identity from scratch to keep its doors open.

Want to safeguard your business assets?

Check out our free in-depth webinar series 100 days to secure your environment and get a step-by-step action plan that leaves no stone unturned!