Change your password now.
dpa/picture alliance via Getty Images
Republished on August 25 with new attack reports and advice to users.
Google has confirmed that hackers are gaining access to Gmail accounts, and that compromised passwords are behind a significant number of “successful intrusions.” But there’s a separate warning from the tech giant that must now be addressed — most Gmail users must change their passwords to secure their accounts.
This month we have seen a raft of warnings (1,2,3) that “all 2.5 billion Gmail users are now at risk” after Google’s own Salesforce database was hacked. We have also seen the latest warnings (1,2) that scammers pretending to be Google support staff are targeting account holders via emails and calls, using Google’s own AI to help do so.
Before this latest set of hacks and warnings, Google had already warned that most account holders need to upgrade the security on those accounts. That means using a form of two-factor authentication that’s not SMS, and even more critically adding a passkey to accounts and then using that as the default form of sign-in.
But most users do not yet have passkeys on their accounts and still rely on passwords, perhaps with some rudimentary form of 2FA. All these attacks lead to fake sign-in pages that steal your password, and sometimes add an additional step to either trick you into sharing a 2FA code or to bypass the need for that 2FA code completely.
You can read more about strong, more difficult to hack passwords here. But as recent Amazon and PayPal attacks also highlight, if you don’t set strong passwords and if you use those passwords across multiple accounts, then you’re at serious risk.
Google confirms that only 36% of users “regularly update passwords.” That means most users need to update passwords now and to do so regularly. While adding and defaulting to passkeys is critical, unless passwords are deleted completely — as Microsoft suggests — then password access remains an inherent account weakness.
If you haven’t changed your Gmail password this year, then do that now. Use a standalone password manager — not one built into Chrome or any other browser — to choose and save a new password. Then change your 2FA to an authenticator app.
Bad password habits.
Google / Morning Consult
Obviously add a passkey if you don’t have one. And then stick rigidly to the use of that passkey. If any sign-in window asks for a password on a device with a passkey, that’s a red flag. And never sign-in via a link, even if that link seems to come from Google.
The new week has started with no let up in warnings for Gmail users. Per PC World, “Google has confirmed the attacks and states that general data like customer and company names were leaked, but not passwords.” This means “users of Google services—including Gmail and Google Cloud—are now at risk of falling victim to phishing.”
PC World reports that “initial reports of attempted attacks have already been seen on Reddit, which are likely related to the data leak. Users describe how alleged Google employees have contacted them by phone to inform them of a security breach.”
A typical Redditor post, aded Monday, warns “this is the second time this email has sent a mail delivery subsystem email to me this week. I changed my password after the first time to be safe and didn’t click on the link. Assuming it’s phishing?”
A response to the post suggests “it’s a new spam technique they spoof your email and send to google.com so you get the failure which included spam.”
Regardless, if you stick to the rules and don’t respond to such emails and never use an emailed link to sign-in, you won’t be caught out. If you fear an account security issue, go to your Google account and click on Security—Review Security Activity.
