Google is urging Gmail users to change their passwords after confirming that a large number of account details have leaked, leaving users at high risk of phishing. Google’s Salesforce database, which holds over 2.5 billion accounts, may have been hacked after recent attacks.
Google has confirmed to PC World that although general data like customer and company names were leaked, passwords are safe. While that is definitely a relief, attackers could now target users with phishing links. Phishing is an attack in which users are tricked into entering their credentials on fake websites so that their logins can be stolen.

In some cases, attackers have also attempted to capture or bypass two-factor authentication codes, giving them full access to accounts. Google says that weak or outdated passwords, along with the reuse of the same password across services, are being exploited.
The firm has stressed that while passkeys and hardware-based authentication provide much stronger protection, users relying on passwords must update them as soon as possible and make doing so a regular practice. It has also advised activating app-based two-factor authentication and moving away from SMS-based codes.

Users can also add a passkey to their accounts and make it the default login method for stronger protection. Any login screen that requests a password when a user has already set up a passkey should be treated as suspicious.
All in all, the message is loud and clear: Gmail users need to act immediately and change their passwords. They should also enable authenticator-based 2FA and passkeys to secure their accounts.
We strongly recommend that users be vigilant while signing into their Google account. Enable Android's latest Advanced Protection Mode and head over to the security checkup to check for any vulnerabilities or unusual login attempts on your account.