Change your password now.
Google has confirmed that Gmail is under attack. But not because a recent breach leaked user passwords. Gmail was under attack before and nothing has changed.
Google tells me Google Cloud and Gmail data was not affected in the Salesforce breach, and certainly not all 2.5 billion users as some headlines suggest. But the company also says all users should upgrade the security on their Gmail accounts to add passkeys.
With ironic timing, the team at SquareX has just issued a passkey warning, with a proof of concept to show how malicious browser extensions can hack the passkey creation and authentication process. But that’s just a POC and has not yet been exploited. There are no proven, successful passkey attacks in the wild that we’ve seen.
Google has also confirmed that most users do not change passwords as often as they should, if ever, and many of those passwords are reused across multiple accounts. Putting all that together, users are asking: if they add a passkey, why do they still need to worry about a password, and whether or not it is changed?
The answer is simple. Even if you add a passkey and default to it when you log in, the password on your Gmail account is still a valid credential for that account. If the password is stolen or leaked, an attacker can access your account, even if you have added and use a passkey on your own devices.
That’s why Microsoft warns its own account holders that “if a user has both a passkey and a password, and both grant access to an account, the account is still at risk.” It wants “to remove passwords completely” and use only passkeys or equivalents.
Google isn’t there yet — and so the Gmail password access remains in place. The best advice is to change your password now to something long, unique and complex. Use a standalone password manager (from a reputable developer) to make that easy.
Even with a new, robust password, you also need the strongest form of two-factor authentication you can access. And for most that means an authenticator app, which links to your device (rather like a passkey) and gives you a continually changing PIN to use instead of an SMS one-time code. Don’t use SMS. It’s too easily breached.
That’s why, despite Google’s upgraded account security, you still need to worry about your password. There isn’t a huge new wave of Gmail attacks, but the reality is that Gmail accounts are under constant attack. Make sure you secure your own.