Change your Gmail password now — Google warns users.
It’s official: Google accounts are under attack, and those attacks have spiked by an incredible amount. According to Google itself, it observed an 84% increase in Gmail two-factor authentication bypass attacks across 2024 and has now confirmed that this “has only intensified in 2025.” When it comes to the bigger picture, phishing and credential theft are now behind more than a third of all successful Google account attacks. But Google has been fighting back, and a July 29 announcement outlines a new security protection being offered to some, along with a warning for all users to change their passwords now.
Change Your Gmail Password Now As Attacks Escalate
It is always refreshing to hear the largest of tech companies being honest about the security challenges they face, and Google certainly falls into this category. More so when you are talking about Gmail, with some 2.5 billion users worldwide, and under constant attack, like all large email platforms, from threat actors looking to compromise accounts.
“Attackers are intensifying their phishing and credential theft methods,” Andy Wen, senior director of product management at Google, has warned, “which drive 37% of successful intrusions.” What’s more, Wen continued, “we’ve seen an exponential rise in cookie and authentication token theft as a preferred method for attackers.” Thankfully, the Google announcement does not stop there. Instead, it shares account security enhancements to mitigate just these types of attacks.
While the Google announcement itself is directed at Google Workspace customers specifically, the first of the recommendations forms a warning that all 2.5 billion Gmail users should heed: update your account from using a password to a passkey. The “enhancement” that Google is referring to here is that such passkey support is now available, with “expanded admin capabilities to audit enrollment and restrict passkeys to physical security keys,” to more than 11 million Google Workspace customers. That’s important, of course, but please make the change from password to passkey regardless of whether you are using a paid-for or free Gmail account. The attackers, I can assure you, couldn’t care less.
The other advice is strictly for those Workspace customers, however, and comes by way of an open beta of Device Bound Session Credentials to protect against those 2FA cookie bypass attacks mentioned earlier, as well as another beta, a shared signals framework, that will be offered to “select customers and partners” later this year.
“These advancements can meaningfully enhance account security,” Wen said, “marking a major step forward in defending against account takeovers for Google Workspace customers.”
Device Bound Session Credentials provide users with enhanced post-authentication protection, Wen explained, by helping to ensure that only the originating device can access the active session, which in turn reduces the risk of cookie theft and 2FA bypass. DBSC also provides stronger session integrity, Google said, by bolstering protections with “more granular account attributes when used together with context-aware access, even if an attacker obtains login credentials after the initial login.”
Why All Users Should Update Gmail Accounts To Use Passkey Protection
The benefits of passkeys compared to passwords are no secret, and have been put forward time and time again. Wen has reinforced the greater security that can be offered by making this one simple change: “Unlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user’s device.”
Here are three reasons why Google wants all users to switch to passkey technology, and switch now:
- Passkeys are inherently more phishing-resistant because users cannot be tricked into handing over passkeys to a malicious actor.
- Signing in with passkeys is as simple as unlocking your device, for example with a PIN or with biometrics such as a fingerprint or facial recognition.
- Unlike passwords that are often reused, each passkey is unique and generated for each specific website or service.
So, what are you waiting for? Take note of the Google warning and update your Gmail account security now.