[Image: Change your password now. Credit: dpa/picture alliance via Getty Images]
Google has confirmed that hackers are gaining access to Gmail accounts, and that compromised passwords are behind a significant number of “successful intrusions.” But there’s a separate warning from the tech giant that must now be addressed — most Gmail users must change their passwords to secure their accounts.
This month we have seen a raft of warnings (1,2,3) that “all 2.5 billion Gmail users are now at risk” after Google’s own Salesforce database was hacked. We have also seen the latest warnings (1,2) that scammers pretending to be Google support staff are targeting account holders via emails and calls, using Google’s own AI to help do so.
Before this latest set of hacks and warnings, Google had already warned that most account holders need to upgrade the security on those accounts. That means using a form of two-factor authentication that’s not SMS, and even more critically adding a passkey to accounts and then using that as the default form of sign-in.
But most users do not yet have passkeys on their accounts and still rely on passwords, perhaps with some rudimentary form of 2FA. All these attacks lead to fake sign-in pages that steal your password, and sometimes add an additional step to either trick you into sharing a 2FA code or to bypass the need for that 2FA code completely.
[Chart: Bad password habits. Source: Google / Morning Consult]
You can read more about strong, more difficult to hack passwords here. But as recent Amazon and PayPal attacks also highlight, if you don’t set strong passwords and if you use those passwords across multiple accounts, then you’re at serious risk.
Google confirms that only 36% of users “regularly update passwords.” That means most users need to update passwords now and to do so regularly. While adding and defaulting to passkeys is critical, unless passwords are deleted completely — as Microsoft suggests — then password access remains an inherent account weakness.
If you haven’t changed your Gmail password this year, then do that now. Use a standalone password manager — not one built into Chrome or any other browser — to choose and save a new password. Then change your 2FA to an authenticator app.
Obviously add a passkey if you don’t have one. And then stick rigidly to the use of that passkey. If any sign-in window asks for a password on a device with a passkey, that’s a red flag. And never sign in via a link, even if that link seems to come from Google.