Google confirmed that Gmail passwords are being actively exploited by attackers, and most users have not yet adopted stronger login protections. The recommendation now is that users change their passwords and activate additional security mechanisms.
Following recent attacks, Google now recommends that account holders change their Gmail passwords. Many successful intrusions resulted from reused or exposed credentials. A major breach reportedly involved Google's own Salesforce database, generating further alarm. As phishing campaigns increase, even users with two-factor authentication (2FA) remain vulnerable, especially if they rely on SMS-based codes.
Google isn't just asking users to reset their Gmail passwords. It wants everyone to adopt passkeys or device-based two-factor authentication (2FA) as a login method. These options reduce the risk of phishing by eliminating the need to enter passwords. Previously, Google made passkeys the default login method. Even so, many continue to rely on outdated passwords and verification tools.
Cybercriminals have become more convincing in their Gmail attacks. Posing as Google support, they trick people into entering their login details on fake websites. Some schemes even include spoofed phone calls or AI-generated emails to increase urgency.
Attackers no longer need to break encryption. They just need to trick the user. Therefore, Google recommends that users go beyond simple password-based logins. Enabling a passkey or using an authenticator app is now considered essential. At the same time, users should be wary of suspicious messages that mimic real security warnings.
The recommendation is obvious and even logical. For those who still only use a password and an SMS code for Gmail, it's time to change. Google has made its position clear and revealed that stronger protections are no longer optional.







