Google confirmed that hackers are gaining access to Gmail accounts, and the company strongly recommends that Gmail users change passwords without delay. Attackers steal weak credentials through fake sign-in pages and use advanced phishing methods to trick people into sharing two-factor authentication codes. Many intrusions bypass SMS-based security, which highlights why stronger protections are necessary.
This month warnings circulated that 2.5 billion Gmail accounts face higher risk after a breach of Google’s Salesforce database. At the same time, scammers pretending to be Google employees are contacting users through phone calls and emails, creating believable traps by using AI-driven scripts. These scams demonstrate why passwords must be replaced and why account security upgrades can no longer wait.
Google’s research shows that only 36 percent of users update their passwords regularly. That means most accounts remain vulnerable. If you have not changed your Gmail password this year, you should act now. Create a unique password with a reliable standalone password manager and avoid using the same password across multiple accounts. Criminals test stolen passwords on Amazon, PayPal, and other services, hoping to exploit users who repeat credentials.
Beyond changing passwords, Google recommends adopting passkeys as the default sign-in method. Passkeys use cryptographic keys instead of words, making them much harder to compromise. If a login screen still requests a password after you set a passkey, treat it as a clear phishing attempt. Google also urges users to replace SMS authentication with authenticator apps, which provide stronger defense.
Reports indicate that while the Salesforce hack did not leak passwords, it exposed customer and company data. That data already fuels phishing attempts. Reddit users describe suspicious calls from people posing as Google staff and strange “mail delivery subsystem” messages that mimic Gmail alerts. Attackers hope that panic drives users to click links and enter login details.
The safest approach is simple. Never sign in through an email link. Instead, go directly to your Google account settings and check your security activity there. To remain safe, Gmail users should follow three critical steps. First, change passwords immediately. Second, enable passkeys and use them as the primary login method. Third, replace SMS-based 2FA with an authenticator app.
Following these measures reduces the risk of hacking and protects both personal and professional accounts. With billions relying on Gmail each day, the guidance is urgent. The most effective step right now is clear: Gmail users change passwords and secure accounts against the rising wave of attacks.
READ: Android 16 Intrusion Detection Boosts Security with Encrypted Logs
