Google Issues Alert: Gmail Passwords and Accounts at Risk
Technology giant Google has issued a fresh security alert, revealing that cybercriminals are exploiting certain technical vulnerabilities in Gmail to carry out attacks. The company warned that these attackers are using highly convincing fake emails and phone calls to deceive users. In this context, Google urged users to stay alert and adopt stronger security practices. Specifically, it strongly recommended using passkeys instead of passwords for better account protection.
Google disclosed that cybercriminals have identified a technical flaw in Gmail and manipulated it for malicious purposes. Using artificial intelligence (AI), these attackers are sending emails—and at times making phone calls—that appear to originate from Google itself. Alarmingly, some of these counterfeit emails contain a valid DKIM (DomainKeys Identified Mail) signature, making them seem authentic and increasing the likelihood that users might trust them.
The company cited a recent incident in which a developer received a fraudulent “legal notice” email, believing it was genuinely from Google. The primary aim of these deceptive actions is to steal users' login credentials—usernames and passwords—and thereby gain access to their personal information. In some instances, hackers have reportedly taken full control of user accounts, including changing passwords and recovery options.
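The DKIM detail above is the security-relevant point: a signature that verifies only proves the mail was signed by whatever domain appears in the signature's d= tag, not that it came from the domain shown in From. The following added example (written for this page, not code from Google or the article; all headers and domains are constructed) reproduces the alignment check that DMARC layers on top of DKIM, so a message that passes DKIM under an unrelated signing domain is flagged rather than trusted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the incident in the article). The receiving
# server recorded dkim=pass, but the signing domain (d=) is unrelated to the From domain.
UNALIGNED_SAMPLE = """\
From: "Account Team" <notice@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-mailer.example.org; s=sel1;
 h=from; bh=PLACEHOLDER; b=PLACEHOLDER
Authentication-Results: mx.example.net; dkim=pass header.d=bulk-mailer.example.org

constructed body
"""

# Same message, but signed by a host under the From domain's own organization.
ALIGNED_SAMPLE = UNALIGNED_SAMPLE.replace("bulk-mailer.example.org", "mail.example.com")

def dkim_signing_domains(msg):
    """Return the lowercased d= tag of every DKIM-Signature header."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in sig.replace("\n", "").split(";") if "=" in t)
        if "d" in tags:
            domains.append(tags["d"].strip().lower())
    return domains

def from_domain(msg):
    """Domain of the address in the visible From header."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def organizational_domain(domain):
    """Relaxed-alignment key. Simplified to the last two labels;
    production code should consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def dkim_aligned(msg, relaxed=True):
    """True if any DKIM signing domain matches the From domain (strict or relaxed)."""
    fd = from_domain(msg)
    return any(d == fd or (relaxed and organizational_domain(d) == organizational_domain(fd))
               for d in dkim_signing_domains(msg))

def dkim_verdict(raw_message):
    """Combine the server's dkim=pass result with From alignment, as DMARC does."""
    msg = message_from_string(raw_message)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if re.search(r"\bdkim=pass\b", auth) is None:
        return "dkim-fail"
    return "dkim-pass-aligned" if dkim_aligned(msg) else "dkim-pass-unaligned"
```

A verdict of dkim-pass-unaligned is the case the article warns about: cryptographically valid, yet no evidence that the visible sender domain was involved.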
Google expressed concern that traditional security measures like passwords and SMS-based two-factor authentication (2FA) are no longer sufficient. These methods are increasingly vulnerable to attacks, the company noted. Therefore, Google strongly recommended moving away from password-based authentication in favor of the more secure "passkey" system.
A passkey is a secure method that allows users to log in using fingerprint recognition, face recognition, or a PIN on their specific device—such as a phone or computer. Google assured that this approach offers significantly better protection against phishing attacks.
To enhance account security, Google has advised users to follow these key recommendations:
Set up Passkeys: Set up a passkey for your Gmail account as soon as possible.
Use Google Prompt: Instead of SMS-based verification, use ‘Google Prompt’—a notification-based login approval system on your phone.
Update Recovery Details: Link a recovery phone number and recovery email to your account, and ensure they are kept up to date.
Exercise Caution: Avoid clicking on suspicious or unexpected email links under any circumstances.
Change Your Password: As an immediate precaution, update your Gmail password without delay.
Google confirmed that it released the necessary security updates as soon as this cyberattack was detected. However, experts stress that user vigilance and adherence to the recommended security measures remain vital for personal protection.