Republished on August 25 with new attack reports and updated security advice for Gmail users.
Google has confirmed that hackers are actively gaining access to Gmail accounts, with compromised passwords behind a significant number of successful intrusions. The tech giant has now issued a critical warning — most Gmail users must change their passwords and strengthen account security to stay protected.
Gmail Users at Risk After Google Database Hack
This month, multiple reports revealed that all 2.5 billion Gmail users could be at risk following a breach of Google’s Salesforce database. Hackers are also using phishing scams, fake Google support calls, and even AI tools to trick users into revealing credentials.
Google has acknowledged that scammers are impersonating support staff, targeting account holders through emails, phone calls, and fake login pages designed to steal passwords and bypass two-factor authentication (2FA).
Why Passwords Alone Are No Longer Safe
Before these recent attacks, Google had already urged users to upgrade account security with stronger measures such as:
- Passkeys (recommended default sign-in method)
- Two-factor authentication (2FA) without SMS
- Regular password updates
However, the majority of users still rely solely on passwords. Google’s data shows that only 36% of Gmail users regularly update their passwords, leaving accounts exposed to phishing and brute-force attacks.
How to Secure Your Gmail Account Now
If you haven’t updated your Gmail password this year, do it immediately. Security experts recommend the following steps:
- Change your Gmail password now — use a unique, strong password generated by a standalone password manager (not Chrome's or another browser-based manager).
- Enable passkeys — set a passkey as your default sign-in method. If any login page still asks for a password, treat it as a red flag.
- Switch to authenticator-based 2FA — avoid SMS codes, which can be intercepted.
- Never sign in through emailed links — always access Gmail directly via mail.google.com or the official Google app.
- Regularly review account security — go to your Google Account > Security > Review Security Activity.
Latest Reports of Gmail Attacks
According to PC World, Google has confirmed that while customer and company names were leaked in the Salesforce breach, passwords were not directly exposed. Still, attackers are leveraging the stolen data to power phishing campaigns.
Reddit users have already reported phishing attempts disguised as Google security alerts and “mail delivery subsystem” emails. Security experts warn these are spoofed messages designed to trick users into entering login details.
Final Warning for Gmail Users
With phishing and credential-stealing attacks rising, Google stresses that passwords remain an inherent weakness unless replaced with passkeys. Until then, changing passwords, enabling 2FA, and defaulting to passkeys are the only effective defenses against account hijacking.
👉 If you receive suspicious emails or calls claiming to be from Google, do not click links or share login details. Instead, verify directly through your Google Account security settings.
