Google Confirms Gmail Data Breach Warning Is Fake News
The stories are not true — Google responds.
dpa/picture alliance via Getty Images
Republished on September 1, with Google issuing a formal denial as viral headlines get “out of hand.” This story was originally published on August 31.
There is a viral story (1,2,3) suggesting Google has issued an emergency warning to all 2.5 billion Gmail users with accounts at risk following its recent Salesforce breach. The only problem is the story is completely misleading – there is no such warning.
Google has now responded, telling me that “unfortunately, several inaccurate claims surfaced this week incorrectly claiming we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false.”
The company is concerned that the viral nature of the story is creating a “dangerous” sense of panic amongst users. “While it’s always the case that phishers are looking for ways to infiltrate inboxes,” I was told, “our protections continue to block more than 99.9% of phishing and malware attempts from reaching users.”
That doesn’t mean Google and Gmail account are not at risk — of course they are. They remain a prime target for phishing and other attacks — but that’s business as usual. They are not at risk en masse because of a data breach within its B2B ad systems.
Google offers a raft of protections you can apply to your accounts — all of the Google platforms you use, and those you access with your sign-in with Google credentials. That makes it critically important to ensure your account security is robust.
That’s why the company recommends passkeys and a strong form of two-step verification, which means anything but SMS one time codes. An authenticator app is best. But it’s passkeys that are the real stronghold for accounts. They can’t be bypassed or stolen, and they ensure only someone with physical access to your unlocked devices can access your accounts — they can’t be stolen or used remotely. You should also ensure you have a strong, unique password that’s not reused anywhere else.
“We want to reassure our users that Gmail’s protections are strong and effective,” the company says in the wake of this misleading story doing the rounds. It points users to its guidance on phishing attacks and available remedies.
Come Monday, the stories about the worldwide, emergency Gmail data breach story continues to come. It dominates newsfeeds for Google and Gmail. Google now says the Gmail data breach stories “have gotten so out of hand,” that it has taken the extreme and unusual step of publishing an official denial.
“Gmail’s protections are strong and effective, and claims of a major Gmail security warning are false,” the company posted on Monday.
“We want to reassure our users that Gmail’s protections are strong and effective. Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false.”
The company added that “while it’s always the case that phishers are looking for ways to infiltrate inboxes, our protections continue to block more than 99.9% of phishing and malware attempts from reaching users.”
Google says “security is such an important item for all companies, all customers, all users — we take this work incredibly seriously. Our teams invest heavily, innovate constantly, and communicate clearly about the risks and protections we have in place. It’s crucial that conversation in this space is accurate and factual.”
That said, business as usual attacks remain a risk, and so “best practices for additional protection, we encourage users to use a secure password alternative like Passkeys, and to follow these best practices to spot and report phishing attacks.”
Bottom line — there is no large scale Gmail data breach or mass warning for 2.5 billion users worldwide. A number of separate stories have been conflated into a data breach that never was, and users are understandably alarmed. Don’t be.