The stories are not true — Google responds.
dpa/picture alliance via Getty Images
There is a viral story (1,2,3) suggesting Google has issued an emergency warning to all 2.5 billion Gmail users that accounts are at risk following its recent Salesforce breach. The only problem is the story is completely misleading – there is no such warning.
Google has now responded, telling me that “unfortunately, several inaccurate claims surfaced this week incorrectly claiming we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false.”
The company is concerned that the viral nature of the story is creating a “dangerous” sense of panic amongst users. “While it’s always the case that phishers are looking for ways to infiltrate inboxes,” I was told, “our protections continue to block more than 99.9% of phishing and malware attempts from reaching users.”
That doesn’t mean Google and Gmail account are not at risk — of course they are. They remain a prime target for phishing and other attacks — but that’s business as usual. They are not at risk en masse because of a data breach within its B2B ad systems.
Google offers a raft of protections you can apply to your accounts — all of the Google platforms you use, and those you access with your sign-in with Google credentials. That makes it critically important to ensure your account security is robust.
That’s why the company recommends passkeys and a strong form of two-step verification, which means anything but SMS one time codes. An authenticator app is best. But it’s passkeys that are the real stronghold for accounts. They can’t be bypassed or stolen, and they ensure only someone with physical access to your unlocked devices can access your accounts — they can’t be stolen or used remotely. You should also ensure you have a strong, unique password that’s not reused anywhere else.
“We want to reassure our users that Gmail’s protections are strong and effective,” the company says in the wake of this misleading story doing the rounds. It points users to its guidance on phishing attacks and available remedies.