Google Confirms Gmail Update—Stop Using Your Password Now

Gmail is under attack
Here we go again. Google has confirmed another attack on Gmail users that combines inherent vulnerabilities in the platform with devious social engineering. The net result is a flurry of headlines and viral social media posts followed by an urgent platform update. Google’s security warning is clear. Users should stop using their passwords.
This latest attack has been bubbling on X and in a number of crypto outlets given the victim was an Ethereum developer. Nick Johnson says he was “targeted by an extremely sophisticated phishing attack,” one which “exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more.”
The attack started with an email from a legitimate Google address warning Johnson that it has been served with a subpoena for his Google account. “This is a valid, signed email,” Johnson says, “sent from no-reply@google.com. It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.”
This is clever: technically, the attackers have found a way to have Google send a correctly titled, legitimately signed email to themselves, which they can then forward to others, and the DKIM check still passes because the forwarded message is an unaltered copy of the original. But the objective is simpler: a credential phishing page that mimics the real thing.
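As an added example (not code from the article, from Google or from Johnson), the Python below flags the properties that let a validly DKIM-signed message be forwarded unchanged to someone it was never addressed to: the To: header not being covered by the signature, a signed To: that differs from the delivery address, and an old or never-expiring signature. It does not verify the signature itself; it assumes the mail is available as a raw RFC 5322 string with a Delivered-To header, and the sample message is constructed with placeholder signature values.

```python
import email
from email import policy
from email.utils import parseaddr

def _dkim_tags(msg):
    """Tag=value pairs of the first DKIM-Signature header (folding undone)."""
    unfolded = " ".join(str(msg.get("DKIM-Signature", "")).split())
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dkim_replay_indicators(raw_message, now, max_age=6 * 3600):
    """Reasons a signed message could be a replay; does not verify the signature."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    tags = _dkim_tags(msg)
    if not tags:
        return ["no DKIM-Signature header"]
    reasons = []
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    delivered_to = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    if "to" not in signed:
        reasons.append("To: header is not covered by the signature")
    elif delivered_to and to_addr != delivered_to:
        reasons.append(f"signed To: {to_addr} differs from Delivered-To: {delivered_to}")
    if tags.get("t", "").isdigit():
        age = now - int(tags["t"])
        if age > max_age:
            reasons.append(f"signature is {age // 3600}h old")
    if "x" not in tags:
        reasons.append("no expiry (x=) tag, signature never expires")
    return reasons

# Constructed sample: a genuinely signed alert forwarded on to a third party (bh=/b= are placeholders).
REPLAYED = """\
Delivered-To: victim@example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=sel;
 t=1713600000; h=from:subject:date:message-id; bh=AAAA; b=BBBB
From: Google <no-reply@google.com>
To: attacker-mailbox@example.net
Subject: Security alert
Date: Sat, 20 Apr 2024 08:00:00 +0000
Message-ID: <constructed-1@google.com>

Body
"""
```

Run `dkim_replay_indicators(REPLAYED, now=1713600000 + 3 * 86400)` to see the three indicators the sample triggers; a message whose signature covers a To: matching Delivered-To, is recent and carries an x= tag returns an empty list.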
“We’re aware of this class of targeted attack,” Google has now confirmed in a statement, “and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
That’s all that matters. Stop using your password to access your account, even if you have two-factor authentication (2FA) enabled, and especially if that 2FA is SMS-based. It is now too easy to trick you into giving up your login and password and then to bypass or steal the SMS codes as they arrive on your device. There’s nothing to stop an attacker from using your password and 2FA code on their own device.
What does stop them is a passkey. This is linked to your own physical device and requires your device security to unlock your Google account. That means if an attacker does not have your device, they can’t log in. While Google has not yet gone as far as deleting passwords completely (which is Microsoft’s stated intention), you will know not to use your password to sign in, which will stop a malicious phishing page from stealing it.
The cleverness of this latest attack, added to others we have seen in recent months, is easily thwarted by updating your account security. These attacks are getting ever more sophisticated, and AI will enable this level of “targeting” to be done on a massive scale. As Microsoft warns, “AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate.”
You can find details on adding a passkey to your Google account here.