Google Confirms Most Gmail Users Must Upgrade Accounts

Posted by Zak Doffman, Contributor | 2 hours ago


Republished on June 8 with a new warning about Google account attacks.

Your email is under attack. You know this, of course, but Google just confirmed that 61% of email users have been targeted by attacks. If that sounds alarming, the situation with text messaging is even worse, hitting almost all American phone users.

Google also warns that more than 60% of U.S. users saw “an increase in scams over the past year,” with more than half “personally experiencing a data breach.” While these numbers are “far from surprising,” Google says, what is surprising is that almost all users are yet to upgrade their accounts to make them safer and more secure.


Most users, Google says, “still rely on older sign-in methods like passwords and two-factor authentication (2FA),” despite the push to upgrade accounts to passkeys as well as social sign-ins, which use authenticated platforms like “Sign in with Google.” This doesn’t just impact Gmail, it covers all your Google services and anywhere you sign in with your Google account. Upgrading your account security applies everywhere.

The situation is slightly more promising with younger users. “Digitally-native Gen Z users are bypassing outdated security norms like passwords, opting for more advanced authentication tools.” Google says this generation is “more reliant on passkeys or social sign-ins,” albeit they’re also more likely to reuse and less likely to change passwords.

Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.


Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign-ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”

Adding a passkey to your Google account also means “you can rely on just your Google Account to log in to your favorite websites and apps — limiting the number of accounts you have to maintain.” Put more simply, because passkeys link to your hardware, primarily your phone, this secure device becomes a digital key for all critical accounts.

The importance of acting quickly has been reinforced in the latest report from the team at Check Point. “Breaches are not a matter of if but when, which is why relying solely on passwords is a dangerous oversight… If you think your users’ passwords are secret, think again. Credential dumps from breached companies are traded daily on the dark web. Password reuse is rampant. Phishing attacks are more sophisticated than ever, and employees are fallible — always have been, always will be.”

As Check Point says, “attackers don’t ‘hack’ most systems today. They log in using stolen credentials obtained through phishing, social engineering, credential stuffing, or simple brute force attacks. Once inside, they move laterally, escalate privileges, and exfiltrate data, often going unnoticed for months.”

Per the FIDO Alliance, the answer is passkeys. “Passkeys are phishing resistant and secure by design. They inherently help reduce attacks from cybercriminals such as phishing, credential stuffing, and other remote attacks. With passkeys there are no passwords to steal and there is no sign-in data that can be used to perpetuate attacks.”

“Passkeys are a replacement for passwords,” FIDO says. “A password is something that can be remembered and typed, and a passkey is a secret stored on one’s devices, unlocked by the user the same way they unlock their device. Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets. Passkeys simplify account registration for apps and websites, are easy to use, work across all of a user’s devices, and even other devices within physical proximity.”
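The phishing resistance FIDO describes comes from the sign-in being a signature over a fresh server challenge and the origin the browser actually sees, while the server stores only a public key. The Node.js sketch below is an added illustration, not code from Google, FIDO or this article; it is a simplified model of a WebAuthn assertion check, and the origins, function names and in-memory key pair are assumptions made for the example.

```javascript
const crypto = require("crypto");

const RP_ORIGIN = "https://accounts.example.com";               // hypothetical real site
const PHISH_ORIGIN = "https://accounts.example.com.login.test"; // constructed look-alike
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Registration: the private key never leaves the device; the server keeps the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });

// Device side (simplified): the browser, not the page, writes the origin it is really on,
// and the authenticator signs a hash of that record together with the challenge.
function signIn(originSeenByBrowser, challenge) {
  const clientData = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: originSeenByBrowser,
  }));
  return { clientData, signature: crypto.sign("sha256", sha256(clientData), privateKey) };
}

// Server side: every check must pass before the session is created.
function verifyAssertion({ clientData, signature }, expectedChallenge, storedPublicKey) {
  const data = JSON.parse(clientData.toString("utf8"));
  if (data.type !== "webauthn.get") return "wrong-type";
  if (data.origin !== RP_ORIGIN) return "wrong-origin";
  const got = Buffer.from(String(data.challenge), "base64url");
  if (got.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(got, expectedChallenge)) return "wrong-challenge";
  if (!crypto.verify("sha256", sha256(clientData), storedPublicKey, signature)) return "bad-signature";
  return "ok";
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const legit = verifyAssertion(signIn(RP_ORIGIN, challenge), challenge, publicKey);
  // A phishing proxy relays the real challenge, but the signed origin is the look-alike.
  const captured = signIn(PHISH_ORIGIN, challenge);
  const phished = verifyAssertion(captured, challenge, publicKey);
  // Rewriting the origin after the fact invalidates the signature.
  const forged = { ...captured, clientData: Buffer.from(
    captured.clientData.toString("utf8").replace(PHISH_ORIGIN, RP_ORIGIN)) };
  const tampered = verifyAssertion(forged, challenge, publicKey);
  // A previously valid response is useless against the next login's challenge.
  const replayed = verifyAssertion(signIn(RP_ORIGIN, challenge), crypto.randomBytes(32), publicKey);
  return { legit, phished, tampered, replayed };
}

console.log(demo());
```

A real relying party also checks the authenticator data (RP ID hash, user-presence flags, signature counter), which this sketch leaves out.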

As attacks on Google accounts spiral, it becomes ever more critical to add a passkey and then to avoid using your password and any form of 2FA on any website unless there is no option. And if that is ever the case, you need to make sure you have accessed that website directly through your usual channels or your apps, not from any link or message.


As Black Duck’s Thomas Richards told me, “It’s very difficult for end users to identify browser-based phishing attacks since they are mostly using trusted services. Before proceeding with account creation, or entering credentials on an unknown website, it’s best to do some research to ensure that it is the original website and not a forgery. This can be accomplished with an internet search as the search providers have done a good job of not allowing malicious sites to be listed in the top results.”

Per ABC News, “Gmail, Google Calendar, and Google Meet are all useful tools, but now cybercriminals are finding ways to mimic them. It’s not just another spam text or email. They are sophisticated phishing links which could be placed into popular Google tools like Google Calendar and Google Meet, all of it to deceive and defraud.” It’s no surprise Google is pushing passkeys and emphasizing protection across its account ecosystem.

“If you have a smartphone, an email address or even just regularly use social media,” Google says, “you’re probably seeing a lot more scams these days. Don’t worry, you’re not paranoid — and you’re not alone. The FBI says online scams raked in a record $16.6 billion last year — up 33% in just one year — and they’re growing more sophisticated.”


Microsoft has gone further than Google and is pushing users to delete passwords, given they present an account vulnerability if still in place. “At Microsoft, we block 7,000 attacks on passwords per second—almost double from a year ago. At the same time, we’ve seen adversary-in-the-middle phishing attacks increase by 146% year over year.”

While you can’t do that with your Google account today, you can avoid using your password and you can change 2FA to remove SMS and only use options linked to your devices — authenticator apps or Google prompts. Google does say passwords will eventually go and it will turn to them less and less, but you can accelerate an upgrade to your own account now. As Google suggests, make those account changes today.


