Google Confirms Most Gmail Users Must Upgrade All Their Accounts

Most accounts need an upgrade, says Google.
Republished on June 21 with new advice after “record breaking” security alert.
Google has confirmed another attack on Gmail users this week. Yet again, its own infrastructure has been exploited to compromise user accounts. And yet again, it comes with another warning for users to upgrade their accounts — this is now a must.
Earlier this month, I covered Google’s warning that most of its users still only use basic password security and are wide open to data breaches and attacks. “We want to move beyond passwords altogether,” Google said, pushing users to replace them.
Passkeys, it says, “are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.” Put simply, this links account security to hardware security, and means there are no passwords to steal or two-factor authentication (2FA) codes to bypass or intercept.
While that is critical for Gmail users, it’s actually much wider. Google reached out to me after that article to emphasize that the benefits are more significant for users: Adding a passkey to a Google account protects all the services and accounts that can be accessed by that sign-in. Conversely, not doing so leaves all those other accounts at risk.
Even if most user accounts were secured by passwords and 2FA codes, there would still be a push to passkeys. And while Google, Microsoft and others make 2FA mandatory, the reality is that there’s still a risk that codes can be shared even if they can’t be stolen. That was the crux of the latest Gmail attack, tricking users into sharing codes.
Scams and Protections (June 2025)
The raft of headlines around a new 16 billion record data breach should focus minds, even if “this is not a new data breach, or a breach at all,” says Bleeping Computer. “The websites involved were not recently compromised to steal these credentials.”
Mashable agrees. “Some commentators were quick to call it the largest password leak in history, and in terms of raw records exposed, that’s mostly, technically true. However, these records did not come from a single breach — or even a new breach. Instead, they came from many smaller ones,” with “the end result more a ‘greatest hits’ rather than a new, noteworthy hack.” That said, it doesn’t change the fact that the data is out there.
Kaspersky says “the journalists haven’t provided any evidence of existence of this database. Therefore, neither Kaspersky’s experts nor anyone else has managed to analyze it. Therefore, we cannot say whether yours – or anyone else’s – data is in there.”
But, regardless, Google’s latest survey still paints a bleak picture. Although 60% of U.S. consumers say they “use strong, unique passwords,” less than 50% “enable 2FA.”
The truth is that the only form of simple 2FA is SMS codes, which are sent quickly without having to exit the app or click or tap. They even autofill and often auto-delete. But SMS is woefully insecure; it’s the worst possible 2FA option. And anything else — authenticator apps, physical keys, even trusted device or app sign-ins — is more painful.
Passkeys are the opposite. They’re even easier than passwords and SMS 2FA. The code (which you never see) combines your login ID, password and 2FA into a simple sign-in process authenticated by your device security — ideally biometrics. And because there is no code you can see or copy, you can’t share the passkey even if you want to. Even if any of the underlying code is stolen, it only works on your actual device.
Google is right — this is about much more than Gmail, even if those email account attacks generate headline after headline. While there are some misgivings about the dominance and data overreach of big tech, which uses its span of control to sign you into multiple services, even those it doesn’t own or control, it is more secure.
As Kaspersky suggests, “let’s set skepticism aside. Yes, we don’t reliably know what exactly this leak is, or whose data is in it. But that doesn’t mean you should do nothing. The first and best recommendation is to change your passwords,” which is an obvious immediate step. But it doesn’t solve the problem.
“Use passkeys wherever possible,” Kaspersky also tells users. “This is the modern passwordless method of logging into accounts, which is already supported by Google, iCloud, Microsoft, Meta and others.”
As Google says, “when you pair the ease and safety of passkeys with your Google Account, you can then use Sign in with Google to log in to your favorite websites and apps — limiting the number of accounts you have to maintain.”