Google Confirms New Attack—Stop Using Your Passwords Now

Accounts are under attack
You need to take Google’s warning seriously. You need to stop using your password and change your account settings. Past advice is no longer valid and leaves you at risk. As multiple attacks are confirmed, doing nothing is no longer an option.
“We constantly roll out defenses against these types of attacks,” Google assured, as it confirmed a password attack on Instagram boss Adam Mosseri. Just as we have seen with the recent “no-reply” and “sites” hacks, this used legitimate Google infrastructure to legitimize malicious emails, forms and websites, enabling the threat.
Google warns users it will “never call you about your account.” These latest attacks all start with a phone call pretending to come from Google’s support desk, usually spoofing the number and other details to appear legitimate. Google also advises users to add passkeys to their accounts as “the strongest protection against threats.”
Passkeys link your account sign-in to your physical devices, letting you “sign in to your Google Account with your fingerprint, face scan, or phone screen lock, like a PIN.” But Google also warns that “if you add a passkey to your Google Account, it won’t change or remove any authentication or recovery factors you currently have on your account.”
That’s critical. Microsoft warns “if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing.” Microsoft wants users to delete passwords, but Google is keeping passwords as a backup to passkeys. You can’t delete your Google password, but there’s something you can and must do.
In your Google account settings, you will see multiple “2-Step Verification” options: passkeys and security keys; Google app prompts; authenticator apps; backup codes and phone numbers. While an attack can trick you into entering an authentication code into a fake sign-in page, the codes themselves cannot be intercepted or bypassed. With one exception.
This is the change you need to make. It’s very likely you have added your phone number as a 2-Step Verification option. Google says it “will use this number to help you sign in and to alert you if there’s unusual activity in your account.” But it also means it will send authentication codes to your phone by text or voice. And that’s dangerous.
SMS two-factor authentication is high-risk: such codes can be read by malware on the device or intercepted at the network level. That’s why America’s cyber defense agency warns “do not use SMS as a second factor for authentication.” CISA says “SMS messages are not encrypted — a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.”
You should use other 2-Step Verification options if you ever need to use your password. An authenticator app, Google prompts and even stored or printed backup codes are fine. Ensure one or more of those are set, and then delete any phone numbers included in the 2-Step Verification option. You can click the delete icon next to each number.
As for the account recovery use of a phone number, in the main account settings menu there is a “Recovery Phone” option “used to reach you in case we detect unusual activity in your account or you accidentally get locked out.” Make sure your number is stored here, even if it is not stored as a 2-Step Verification second step.
The main advice is never to use your password, even with 2-Step Verification, unless there is no other option. Use passkeys instead — that stops the attacks. It’s passwords that are being stolen, along with 2-Step Verification codes when attackers can trick users into giving them away. That’s not a risk with passkeys — there are no codes to share. If necessary, only ever use your password in an app or website you access directly and not via a link.
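Why a code can be phished but a passkey cannot comes down to what the user hands over. The following simulation is an added illustration, not code from Google or from the article: a one-time code is just a string, so whatever page the user types it into can relay it to the real sign-in server before it expires, whereas a passkey assertion is signed over data that the browser (not the page) stamps with the origin of the page that requested it, so the real server sees the look-alike address and rejects the relayed assertion. The origins, user name and server classes are constructed for the example, and an HMAC stands in for the passkey's private-key signature because the Python standard library has no asymmetric signing (the origin-binding property shown does not depend on the signature scheme).

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the genuine sign-in page and a look-alike phishing page.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"


class Authenticator:
    """A user's device-bound passkey (simulation). Assumption: an HMAC key stands in
    for the private key; with a real passkey the server would hold only a public key."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def credential_for_server(self) -> bytes:
        # Acceptable only inside this simulation (see assumption above).
        return self.key

    def sign(self, page_origin: str, challenge: str) -> tuple[bytes, bytes]:
        # The browser writes the origin into clientData; the page cannot choose it.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self.key, hashlib.sha256(client_data).digest(), "sha256").digest()
        return client_data, sig


class RelyingParty:
    """The genuine account server: issues challenges and one-time codes and verifies both."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.passkeys: dict[str, bytes] = {}
        self.pending_challenges: dict[str, str] = {}
        self.pending_codes: dict[str, str] = {}

    # --- passkey path ---
    def register_passkey(self, user: str, credential: bytes) -> None:
        self.passkeys[user] = credential

    def start_passkey_login(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending_challenges[user] = challenge
        return challenge

    def finish_passkey_login(self, user: str, client_data: bytes, sig: bytes) -> bool:
        expected = self.pending_challenges.pop(user, None)
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") != expected:
            return False  # stale, reused or unknown challenge
        if data.get("origin") != self.origin:
            return False  # assertion was produced for a different site: relay detected
        mac = hmac.new(self.passkeys[user], hashlib.sha256(client_data).digest(), "sha256").digest()
        return hmac.compare_digest(mac, sig)

    # --- SMS / authenticator-app code path ---
    def send_code(self, user: str) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_codes[user] = code
        return code  # in reality delivered to the user's phone or app

    def verify_code(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.pending_codes.pop(user, ""), code)


def code_phishing_succeeds() -> bool:
    """The user types a genuine code into the look-alike page, which relays it at once."""
    rp = RelyingParty(REAL_ORIGIN)
    code = rp.send_code("alice")            # alice receives the real code
    typed_on_phishing_page = code           # ...and types it into the wrong page
    return rp.verify_code("alice", typed_on_phishing_page)  # server cannot tell the difference


def passkey_phishing_succeeds() -> bool:
    """The look-alike page relays a real challenge, but the assertion names its own origin."""
    rp = RelyingParty(REAL_ORIGIN)
    device = Authenticator()
    rp.register_passkey("alice", device.credential_for_server())
    challenge = rp.start_passkey_login("alice")
    client_data, sig = device.sign(PHISH_ORIGIN, challenge)  # browser stamps the phishing origin
    return rp.finish_passkey_login("alice", client_data, sig)  # rejected: origin mismatch


def passkey_login_succeeds() -> bool:
    """The same flow on the genuine page verifies normally."""
    rp = RelyingParty(REAL_ORIGIN)
    device = Authenticator()
    rp.register_passkey("alice", device.credential_for_server())
    challenge = rp.start_passkey_login("alice")
    client_data, sig = device.sign(REAL_ORIGIN, challenge)
    return rp.finish_passkey_login("alice", client_data, sig)


if __name__ == "__main__":
    print("code phishing succeeds:   ", code_phishing_succeeds())     # True
    print("passkey phishing succeeds:", passkey_phishing_succeeds())  # False
    print("genuine passkey login:    ", passkey_login_succeeds())     # True
```

A real WebAuthn server also checks the rpIdHash in the authenticator data and a signature counter, and the browser refuses to let a page request a passkey for a domain it does not belong to; those checks reinforce the same point, and the origin comparison alone is enough to show why there is no code for a phishing page to collect.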