Google’s Gmail Warning—Change Every Password That’s On This List

Posted by Zak Doffman, Contributor


Republished on August 10 with new warnings about AI hacking risks for Gmail users.

Google has confirmed that attacks on Gmail users to steal security credentials are now surging and are behind “37% of successful intrusions.” Put more simply, password theft is allowing hackers to gain access to accounts. This includes infostealer malware, “which is increasingly being used to enable intrusions using stolen credentials.”

Google warns users to upgrade the security on their accounts. This means always using a passkey or “Sign in with Google” instead of a password. It means never using a linked or popup sign-in window. But it also means using only strong, unique passwords and enabling a non-SMS form of two-factor authentication (2FA).


Google’s research finds most users are yet to add passkeys, even though “unlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user’s device.” More worryingly, most users “still rely on older sign-in methods like passwords.” So, it’s critical those passwords are not a gift to hackers.

Hive Systems warns “password reuse, short character lengths, and weak complexity remain some of the easiest ways attackers gain access to systems.” The team has listed “time-to-crack estimates for passwords of various lengths and character sets.”

This guide shows why a combination of upper and lowercase letters, numbers and symbols is best. But only if it’s eight characters or more. It also takes a standalone “brute force” approach. But in the real world, an attacker does not start from scratch. That means the times to crack are much shorter — sometimes no time at all.

It doesn’t matter how long or complex your password is. If it’s reused and has been breached or stolen, then all accounts with that same password will be at risk.

Take a look at NordPass’s top-200 most common passwords, a horror list now in its sixth year of shaming us all into better password hygiene. To assemble the data, “we analyzed passwords stolen by malware or exposed in data leaks,” the firm says.

If your password makes the list or is anything like one of those on the list, then change it now — right now. The combination of the NordPass and Hive Systems reports should explain exactly how to craft a good password. Better still, use a standalone (not browser-based) password manager to create strong, unique passwords for all accounts.

None of this changes the most critical advice though. Add a passkey to your Google account and always use this to sign in. Replace SMS 2FA with an authenticator app. And never log into any Google account through a linked or popup sign-in prompt.
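The point above about brute-force estimates versus listed, look-alike or reused passwords can be shown with a short password audit. This is an added example, not code from Google, NordPass or Hive Systems; the sample list, the guess rate and all function names are constructed assumptions.

```python
import string

# Constructed sample of widely seen passwords; NOT the NordPass top-200 itself.
COMMON_SAMPLE = {"123456", "password", "qwerty", "letmein", "iloveyou"}
# Assumed offline guess rate, for illustration only (not a Hive Systems figure).
ASSUMED_GUESSES_PER_SECOND = 1e10
# Undo common character substitutions: @/4 -> a, 3 -> e, 0 -> o, 1/! -> i, $/5 -> s
LEET = str.maketrans("@4301!$5", "aaeoiiss")


def charset_size(pw):
    """Size of the alphabet a blind brute-force search would have to cover."""
    size = 26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
    size += 10 * any(c.isdigit() for c in pw)
    size += len(string.punctuation) * any(c in string.punctuation for c in pw)
    return size


def brute_force_seconds(pw, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to exhaust every string of this length and alphabet."""
    return charset_size(pw) ** len(pw) / rate


def normalize(pw):
    """Strip trailing digits/symbols, then lowercase and undo substitutions."""
    return pw.rstrip(string.digits + string.punctuation).lower().translate(LEET)


def audit(pw, already_used=()):
    """Return (verdict, reason); already_used holds the user's other passwords."""
    if pw in already_used:
        return ("reject", "reused on another account")
    if pw.lower() in COMMON_SAMPLE:
        return ("reject", "on the common-password list")
    if normalize(pw) in COMMON_SAMPLE:
        return ("reject", "variant of a listed password")
    if len(pw) < 8:
        return ("reject", "shorter than eight characters")
    return ("accept", "not listed, not reused, long enough")


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd2024!", "vK9#tq!Lw2@xZr7m"]:
        years = brute_force_seconds(candidate) / 31_557_600
        print(f"{candidate!r}: brute force ~{years:.2e} years, audit={audit(candidate)}")
```

The second candidate mixes all four character classes over 13 characters, so its brute-force figure is enormous, yet the audit rejects it as a variant of a listed password.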

While Gmail accounts might be one of the most prized targets for hackers targeting Google users, Android Police has just reminded all those users that “your Google Account is the skeleton key to your digital life.” In addition to Gmail, it unlocks “Google Photos, Google Drive, saved passwords, and more.” You need to keep it safe.


The website offers the sound advice to run Google’s in-house account audit. While logged in, open Google’s Security Checkup tool to check who has “copies of that key.”

You should first check the “Manage all devices” setting. “Carefully review this list,” Android Police suggests. “Do you see a computer, tablet, or phone you don’t own or have long since gotten rid of? If so, click it and select Sign out.” And “if you see your phone listed multiple times,” it could just be that you’re “using different web browsers.”

This checkup is worthwhile for a host of other reasons as well. As Google says, “to protect your Google Account, we strongly recommend following the steps below regularly.” And within that checkup, you could see “a red, yellow, or blue exclamation point icon to recommend immediate action for your Google Account.”

The need for robust account security was already critical, but the fact AI platforms can now access our most sensitive data stores in the interests of convenience and potential trial productivity gains makes that even more so.

I have warned before that Gmail users in particular need to be mindful of the raft of new Gemini upgrades coming to their inboxes. Whether it’s AI-fueled relevancy search, summaries or smart replies, once an AI platform is rifling through your content you need to be very certain there are no weak entry points being left behind.

This risk has just been highlighted again, with ChatGPT getting the keys to a user’s Gmail for the first time. But as Mashable warned post OpenAI’s announcement, “there are, of course, privacy concerns here. Some of us have been using Gmail for a decade or more, meaning a lot of personal info can be hidden in there. Giving over access of that to a chatbot that vacuums up data by design might be a bridge too far for some users.”

Futurism goes even further. “It’s staggeringly easy for hackers to trick ChatGPT into leaking your most personal data,” it says, adding that “this is very, very bad.”


Futurism’s warning relates to prompt injection attacks, where instructions for an AI assistant are hidden from a user’s sight within a document the AI assistant then reviews or acts upon. That’s the same risk that prompted (no pun intended) warnings about Gmail’s new AI summaries.

But the more widespread risk is that an AI assistant operating on your behalf likely has your security authentication for the websites it visits. Changing or shoring up account security won’t stop that, but locking down accounts to force a more robust login process will help ensure you know when you’re at risk.



Forbes
