If You Get This Message From Apple Or Google, It’s An Attack

Delete all these messages.
There’s nothing a cyber criminal likes more than highly publicized events, sudden fear and a sense of urgency. And so last week’s headlines that 16 billion passwords leaked in the “largest ever data breach” hit the jackpot. That it “opened access” to Apple and Google accounts, the most prized of all, just made it all the sweeter.
The fact that there is no new data breach affecting Google, Apple, Microsoft or Facebook is beside the point. The dataset is an amalgamation of earlier breaches, collected from multiple sources including infostealer malware on PCs. But users reading the headlines will not realize this and will understandably panic.
This highlights the weakness in using passwords to secure accounts. Despite what you’ve read, the answer is not to reset or change all your passwords. It’s to enable two-factor authentication on all your key accounts — especially the likes of Apple, Google, Microsoft, Facebook and Amazon. Better still, switch to passkeys where you can.
But many everyday users are now at risk from attacks, whether or not their user names and passwords were in any of those breached datasets. Attackers will now send out emails pretending to be from Apple, Google or other brands, warning of the breach and linking to the public headlines and password reset advice. And those emails or texts will helpfully include a password reset link or a helpline number to call — that’s the attack.
Those links or calls will try to steal your password, to gain access to your account and anything within it. We’ve already seen multiple attacks on Apple and Google users, with fake support emails or calls or texts warning accounts are compromised and passwords need to be reset. These recent headlines are a surprise gift to those attackers.
And so, a timely reminder that no major tech brand — Google, Apple, Microsoft and Facebook included — will ever reach out to you about an account security problem or to reset a password. If you receive any such message or call, it’s an attack. Period.
Google has asked me in the past to “please reiterate to your readers that Google will not contact you to reset your password or troubleshoot account issues.” The same is true for all those others. It never happens. As the FBI says, “legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals.”
Even if a message is so plausible that you can’t ignore it, you must still delete it and access your account the usual way, online or through the app. If there is a genuine password issue, you’ll be directed to a reset option there. There won’t be. Similarly, if you receive a call or a message asking you to call back, do not respond. Access your account as normal.
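The rule above, that any unsolicited breach or reset message is treated as an attack, can be applied mechanically. The following is an added example (not code from the article or from any of the brands named) that triages a message claiming to come from a brand: it checks the sender and every link against a small allowlist of brand domains, looks for the breach/reset lure phrases and call-back numbers the article describes, and flags the message if any of those are present. The allowlist, the lure phrases and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate brand domains (an assumption for this example,
# not a list from the article); real brands use more domains than these.
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "google": {"google.com", "gmail.com"},
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
}

# Lure phrases typical of the breach-themed messages the article describes.
LURE_PATTERNS = [
    r"\bdata breach\b",
    r"\bpasswords? (?:was|were|have been) (?:leaked|compromised)\b",
    r"\breset your password\b",
    r"\baccount (?:is|has been) compromised\b",
    r"\bcall (?:us|back|now)\b",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def registrable_domain(host: str) -> str:
    # Simplification: last two labels only; does not handle suffixes like co.uk.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def assess_message(sender: str, body: str, claimed_brand: str) -> dict:
    """Return why a message claiming to be from `claimed_brand` should be treated as an attack."""
    legit = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    reasons = []
    sender_domain = registrable_domain(sender.split("@")[-1])
    if sender_domain not in legit:
        reasons.append(f"sender domain {sender_domain} is not a {claimed_brand} domain")
    for url in URL_RE.findall(body):
        dom = registrable_domain(urlparse(url).hostname or "")
        if dom not in legit:
            reasons.append(f"link {url} points at {dom}, not {claimed_brand}")
    lures = [p for p in LURE_PATTERNS if re.search(p, body, re.I)]
    if lures:
        # The article's rule: an unsolicited reset/breach message is an attack
        # even when the sender and links look legitimate.
        reasons.append(f"breach/reset lure phrases present: {len(lures)}")
    if PHONE_RE.search(body):
        reasons.append("message supplies a phone number to call back")
    return {"treat_as_attack": bool(reasons), "reasons": reasons}
```

A message that passes the domain checks but still carries a reset lure is flagged on the lure alone, which is the article's point: go to the account directly rather than through the message.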
Google and Apple account details are the most valuable, granting access to many apps and services and the mobile phones that control our lives. But treat any messages from Microsoft or Facebook or any other brand in the wake of this “breach” the same way. The key advice — to add 2FA or passkeys — will protect you even if a breach is new. The final advice is to avoid SMS 2FA — use another method if you can.