Google's 7-Day Gmail Account Hack Warning — Act Now

Google has issued a critical warning to its users, alerting them to the threat of hacking attempts on their Gmail accounts within the next seven days. The newest attack campaign, armed with the latest AI tools, is designed to trick users into divulging sensitive information, allowing hackers to gain control of their email kingdom. If you're reading this, it's likely that your account has been targeted, or at least is at risk.

As a seasoned journalist, I've been reporting on the increasingly sophisticated threats facing Gmail users for months now. The pivotal moment for these attacks came when a convincing AI-driven hacking campaign nearly succeeded in fooling a cybersecurity consultant at the end of 2024. Despite Google's efforts, these attacks are still ongoing.

The latest attack to come to my attention is eerily familiar, with the target being Adam Mosseri, the head of Instagram. According to Mosseri, the attack began with a phone call that claimed to be from Google support, followed by an email sent from a noreply@google.com address claiming his account had been compromised and required an immediate password change. This pattern is all too common in attacks I've reported on across the past year.

The mitigations for these attacks are similarly familiar, and I advise you to start here and continue here. In Mosseri's case, a Google spokesperson confirmed that the Google form and site in question have been suspended, and reminded users that "Google will never call you about your account." However, if it's too late, and the attackers have compromised your account, changed your password, 2FA protections, and even your recovery email and telephone numbers, panic is not an option.

Do not panic: Google can help, but you do need to act fast. You have a limited window of seven days to recover your hacked Gmail account. The tactics used by these attackers are not unique to Gmail; all email platforms and online services are at risk of the same kind of account takeover threats. However, Gmail's high profile and massive user base make it a hacker magnet.

Google has confirmed that attackers do sometimes both compromise an account and change the password and other details to prevent the real owner from logging in. This is another good reason to always use the latest phishing-resistant authentication technology, such as a passkey, rather than wait for an attacker to use theirs to lock down your account.

"We recommend all users to set up a recovery phone as well as a recovery email on their account," Google said. "These can be used in cases where users forget their own passwords, or an attacker changes the credentials after hijacking the account." Importantly, the original Google account holder has a seven-day period in which they can use the original recovery details to regain account control from the attacker.

A recovery phone number is analogous to seatbelt use in your car; it enhances your ability to recover fully after a hack, just as a seatbelt enhances your chances of survival in a crash. When your recovery information is changed, Google told me, you can still use your existing email or phone number for seven days to receive account recovery sign-in codes.

So, what are you waiting for? Add those recovery details now and be prepared in case the worst happens and a sophisticated hacker takes control of your Gmail account. You have nothing to lose by following this advice, unlike ignoring it. Take action now and protect your email kingdom.