Google Confirms Accounts Are Being Hacked — How To Recover Yours
Update: August 5, 2025 - This story, originally published on August 3, has been updated with further mitigation advice as well as a new report regarding phishing and credential theft trends as Google confirms account hacking spike and issues guidance for attack recovery to impacted users.
The Threat is Real
Google has confirmed a massive spike in the number of attacks against Google users, specifically password-stealing threats delivered by email, which increased by 84% last year, a worrying trend that has "only intensified in 2025." If you need proof of the danger of these infostealer attacks, I could point you to any number of reports, but to be honest, you've probably already read them.
Help — My Google Account Has Been Hacked
Taking a quick peek at the Google online support forums, both official and those on Reddit, will soon reveal that there is a constant stream of messages from people asking for help to access their hacked accounts. Examples have included a user who says that a hacker has changed their Google account phone number and recovery email, and when they try to log in, it says their password has been changed.
Another says they got a notification about suspicious activity, but by the time they actually checked, it was too late, and a hacker had also changed their contact and recovery details. A third complains that the hacker of their account has added a passkey to the account, and every time they try to log in, it requires a QR code to be scanned or a device they don’t have to be used for authentication.
The Problem is Real
On July 29, Google's senior director of product management, Andy Wen, confirmed the extent to which this is an issue. "Attackers are intensifying their phishing and credential theft methods, which drive 37% of successful intrusions," Wen warned.
The Rise of Cookie and Authentication Token Theft
Wen also noted that Google has observed an "exponential rise in cookie and authentication token theft" as a means for hackers to compromise accounts. This trend highlights the increasing sophistication of phishing attacks, which are becoming more prevalent and effective.
Prioritizing Prevention over Recovery
I have covered the steps to take in order to mitigate these attacks in various articles here at Forbes.com, and I suggest you go check them out. But what if the worst happens and you fall victim to a Google account hacker and find yourself locked out of accessing your precious account? The account that, among other things, opens the sensitive data vault that is your Gmail inbox.
Recovering Your Account: A Simple Guide
The Power of Passkeys
The single most effective method of preventing a hacker from taking over your account is to use a more secure form of user credentials than a username and password combo, even when coupled to two-factor authentication. Yes, and I don’t apologize for continuing to hammer this advice home, I’m talking about passkeys.
A Public Key-Private Key Duo
Passkeys are composed of two distinct keys: a public key which is unique and both created and stored on a company server, and a private key stored only on the user’s device. Think of the public key as being the thing that creates a challenge that can then only be correctly solved by the private key.
A Near-Impossibility to Guess or Intercept
These things make a passkey almost impossible for a hacker to guess or intercept, although I am almost loath to say it, as there is no such thing as perfect security. The keys are randomly generated and are never shared during the sign-in process.
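The challenge-and-response described above, as an added example that is not from the original article or from Google and that models the idea in simplified form rather than the full WebAuthn protocol. It assumes the key pair is generated on the user's device with only the public key registered on the server; the Server and Device classes, the origins and the account name are hypothetical.

```javascript
// Simplified passkey sign-in model, not full WebAuthn; origins and account name are constructed.
const crypto = require("node:crypto");
class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key, the only key held here
    this.pending = new Map();    // user -> outstanding one-time challenge
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    this.pending.set(user, crypto.randomBytes(32));
    return this.pending.get(user);
  }
  verify(user, assertion) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use: a replayed assertion finds no challenge
    const publicKey = this.publicKeys.get(user);
    if (!challenge || !publicKey || !assertion) return false;
    // Rebuild the signed message from the server's own challenge and origin.
    const expected = Buffer.concat([challenge, Buffer.from(this.origin)]);
    return crypto.verify(null, expected, publicKey, assertion.signature);
  }
}

class Device {
  constructor() { this.keys = new Map(); } // origin -> private key, never sent anywhere
  createPasskey(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey;
  }
  signIn(originSeenByBrowser, challenge) {
    const privateKey = this.keys.get(originSeenByBrowser);
    if (!privateKey) return null; // no passkey for this origin, nothing to hand over
    const message = Buffer.concat([challenge, Buffer.from(originSeenByBrowser)]);
    return { signature: crypto.sign(null, message, privateKey) };
  }
}

function demo() {
  const server = new Server("https://accounts.example.test");
  const device = new Device();
  server.register("alice", device.createPasskey(server.origin));
  const good = device.signIn(server.origin, server.newChallenge("alice"));
  const legit = server.verify("alice", good);
  const replay = server.verify("alice", good); // challenge already consumed
  const relayed = device.signIn("https://accounts.example-login.test", server.newChallenge("alice"));
  return { legit, replay, lookAlikeGotAssertion: relayed !== null };
}
```

Calling demo() returns the outcome of a genuine sign-in, a replay of the same response, and a request arriving from a look-alike origin; only the first succeeds, and at no point does the private key or a reusable secret leave the device.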
A Solution That’s Easy, Painless and Quick
Google itself gives three reasons as to why this is the case: Best of all, switching from a password and 2FA to a passkey is easy, painless and quick. So, what are you waiting for?
A New Report Highlights the Threat of Phishing
New Cisco Talos Report Adds Weight To Google Credential-Harvesting Warnings
Phishing has remained the prominent method of initial access for hackers, Lexi DiScola, an information security analyst with the Cisco Talos Intelligence Group, warned in a summary of the latest intelligence analysis report from Cisco Talos. And most of these phishing attacks involved credential harvesting, which adds weight to the warnings from Google about password-stealing threats to users.
Credential Harvesting: A Simplified and More Profitable Option
"The objective of the majority of observed phishing attacks appeared to be credential harvesting," DiScola said, "suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities, such as engineering a financial payout or stealing proprietary data."
The Importance of Awareness
In one case cited in the report, victims were directed to a fake Microsoft Office 365 login page requiring a fake 2FA input, “likely so the attacker could steal users’ credentials and session tokens.” All users, not just those of the Google platform, need to be alert to the risk.