Google Confirms Accounts Are Being Hacked — How To Recover Yours

August 5, 2025: This story, originally published on August 3, has been updated with further mitigation advice as well as a new report regarding phishing and credential theft trends as Google confirms account hacking spike and issues guidance for attack recovery to impacted users.

A Massive Spike in Attacks Against Google Users

Google has confirmed a massive spike in the number of attacks against Google users, specifically password-stealing threats delivered by email, which increased by 84% last year — a worrying trend, Google said, that has “only intensified in 2025.” If you need proof of the danger of these infostealer attacks, I could point you to any number of reports, but to be honest, you’ve probably already read them.

A Constant Stream of Messages from Hacked Accounts

Take a quick peek at the Google online support forums, both official and those on Reddit, and you will soon realize that there is a constant stream of messages from people asking for help to access their hacked accounts. Examples have included a user who says that a hacker has changed their Google account phone number and recovery email, and when they try to log in, it says their password has been changed.

Google's Advice on How to Recover Your Account

Don't panic, Google has got you covered. If your Google account has been hacked, or you find yourself locked out for whatever reason, there’s a helpful official online guide to recovering access in just a few simple steps. All that said, prevention is still better than cure.

The Single Most Effective Method of Prevention: Passkeys

The single most effective method of preventing a hacker from taking over your account is to use a more secure form of user credentials than a username and password combo, even when coupled to two-factor authentication. Yes, and I don’t apologize for continuing to hammer this advice home, I’m talking about passkeys.

Passkeys are, in fact, comprised of two distinct keys: a public key, which is unique and both created and stored on a company server, and a private key stored only on the user’s device. Think of the public key as being the thing that creates a challenge that can then only be correctly solved by the private key.

The Benefits of Passkeys

These things make a passkey (and I am almost loath to say it, as there is no such thing as perfect security) almost impossible for a hacker to guess or intercept. The keys are randomly generated and are never shared during the sign-in process.
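
The sign-in exchange described above, sketched in JavaScript (Node.js) as an added example that is not from the original article or from Google. It is a simplified model rather than the real WebAuthn message format: the key pair is generated on the device, the server issues a random challenge and checks the signed reply against the stored public key, and the reply is tied to the origin of the page that asked for it. The user name and both origins are constructed placeholders.

```javascript
// Simplified passkey-style sign-in (added illustration, not the WebAuthn wire format).
const crypto = require('node:crypto');

// Server side: stores only public keys and issues one-time random challenges.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, { clientData, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // single use: an old response cannot be replayed
    const publicKey = this.publicKeys.get(user);
    if (!expected || !publicKey) return false;
    let parsed; try { parsed = JSON.parse(clientData); } catch { return false; }
    if (parsed.challenge !== expected || parsed.origin !== this.origin) return false;
    return crypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
  }
}

// Device side: the private key sits in a private field and is never transmitted.
class Device {
  #pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  get publicKey() { return this.#pair.publicKey; }
  // pageOrigin is the origin of the page actually loaded, as reported by the browser.
  sign(challenge, pageOrigin) {
    const clientData = JSON.stringify({ challenge, origin: pageOrigin });
    const signature = crypto.sign('sha256', Buffer.from(clientData), this.#pair.privateKey);
    return { clientData, signature };
  }
}

// Constructed scenario; the user name and both origins are made-up placeholders.
function demo() {
  const site = new Server('https://accounts.example');
  const device = new Device();
  site.register('alice', device.publicKey);
  const good = device.sign(site.newChallenge('alice'), 'https://accounts.example');
  const genuine = site.verify('alice', good);
  const replayed = site.verify('alice', good); // same response sent a second time
  const other = device.sign(site.newChallenge('alice'), 'https://accounts.example.login.test');
  return { genuine, replayed, wrongSite: site.verify('alice', other) };
}
```

Only the genuine sign-in verifies: the replayed response fails because its challenge has already been used, and the response produced on the look-alike origin fails the origin check even though the signature itself is valid.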

The Experts Weigh In

Google itself gives three reasons as to why this is the case: Best of all, switching from a password and 2FA to a passkey is easy, painless and quick. So, what are you waiting for?

A New Report from Cisco Talos Adds Weight To Google's Warnings

Phishing has remained the prominent method of initial access for hackers, Lexi DiScola, an information security analyst with the Cisco Talos Intelligence Group, warned in a summary of the latest intelligence analysis report from Cisco Talos.

The Risk is Real

“The objective of the majority of observed phishing attacks appeared to be credential harvesting,” DiScola said, “suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities, such as engineering a financial payout or stealing proprietary data.”

Protect Yourself from Phishing Attacks

All users, not just those of the Google platform, need to be alert to the risk. In one case cited in the report, victims were directed to a fake Microsoft Office 365 login page requiring a fake 2FA input, “likely so the attacker could steal users’ credentials and session tokens.”