New Gmail Security Alert For All 2.5 Billion Users — Steps To Take Now

In an update to our previous report, a new wave of Gmail security alerts has been reported by users, with hackers employing a hybrid attack involving email and phone calls in an attempt at account takeover.

Google has confirmed that it is under attack from hackers thought to be part of the ShinyHunters extortion group, following a successful compromise of a Google Salesforce database. This data breach is believed to have led to an increase in password-stealing threats delivered by email, with an 84% rise reported last year.

Google Cloud users are also at risk, with an advisory post providing details of an attack path that uses "dangling buckets" to steal data and distribute malware. Gmail users cannot relax either, as they are firmly in the hacker crosshairs.

The Attack Method

The attackers are adopting a hybrid approach that includes phone calls and email messages, all purporting to be from official Google support staff. This con is simple: the victim receives a phone call from someone claiming to be from Google support, warning them that an unknown party has attempted to hack their Google account.

The caller advises that a password reset is required to stop the so-called attack and protect the user from harm. The second part of the hybrid scheme then comes into play: an account reset email is sent to the user. The email includes a security verification code, intended to prove that it is you who is trying to change the password.

How the Attackers Work

The attacker encourages the victim to read the code out over the telephone so that "Google support" can reset the victim's account and protect them from the consequences of the "ongoing attack." Of course, all they are really doing is hacking your account in real time, while on the phone with you.

How to Mitigate The Latest Gmail Account Attacks

Google has published a helpful guide with advice on how to tell if a Google security alert is genuine. However, users are also advised to implement the following three account attack mitigation steps as a matter of some urgency:

  1. The Google Security Checkup: This is the most efficient and effective way to ensure that the right security protections are in place to defend your account. It checks what you have activated and advises about issues that could leave you at risk.
  2. Google's Advanced Protection Program: This ensures that additional checks are made to help prevent even the most determined hackers from gaining access to your Gmail account.
  3. Using a Google passkey: Security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.

"Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication," a Google spokesperson told me.
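To make the difference between the two sections above concrete, here is a toy model of a password-reset flow, written as an added example for this article rather than anything Google publishes. It implements the flow from "How the Attackers Work" against an emailed one-time code, then runs the same con against a passkey-style challenge/response. The hostnames, session ids and the HMAC key standing in for a device's private key are all constructed; a real passkey uses an asymmetric key that never leaves the authenticator, but the property that matters is the same: the proof is a signature over a per-session challenge and the site origin, so there is no secret the account owner could read out that works in the caller's session.

```python
"""
Toy model of two password-reset verification flows (added example, not
Google's code; origin, session ids and keys are constructed).

An emailed one-time code is a secret the account owner can read out loud,
so a caller posing as "Google support" can submit it in their own session.
A passkey assertion is a signature over a per-session challenge plus the
site origin, so nothing the owner could read out completes the caller's
session.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example.test"  # constructed origin


class Authenticator:
    """The account owner's phone holding a registered passkey.
    Toy: an HMAC key stands in for the device's private key."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, challenge: bytes, origin: str) -> str:
        # WebAuthn signs client data carrying the challenge and the origin
        # the browser reports; that is what binds the assertion.
        msg = challenge + origin.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class AccountService:
    """Server side of the reset flow; each session has its own pending proof."""

    def __init__(self, passkey_key: bytes):
        self._passkey_key = passkey_key
        self._pending = {}  # session_id -> (kind, expected value)
        self.reset_by = []  # sessions that completed a reset

    # Flow 1: emailed one-time code
    def start_code_reset(self, session_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = ("code", code)
        return code  # would be emailed to the account owner

    def finish_code_reset(self, session_id: str, submitted: str) -> bool:
        kind, expected = self._pending.pop(session_id, (None, ""))
        ok = kind == "code" and hmac.compare_digest(expected, submitted)
        if ok:
            self.reset_by.append(session_id)
        return ok

    # Flow 2: passkey challenge/response
    def start_passkey_reset(self, session_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[session_id] = ("passkey", challenge)
        return challenge  # sent to the browser that opened this session

    def finish_passkey_reset(self, session_id: str, assertion: str) -> bool:
        kind, challenge = self._pending.pop(session_id, (None, b""))
        if kind != "passkey":
            return False
        expected = hmac.new(self._passkey_key, challenge + REAL_ORIGIN.encode(),
                            hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, assertion)
        if ok:
            self.reset_by.append(session_id)
        return ok


def phone_scam_vs_code(service: AccountService) -> bool:
    """The article's con: the caller triggers a reset from their own session,
    the emailed code reaches the owner, and the owner reads it out."""
    code = service.start_code_reset("caller-session")
    read_out_over_phone = code  # owner believes the caller is Google support
    return service.finish_code_reset("caller-session", read_out_over_phone)


def phone_scam_vs_passkey(service: AccountService, auth: Authenticator) -> bool:
    """Same con against a passkey. The caller's session gets its own challenge;
    even if the owner completes a passkey prompt in their own browser and reads
    the resulting assertion out, it was computed over the owner's challenge."""
    service.start_passkey_reset("caller-session")
    owner_challenge = service.start_passkey_reset("owner-session")
    assertion = auth.sign(owner_challenge, REAL_ORIGIN)
    read_out_over_phone = assertion
    return service.finish_passkey_reset("caller-session", read_out_over_phone)


def legitimate_passkey_reset(service: AccountService, auth: Authenticator) -> bool:
    """The owner resets from their own session: challenge and origin both match."""
    challenge = service.start_passkey_reset("owner-session")
    return service.finish_passkey_reset("owner-session", auth.sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    svc, auth = AccountService(key), Authenticator(key)
    print("code flow, owner reads code to caller:", phone_scam_vs_code(svc))
    print("passkey flow, same con:", phone_scam_vs_passkey(svc, auth))
    print("passkey flow, owner's own session:", legitimate_passkey_reset(svc, auth))
```

The first call succeeds, which is the account takeover the article describes; the second fails even though the owner cooperated fully, because the assertion only fits the session whose challenge it was computed over. This is the reason the mitigation list above ends with passkeys: a code in an email is portable, a passkey signature is not.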