Google is advising all 2.5 billion Gmail users to change their account passwords immediately, citing an uptick in phishing attempts and credential theft. The company says attackers are becoming more sophisticated, using fake sign-in pages, fraudulent emails, and even phone calls from scammers posing as Google Support to trick users into giving up sensitive information.
According to Google, phishing and credential theft now account for nearly 40% of successful intrusions. Even two-factor authentication, long promoted as an additional security layer, isn’t always enough—bad actors have found ways to intercept or trick users into sharing 2FA codes.
What’s most concerning is how infrequently users change their credentials. A survey shared by Google shows only 36% of U.S. consumers update their passwords regularly, leaving the majority at risk if their details are exposed. With password reuse still common across multiple accounts, a single compromised Gmail login could potentially open the door to far more serious breaches.
Google’s recommendations are straightforward: if you haven’t changed your Gmail password this year, do it now. The company also advises against relying solely on browser-based password managers, suggesting dedicated apps instead, and recommends pairing password updates with stronger authentication methods. Switching from SMS-based 2FA to an authenticator app that generates one-time codes is one of the most effective steps users can take.
For those with newer devices, passkeys—biometric or PIN-based logins—offer even stronger protection. Unlike passwords, passkeys can’t be phished because they never leave the device. Yet adoption remains low, with just 34% of U.S. users currently using them. Google warns that if a sign-in page ever asks for a password when your device normally uses a passkey, that’s a red flag that the page may be fraudulent.
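To make the "can't be phished" claim concrete, here is an added example (not code from Google or from the article) in Go: a simplified model of a passkey sign-in in which the browser, not the page, writes the origin the user is actually on into the signed data, and the site accepts a signature only over its own origin. The domain names and the payload layout are assumptions made for illustration; real WebAuthn carries the same fields inside authenticatorData and clientDataJSON.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Toy authenticator: the private key never leaves the device; Register gives the site only the public key.
type Authenticator struct{ priv ed25519.PrivateKey }

func Register() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, pub
}

// Simplified assertion payload: sha256(rpID) || challenge || origin the browser saw.
// Real WebAuthn signs authenticatorData || sha256(clientDataJSON), which carry the same fields.
func signedData(rpID, origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append(h[:], challenge...), []byte(origin)...)
}

// Assert: the browser, not the page, fills in the origin the user is actually on,
// so a lookalike site cannot claim to be accounts.google.com in the signed payload.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(rpID, origin, challenge))
}

// Verify is the relying party: it rebuilds the payload for its own rpID and origin.
func Verify(pub ed25519.PublicKey, rpID, expectedOrigin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, expectedOrigin, challenge), sig)
}

// Login: the site at realOrigin issues a fresh challenge; the user's browser is on
// pageOrigin. A relay-proxy phishing page is exactly the case where the two differ.
func Login(a *Authenticator, pub ed25519.PublicKey, rpID, realOrigin, pageOrigin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig := a.Assert(rpID, pageOrigin, challenge)
	return Verify(pub, rpID, realOrigin, challenge, sig)
}

func main() {
	auth, pub := Register()
	fmt.Println(Login(auth, pub, "google.com", "https://accounts.google.com", "https://accounts.google.com"))             // true
	fmt.Println(Login(auth, pub, "google.com", "https://accounts.google.com", "https://accounts.google.com.example-login.net")) // false
}
```

The contrast with a password or an SMS code is that those are plain strings: the site cannot tell where they were typed, so a relay page can forward them unchanged, whereas the passkey signature above is worthless anywhere except the origin it was made on.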
The company’s advice echoes a broader problem in cybersecurity: human error remains one of the weakest links. Clicking the wrong link or trusting the wrong email continues to be a more effective strategy for attackers than brute-forcing systems. With Gmail’s massive user base, even a small success rate can translate into millions of compromised accounts.
For now, the best defense is vigilance. Change your password, switch to stronger authentication, and never log in through links—even if they look like they came from Google itself.
