Change Your Gmail Password Now — Google Warns Users
Update, July 30, 2025: This story, originally published on July 28, has been updated with confirmation of a second Google security update: the Gmail passkey and Device Bound Session Credentials announcements are now joined by Project Zero reporting transparency changes.
It’s official: Google accounts are under attack, and those attacks have spiked by an incredible amount. According to Google itself, it saw an 84% increase in Gmail two-factor authentication bypass attacks during 2024 and has now confirmed that this “has only intensified in 2025.” When it comes to the bigger picture, phishing and credential theft are now behind more than a third of all successful Google account attacks. But Google has been fighting back, and a July 29 announcement outlines a new security protection being offered to some, along with a warning for all users to change their passwords now.
Change Your Gmail Password Now As Attacks Escalate
It’s always refreshing to hear the largest of tech companies being honest about the security challenges they face, and Google certainly falls into this category. More so when you are talking about Gmail, with some 2.5 billion users worldwide, and under constant attack, like all large email platforms, from threat actors looking to compromise accounts.
“Attackers are intensifying their phishing and credential theft methods,” Andy Wen, senior director of product management at Google, has warned, “which drive 37% of successful intrusions.” What’s more, Wen continued, “we’ve seen an exponential rise in cookie and authentication token theft as a preferred method for attackers.” Thankfully, the Google announcement doesn’t stop there. Instead, it shares account security enhancements to mitigate just these types of attacks.
While the Google announcement itself is directed at Google Workspace customers specifically, the first of the recommendations forms a warning that all 2.5 billion Gmail users should heed: update your account from using a password to a passkey. The “enhancement” that Google is referring to here is that passkey support is now available, with “expanded admin capabilities to audit enrollment and restrict passkeys to physical security keys,” to more than 11 million Google Workspace customers. That’s important, of course, but please make the change from password to passkey regardless of whether you’re using a paid-for or free Gmail account. The attackers, I can assure you, couldn’t care less.
The other advice is strictly for those Workspace customers, however, and comes by way of an open beta of Device Bound Session Credentials to protect against those 2FA cookie bypass attacks mentioned earlier, as well as another beta, a shared signals framework, that will be offered to “select customers and partners” later this year.
“These advancements can meaningfully enhance account security,” Wen said, “marking a major step forward in protecting against account takeovers for Google Workspace customers.”
Device Bound Session Credentials provide users with enhanced post-authentication protection, Wen explained, by helping to ensure that only the originating device can access the active session, which therefore reduces the risk of cookie theft and 2FA bypass. DBSC also provides stronger session integrity, Google said, by bolstering protections with “more granular account attributes when used in conjunction with context-aware access, even if an attacker obtains login credentials after the initial login.”
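To make the “only the originating device” idea concrete, here is a simplified model in Go of the binding DBSC describes; it is an added illustration, not Google’s code, and the real protocol carries these steps over HTTP headers with more machinery than shown. Assumed for the example: a session cookie is tied at login to a key pair whose private half would live in the device’s TPM, every refresh must answer a server challenge signed with that key, and the `Server`, `Register`, `Challenge`, `Refresh` and `Answer` names and the `sess-N` cookie format are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server maps each issued session cookie to the public key it is bound to.
type Server map[string]ed25519.PublicKey

// Register binds a newly issued session cookie to the public key the browser presented after login.
func (s Server) Register(pub ed25519.PublicKey) string {
	cookie := fmt.Sprintf("sess-%d", len(s)+1)
	s[cookie] = pub
	return cookie
}

// Challenge returns a random nonce the client must sign before a refresh is granted.
func (s Server) Challenge() []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand: the returned error is always nil since Go 1.24
	return nonce
}

// Refresh honours the cookie only with a valid signature over the nonce from the
// bound key, so a cookie copied off the device is useless to whoever holds it.
func (s Server) Refresh(cookie string, nonce, sig []byte) error {
	pub, ok := s[cookie]
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("session %q: refresh denied, no proof of possession", cookie)
	}
	return nil
}

// Answer is one client's refresh attempt, signing the challenge with whatever key it has.
func Answer(s Server, cookie string, key ed25519.PrivateKey) error {
	nonce := s.Challenge()
	return s.Refresh(cookie, nonce, ed25519.Sign(key, nonce))
}

func main() {
	s := Server{}
	pub, deviceKey, _ := ed25519.GenerateKey(rand.Reader) // stands in for a TPM-held key
	cookie := s.Register(pub)
	fmt.Println("originating device:", Answer(s, cookie, deviceKey)) // <nil>
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader) // infostealer copied the cookie, not the key
	fmt.Println("replayed cookie:   ", Answer(s, cookie, attackerKey)) // refresh denied
}
```

The second call is the cookie-theft case the article describes: the stolen cookie names a valid session, but without the device-bound private key the refresh is refused.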
Not Just Gmail — Google Announces Project Zero Transparency Changes
A July 30 announcement by the Project Zero team is the second major confirmation of security changes from Google in as many days. Tim Willis, head of Google’s Project Zero, founded in 2014 and tasked with uncovering zero-day security vulnerabilities, has confirmed that changes are being introduced to reduce the “patch gap,” or delay between finding a vulnerability and getting the fix to your devices.
The patch gap is, Willis admitted, a very complex issue to solve and goes beyond my oversimplistic description above. “Our work has highlighted a critical, earlier delay: the upstream patch gap,” Willis said, explaining that this covers the period between an upstream vendor having a fix and it getting integrated into “downstream dependents” products that can be distributed to users. “This upstream gap significantly extends the vulnerability lifecycle,” Willis warned.
Enter reporting transparency, or rather, Google Project Zero’s reporting transparency trial. The existing core 90-day vulnerability disclosure deadline is going nowhere and will remain in effect, but it will be amended by an addition at the very start of the process. As of today, Willis has confirmed, Google Project Zero will publicly share that a vulnerability has been discovered, and do so within a week of it being reported to a vendor.
“We hope that this trial will encourage the creation of stronger communication channels between upstream vendors and downstream dependents relating to security,” Willis concluded, “leading to faster patches and improved patch adoption for end users.”
Why All Users Should Update Gmail Accounts To Use Passkey Protection
The benefits of passkeys compared to passwords are no secret, and have been put forward time and time again. Wen has reinforced the greater security that can be provided by making this one simple change: “Unlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user’s device.”
Here are three reasons why Google wants all users to switch to passkey technology, and switch now:
- Passkeys are inherently more phishing-resistant because users can’t be tricked into handing over passkeys to a malicious actor.
- Signing in with passkeys is as simple as unlocking your device, using a PIN or biometrics such as a fingerprint or facial recognition.
- Unlike passwords, which are often reused, each passkey is unique and generated for each specific website or service.
So, what are you waiting for? Heed the Google warning and update your Gmail account security now.
