Gmail security warning controversy: what has actually happened?
Pretty much every major news outlet, tech or otherwise, has recently reported on a security warning that supposedly went out to a couple of billion Gmail users, urging them to change their passwords. Long story short, there really was a breach, and Google acknowledged it, but the company says the attackers only got business contact details and names, not Gmail credentials. That does not mean you should skip changing your Gmail password: it is worth doing on a regular basis anyway, just to be on the safe side, whether or not you have 2FA switched on.
Want the whole story? Read on.
The actual breach that triggered the Gmail password alert reporting
Earlier in 2025, a hacker group known as ShinyHunters breached one of Google's Salesforce databases and stole information about an undisclosed number of users (at least we have not found the figure). As mentioned above, the stolen information consisted of business contact details and names.
Google acknowledged the breach, specifying that the attackers got in through a Salesforce extension. By early August 2025, the company had finished notifying the affected individuals.
It seems, though, that the media misinterpreted the situation: some reports linked that incident to an alleged mass alert in which Google supposedly urged all 2.5+ billion Gmail users to change their passwords.
The reports went viral and forced the company to react: on September 1, 2025, Google published a post titled “Gmail's protections are strong and effective, and claims of a major Gmail security warning are false” on its Workspace blog. In the piece, Google denies ever having sent such an alert and calls the claims inaccurate. It also states that its “protections continue to block more than 99.9% of phishing and malware attempts from reaching users.”
How to safeguard yourself from phishing and vishing?
We’ve covered these types of attacks in “Social engineering in hacking: common methods and protections”; read that article if you missed it, there is valuable information there. To recap part of it, here are common-sense ways of protecting yourself from such attempts.
Trust but verify; better yet, don’t trust. If an email is even slightly suspicious (an uninvited ad or an unexpected suggestion from someone you know counts as suspicious), don’t click the links in it. Go to the site by typing the address yourself instead.
Switch on two-factor authentication wherever possible, and opt for authenticator apps rather than SMS. Consider moving to passkeys; it is going to happen sooner or later anyway.
Use a password manager, set up your firewall properly, consider getting a VPN subscription, and set up a backup routine. In general, follow the advice we’ve given in “Cybersecurity for the masses: best practices and tools.”
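The “don’t click suspicious links” advice above can be partly automated. The script below is an added example written for this article, not code from Google or from the articles linked here: it pulls every link out of an HTML email body and flags the classic phishing tells, i.e. link text that shows one domain while the href goes to another, a trusted brand name buried inside an untrusted host (accounts.google.com.something.example), a user@ prefix that hides the real host, raw IP addresses, punycode hosts that may be homographs, and plain http. The trusted-domain set, the heuristics and the sample message are all constructed assumptions for illustration.

```python
"""Flag phishing tells in the links of an HTML email.

Added example for this article; heuristics, trusted domains and the sample
message are constructed assumptions, not Google's code or data.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the registrable domains this reader treats as legitimately Google's.
TRUSTED_DOMAINS = {"google.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host. Simplification: production code should use
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Matches link text that looks like a URL or bare domain, capturing the host part.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def check_link(href, text):
    """Return the list of phishing tells found for one link.
    An empty list means no heuristic fired, which is not proof of safety."""
    reasons = []
    url = urlsplit(href.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        return [f"non-web scheme {url.scheme or '(none)'!r}"]
    if url.scheme == "http":
        reasons.append("plain http, no TLS")
    if url.username is not None:
        reasons.append("user@ prefix in URL can disguise the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a host name")
    except ValueError:
        pass
    if "xn--" in host:
        reasons.append("punycode host: possible homograph of a familiar domain")
    # Brand name present in the host, but the registrable domain is someone else's.
    reg = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and reg != trusted:
            reasons.append(f"'{brand}' appears in host but domain is {reg}")
    # Visible text that looks like a URL but whose domain differs from the real target.
    m = _URLISH.match(text)
    if m and registrable_domain(m.group(1)) != reg:
        reasons.append(f"link text shows {m.group(1)} but href goes to {host}")
    return reasons


def scan_email(html):
    """Map each href in the message to the list of tells it triggered."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample message for illustration; 198.51.100.0/24 is a documentation range.
SAMPLE_EMAIL = """
<p>We noticed unusual sign-in activity on your account.</p>
<a href="https://accounts.google.com/signin">Review activity</a><br>
<a href="http://accounts.google.com.security-check.example/login">https://accounts.google.com</a><br>
<a href="https://xn--ggle-0nda.com/">Google</a><br>
<a href="https://google.com@198.51.100.7/reset">google.com</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "no tells found")
```

Only the first link comes back clean; the other three each trip one or more checks. The point of the second and fourth links is that the text you see in the message tells you nothing about where the href actually goes, which is exactly why the advice is to type the address yourself rather than click.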
Stay safe!