Google has confirmed that Gmail passwords are being actively exploited by attackers, and most users still haven’t adopted stronger sign-in protections.
Gmail passwords at risk after new data breach

Following recent hacks, Google now urges account holders to change their Gmail passwords. Many successful intrusions stemmed from reused or exposed credentials. One major breach reportedly involved Google’s own Salesforce database, further raising the alarm.
Because phishing campaigns are ramping up, even users with two-factor authentication (2FA) remain vulnerable, especially if they rely on SMS-based codes.
Google recommends stronger security methods
Google isn’t just asking users to reset their Gmail passwords. The company wants everyone to adopt passkeys or device-based 2FA as their primary login method. These options reduce the risk of phishing, since they eliminate password entry altogether.
Previously, Google made passkeys the default sign-in method. Even so, many users continue to depend on passwords and outdated verification tools.
Scammers are imitating Google support staff
Cybercriminals have become more convincing. By pretending to be Google support, they trick people into entering login details on cloned websites. Some scams even include fake phone calls or AI-generated emails to add urgency.
Here’s how most phishing attacks unfold:
- A user receives a fake security alert
- The email includes a link to a forged login page
- Credentials and 2FA codes are harvested
- Hackers use that data to gain full access
Gmail passwords alone aren’t enough anymore
Attackers no longer need to break encryption; they just need to fool the user. Because of this, Google urges users to move beyond simple password-based logins. Enabling a passkey or using an authenticator app is now considered a must.
At the same time, users should stay alert for suspicious messages that mimic real security warnings.
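Why a code harvested on a forged page still works while a passkey sign-in does not, as an added example (not from Google or the original article): a server-side check written in JavaScript for Node.js. The origins, challenge and one-time code are constructed placeholders, and the signature verification that a real WebAuthn server also performs over this data is left out.

```javascript
// Constructed sample values; both origins are placeholders, not real services.
const RP_ORIGIN = "https://accounts.example";          // the genuine sign-in site
const FORGED_ORIGIN = "https://accounts-example.test"; // the cloned login page

// What the browser does during a passkey sign-in: the browser, not the page's
// script, writes the origin it is actually displaying into clientDataJSON.
// The authenticator's signature covers a hash of these bytes.
function browserClientData(pageOrigin, challenge) {
  const data = { type: "webauthn.get", challenge, origin: pageOrigin };
  return Buffer.from(JSON.stringify(data), "utf8");
}

// Server check for an SMS or app code: the code has no record of where it was typed.
function verifyOtp(submitted, expected) {
  return submitted === expected;
}

// Server check of the clientDataJSON that accompanies a passkey assertion.
function verifyClientData(clientDataJSON, expectedChallenge, expectedOrigin) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data.type !== "webauthn.get") return { ok: false, reason: "wrong type" };
  if (data.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  if (data.origin !== expectedOrigin) return { ok: false, reason: "origin mismatch" };
  return { ok: true, reason: "clientData accepted" };
}

function demo() {
  const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"; // constructed, base64url
  const otp = "492817";                             // constructed code sent to the user
  const relayedOtp = otp; // typed into the forged page, then forwarded unchanged
  return {
    otpTypedOnForgedPage: verifyOtp(relayedOtp, otp),
    passkeyOnRealPage: verifyClientData(
      browserClientData(RP_ORIGIN, challenge), challenge, RP_ORIGIN),
    passkeyOnForgedPage: verifyClientData(
      browserClientData(FORGED_ORIGIN, challenge), challenge, RP_ORIGIN),
  };
}

console.log(demo());
```

The relayed code is accepted, while the passkey response produced on the forged page is rejected with "origin mismatch" even though the challenge was passed through correctly.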
Update your Gmail passwords and how you protect them
If you’re still using only a password and SMS code for Gmail, it’s time to make a change. Google made its position clear: stronger protections are no longer optional.