Google has issued a serious security alert, confirming that hackers are breaking into Gmail accounts using stolen passwords. The company says most users now need to change their passwords and upgrade their security settings immediately.
Why most Gmail users must change passwords now

A string of recent breaches has put Gmail’s 2.5 billion users at risk. Google admitted that compromised passwords are behind many successful intrusions, with phishing pages and fake sign-in prompts tricking people into handing over credentials. In some cases, attackers even bypass two-factor authentication by intercepting codes.
Compounding the problem, scammers are posing as Google support staff, contacting account holders by email and phone. These scams are reportedly aided by AI tools, making them even harder to spot.
Passkeys and stronger protection are needed
Google has been urging users to move away from weak password setups for months. The company recommends adding passkeys and using them as the default way to log in. Unlike passwords, passkeys cannot be phished or reused across multiple accounts.
Two-factor authentication is still important, but Google warns against relying on SMS codes. Instead, users should switch to an authenticator app.
- Change your Gmail password immediately
- Use a dedicated password manager, not a browser-based one
- Add a passkey and make it your default login method
- Switch 2FA from SMS to an authenticator app
- Never click sign-in links sent by email
According to Google, only 36 percent of people regularly update their passwords. That leaves most accounts at risk unless users take action.
How to spot a red-flag sign-in attempt
If you have set up a passkey but see a prompt asking for your password instead, treat it as a warning sign. That window may be a fake page designed to steal credentials. Google stresses that users should never log in through links, even if they look official.
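Why a passkey cannot be handed to a fake page, as an added example (not Google's code and not part of the original article): the browser writes the page's real origin into the signed data, and the server checks it. The origins, the relying-party ID, the in-memory authenticator and the simplified RP ID suffix rule below are all constructed for illustration.

```javascript
// Added example: origin binding in a passkey (WebAuthn) login, simulated end to end.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('crypto');

const RP_ID = 'accounts.example.com';               // assumed relying-party ID
const RP_ORIGIN = 'https://accounts.example.com';   // assumed legitimate origin
const sha256 = (data) => createHash('sha256').update(data).digest();

// Stand-in for an authenticator holding one passkey scoped to RP_ID.
const passkey = generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser + authenticator side. The browser, not the page, fills in `origin`,
// and a credential is only released for an RP ID that matches that origin.
function getAssertion(pageOrigin, requestedRpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== requestedRpId && !host.endsWith('.' + requestedRpId)) {
    throw new Error('SecurityError: RP ID not valid for this origin');
  }
  if (requestedRpId !== RP_ID) throw new Error('NotAllowedError: no passkey for this RP ID');
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: pageOrigin,
  }));
  // authenticatorData = rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(requestedRpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, passkey.privateKey) };
}

// Server side: every check must pass before the login is accepted.
function verifyAssertion(a, expectedChallenge, publicKey) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== RP_ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// One login attempt from a given page; returns the outcome as a string.
function tryLogin(pageOrigin, requestedRpId) {
  const challenge = randomBytes(32);
  try {
    return verifyAssertion(getAssertion(pageOrigin, requestedRpId, challenge), challenge, passkey.publicKey);
  } catch (e) { return e.message; }
}
```

A look-alike page gets no usable passkey assertion, so a password prompt is the only thing it can show, which is why that prompt is the warning sign described above.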
The urgency of securing Gmail
With billions of accounts in play, Gmail remains a prime target for hackers. From phishing scams to stolen credentials, attackers rely on users sticking with weak habits. By changing your password, enabling stronger two-factor authentication, and moving to passkeys, you cut off the most common entry points.
For anyone who has not updated their Gmail password this year, the time to act is now.