Google Warns Gmail Users: Stop Using Passwords Amid Sophisticated New Attack
“Don’t use your password.” That’s the clear message from Google after confirming a dangerous new phishing attack targeting Gmail users—one that even evaded standard security checks.
The latest campaign, which has gone viral on X and through crypto communities, struck Ethereum developer Nick Johnson. The attack used a legitimate-looking email from [email protected], complete with a valid DKIM signature, warning of a legal subpoena. Because it was forwarded from a genuine Google email, Gmail marked it as secure—making it all the more convincing.
This clever exploit bypasses traditional alarms, but the real goal remains simple: trick users into entering credentials on a fake login page. Google has confirmed it’s aware of the exploit and is rolling out protections, but urges users to act immediately by switching to passkeys and strong multi-factor authentication.
“These protections will soon be fully deployed… In the meantime, we encourage users to adopt two-factor authentication and passkeys,” Google said in a statement.
Why Passwords and SMS-Based 2FA Are No Longer Safe
Despite the widespread use of 2FA, especially via SMS, attackers are increasingly able to intercept those codes—rendering them ineffective. Case in point: the emergence of “Gorilla,” a new Android malware flagged by Prodaft that intercepts SMS messages and bypasses device power-saving features to stay active.
These attacks, often driven by AI-generated content and hyper-targeted phishing, are escalating in complexity and volume. Microsoft warns that AI has made it easier than ever for threat actors to craft convincing scams.
What You Should Do Right Now
-
Enable Passkeys: A passkey is linked to your physical device and cannot be phished or reused. If an attacker doesn’t have your device, they can’t log in.
-
Avoid Password-Based Logins: Even with 2FA, passwords are a weak point. Don’t rely on SMS codes—use authenticator apps or hardware security keys.
-
Update All Security Settings: Review your Google account settings and strengthen security across linked accounts.
This isn’t just about Gmail. If your email is compromised, every connected account is vulnerable—from banking to social media.
The bottom line: Passkeys are the future of account security. Don’t wait until you’re a target. Set yours up today.
