Why Google is really warning 2.5 billion Gmail users to stop using their passwords

You may have seen warnings that Google is telling all of its users to change their Gmail passwords due to a breach. That’s only partly true. Google is telling users to change their passwords, but not because of a breach that exposed them. In fact, Google’s real advice is to stop using your password altogether. Here’s what I mean.

The breach traces back to Salesforce, whose systems were compromised by the hacker group known as ShinyHunters (also tracked as UNC6040). Attackers obtained business-related Gmail data, including contact lists, company associations, and email metadata. No actual Gmail account credentials were stolen, but the nature of the stolen data makes phishing and impersonation attacks far more dangerous.

Google confirmed the link between the Salesforce breach and a rise in targeted phishing campaigns and said attackers are already impersonating Google, IT departments, or trusted vendors to trick people into handing over login information. Some campaigns even involve “vishing,” or fraudulent phone calls made from spoofed 650-area-code numbers that resemble Google’s corporate lines.

Phishing attacks increase

For years, phishing has been one of the most effective tools hackers use to break into accounts. Google’s own data shows that phishing and vishing now account for roughly 37% of successful account takeovers across its services. With the data from Salesforce in hand, hackers can customize attacks that look far more authentic than the usual spam message.

Imagine receiving a message that references your actual employer, colleagues, or recent communications. That level of detail raises the likelihood that you’ll trust the email, click a malicious link, or provide sensitive information. Once credentials are stolen, hackers can bypass additional protections and take over accounts—sometimes without the victim realizing it until significant damage has been done.

Protect your email password

Look, the most important rule here is that you should literally never give anyone your Gmail password, especially not someone who calls you and purports to be tech support. No matter how convincing it may seem, Google is never ever going to call you and ask you for your login information. Seriously, even if your son calls you to help you with tech support, you should not give him your Gmail password.

Why? Well, because your email is basically the key to everything. In an interview I did last year, Cloudflare CTO John Graham-Cumming explained the problem.

“If you do not have a good password on your email, the rest of your life is pretty much wide open, because every single service out there does reset password by sending you an email,” says Graham-Cumming. “So if I can compromise your email, I can compromise pretty much everything else you have.”

Of course, even better than not giving out your password or clicking on links in fake tech-support emails is to stop using passwords altogether on your Gmail account. Google has been encouraging users for years to adopt passkeys instead.

Switch to a passkey

I also spoke with Jeff Shiner last year about passkeys. As the CEO of 1Password, Shiner knows a few things about how people use passwords and why they should be switching to more secure ways of protecting their accounts.

“A passkey, from an end user point of view, looks like the biometrics on your device,” says Shiner. “The cool thing about a passkey is that to the end user, you never have a password for that service. You just use your biometrics, and then a passkey is created. But, from a security point of view, it’s actually stronger than a password—even a strong password—because it can’t be phished.”

In light of the breach, Google is encouraging Gmail users to change their password. In fact, you should change your password on a regular basis in the event it is ever compromised. But even better is to stop using passwords at all.

Google is also pushing users toward stronger forms of authentication, including passkeys and app-based two-factor authentication (2FA). Unlike SMS codes, which can be intercepted or spoofed, authenticator apps and passkeys make it much harder for hackers to break into accounts even if they trick you into handing over a password.

Google’s warning for users

Google’s guidance can be summed up in five steps:

1. Reset your Gmail password regularly. Choose something unique and complex. Do not reuse passwords across accounts.
2. Turn on two-factor authentication. Preferably, use an authenticator app or a passkey.
3. Be skeptical of unsolicited messages. If you receive an email or call about account security, go directly to your Google account dashboard instead of clicking links or giving information over the phone.
4. Use Google’s Security Checkup. The tool provides a quick overview of devices, apps, and settings tied to your account.
5. Stay alert. If something feels off—strange login notifications, unexpected password reset requests, or unusual email activity—act quickly by securing your account.

This episode underscores a broader truth about modern cybersecurity: Your accounts are only as safe as the weakest link in the chain. In this case, a breach at Salesforce created risk for Gmail users who had no direct relationship with the company. Even if Google’s own infrastructure remains secure, attackers can exploit data leaked from partners to undermine trust.

With more than 2.5 billion Gmail users, it isn’t surprising that the world’s most popular email service would represent one of the most irresistible targets for hackers. Google’s latest warning is a reminder that in a world of constant breaches, vigilance is the only reliable defense.

—Jason Aten

This article originally appeared on Fast Company’s sister publication, Inc.

Inc. is the voice of the American entrepreneur. We inspire, inform, and document the most fascinating people in business: the risk-takers, the innovators, and the ultra-driven go-getters that represent the most dynamic force in the American economy.

View the full article