Why Google Is Really Warning 2.5 Billion Gmail Users to Stop Using Their Passwords

Google is raising the alarm for its billions of Gmail users—not because of a direct breach of Gmail itself, but because of a larger security risk linked to another company.

Many people saw the headlines suggesting Google wants everyone to change their Gmail passwords after a hack. That’s only half the story. The real message from Google is this: stop relying on passwords altogether.

Here’s why. The issue stems from a breach at Salesforce, carried out by the hacker group ShinyHunters (also known as UNC6040). Hackers didn’t get Gmail login credentials, but they did steal data such as email contact lists, business associations, and metadata. On its own, this doesn’t let them log into accounts, but it makes phishing and impersonation attempts far more convincing—and dangerous.

Google confirmed that since the Salesforce breach, it’s seeing a sharp rise in phishing campaigns. Attackers are posing as Google itself, as IT departments, or as trusted vendors, sending fake emails or even making “vishing” calls from spoofed numbers that look like official Google lines.

Why this matters

Phishing has always been one of the most effective ways to break into accounts. Google says phishing and vishing now account for nearly 37% of account takeovers. With real business data in hand, hackers can craft emails that look eerily real—messages that mention your actual colleagues, recent projects, or company names. One careless click could hand over your credentials and open the door to your entire digital life.

John Graham-Cumming, CTO of Cloudflare, put it simply:
“If someone gets into your email, they can get into just about everything else you own, because password resets for nearly every service are tied to email.”

That’s why Google’s advice is blunt: never, ever give your Gmail password to anyone. Not to a caller, not to an email, not even to someone you trust casually. And ideally, stop using a password altogether.

Passkeys: the future of login

Google is pushing people to adopt passkeys—a system where you log in by unlocking a cryptographic key stored on your device, typically with biometrics (like a fingerprint or face scan). Passkeys don’t rely on text passwords, and each one works only with the site it was created for, which means they can’t be phished or stolen in the traditional way. Security experts say they’re actually stronger than even the most complex password.

Jeff Shiner, CEO of 1Password, explained:
“To the user, a passkey just looks like using your phone’s biometrics. But behind the scenes, it’s far more secure than a password—because there’s no password to steal.”
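
Why a passkey login cannot be replayed from a look-alike site, shown as an added example (not code from Google, 1Password or the original article): the server-side WebAuthn checks on the origin the browser recorded and on the site ID hash the device signed for. The domain names, function names and sample data are assumptions constructed for illustration, and the signature check with the stored public key is a separate step not shown.

```python
import hashlib
import json

RP_ID = "accounts.example.com"                  # assumed relying-party ID
EXPECTED_ORIGIN = "https://accounts.example.com"  # assumed legitimate origin

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: str) -> list:
    """Return reasons to reject; an empty list means these checks pass.

    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    with the user's stored public key is a separate step, not shown here.
    """
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client.get("challenge") != expected_challenge:
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin it was really showing.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch: " + str(client.get("origin")))
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)
    if len(authenticator_data) < 37:
        return problems + ["authenticator data too short"]
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    flags = authenticator_data[32]
    if not flags & 0x01:
        problems.append("user not present")
    if not flags & 0x04:
        problems.append("user not verified")
    return problems

def make_sample(origin: str, rp_id: str, challenge: str, flags: int = 0x05):
    """Build a constructed assertion; no real authenticator is involved."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}).encode()
    auth = (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + (1).to_bytes(4, "big"))
    return client, auth

if __name__ == "__main__":
    chal = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed base64url challenge
    print(check_assertion(*make_sample(EXPECTED_ORIGIN, RP_ID, chal), chal))
    # Same user, but the browser was on a look-alike domain (constructed):
    fake = make_sample("https://accounts.examp1e.com", "accounts.examp1e.com", chal)
    print(check_assertion(*fake, chal))
```

In practice the browser refuses to offer the real site's passkey on the look-alike domain in the first place; these server-side checks are the second line of defense.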

What you should do right now

Google is recommending a few simple but critical steps:

  1. Change your Gmail password regularly. Make it long, complex, and unique.
  2. Turn on two-factor authentication (2FA). Use an app or a passkey—not just SMS codes.
  3. Don’t trust unexpected emails or calls. If in doubt, check your Google Account dashboard directly.
  4. Use Google’s Security Checkup tool to review your account devices and settings.
  5. Stay alert for suspicious activity—like login attempts, reset requests, or strange emails.

The bigger picture

This incident is a reminder that even if Google itself isn’t hacked, third-party breaches (like Salesforce) can still put Gmail users at risk. With more than 2.5 billion Gmail accounts worldwide, hackers see it as one of the most valuable targets out there.

The bottom line? Passwords are becoming the weakest link in online security. Google’s latest warning isn’t just about one breach—it’s about moving toward a safer, password-free future.

