Seven days to act: Google warns Gmail users of major password hack

Google has issued an urgent warning to its 1.8 billion Gmail users that anyone with a hacked account has just seven days to recover it or risk being locked out permanently.

In a recent development, Gmail users around the world have experienced a Google password hack.

To regain access, users must have a recovery phone number or email set up.

These backups allow Google to verify your identity through security questions, even after a breach.

The alert follows what Google described as a “sophisticated” phishing attack that exploited trust in its systems to trick users into surrendering their login credentials.

The threat was first reported by Nick Johnson, a developer for the Ethereum cryptocurrency platform.

He shared a screenshot of a deceptive email that appeared to come from a legitimate Google address, falsely claiming he had been served a subpoena and needed to give up access to his account.

Clicking the link took him to a “very convincing ‘support portal’ page,” Johnson said.

Both “Upload additional documents” and “View case” redirected to “exact duplicates” of Google’s real login pages.

“From there, presumably, they harvest your login credentials and use them to compromise your account; I haven’t gone further to check,” he explained.

The fake message was especially dangerous because it passed Gmail’s DKIM (DomainKeys Identified Mail) signature check, which confirms that parts of an email haven’t been tampered with.

“It even puts it in the same conversation as other, legitimate security alerts,” Johnson added.

Responding, a Google spokesperson said the company is aware of the targeted attacks.

“We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse,” the Google spokesperson said.

To better protect against future phishing attempts, Google urges users to enable two-factor authentication (2FA) and passkeys.

“We encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns,” the company said.

Google emphasized that it will never ask for your password or one-time codes, or ask you to confirm push notifications, nor will it call you to verify account information.

According to the company, hackers used Google Sites to create scam pages, tricking users by leveraging the trusted google.com domain.

“Because they know people will see the domain is http://google.com and assume it’s legit,” Johnson explained.

Phishing scams typically use generic greetings, create urgency, and prompt users to click suspicious links.

Even though companies like Google do send emails, they won’t ask you to update login or payment details via clickable links, Google warns.

Johnson’s case highlights how convincing and dangerous these scams have become — and why acting quickly is critical.

For stronger protection, Google recommends switching from a regular password to a passkey, a secure login that works only on your physical device.

This makes it virtually impossible for hackers to log in from another device, even if they steal your credentials, the company said.

As phishing techniques grow more sophisticated, Google’s message is clear: check your recovery settings, enable strong security measures, and don’t wait. The company continues to warn against the Google password hack.