
Gmail users attacked by hackers, Google confirms – status update & 7‑day recovery guide

Google confirms Gmail phishing campaign using OAuth and DKIM exploit – how attackers hijacked accounts and what users must do within 7 days to recover access


A fresh wave of sophisticated phishing attacks is targeting millions of Gmail users worldwide, prompting a swift response from Google. The campaign, which surfaced in April 2025, uses deceptive emails crafted to appear as if they were sent by Google itself — tricking users into handing over their credentials and, in some cases, locking them out of their accounts entirely.

Google has confirmed that the attackers abused two widely used mechanisms, DKIM (DomainKeys Identified Mail) and OAuth, to get past Gmail's security checks. Because the messages carried a valid DKIM signature, they passed the authentication checks that normally catch look-alike mail and could convincingly imitate legitimate communications such as password reset requests. Once recipients interacted with the fraudulent messages, attackers were able to hijack their accounts, alter recovery settings and, in some cases, register passkeys to block access by the rightful owner.

What happened?

  • Phishing disguised as legitimate communications
    Hackers crafted emails that mimicked genuine Google notifications, including password resets, by abusing DomainKeys Identified Mail (DKIM). Because the messages were relayed through servers that had legitimately authenticated them, they arrived with a valid DKIM signature and passed the checks that normally stop spoofed mail; an OAuth loophole was used alongside this to bypass Google's phishing defences.

  • Account takeover and lock‑out
    Once users interacted with fraudulent links or entered credentials, attackers gained access, enabling them to reset passwords, modify recovery emails and phone numbers, and even set passkeys—locking legitimate users out entirely.

  • Wide‑scale potential and urgency
    With over 1.8 billion Gmail users globally, Google confirmed this was not an isolated incident but part of a coordinated campaign targeting large numbers of users. Google says it has shut down the avenue of abuse and reinforced its defences, yet users remain at risk if they do not update their own security settings.
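To make the DKIM point concrete, here is an added example (the editor's own, not code from the article or from Google) that triages a raw message the way a mail administrator would: it treats a `dkim=pass` result as necessary but not sufficient, then checks whether the signed `To:` header is actually the receiving mailbox and whether `Reply-To` and any links stay on the signing domain. Both messages, the selector name and the `attacker.example` and `login-google.example` hosts are constructed for the demo, and the checks are the editor's heuristics, not Google's detection logic.

```python
"""Header triage for a mail that claims to come from Google and passes DKIM.

Added example by the editor, not code from the article or from Google.
The two messages below are constructed; the checks are illustrative
heuristics, not Google's own detection logic.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed: DKIM passes for google.com, yet the signed To: header is not
# the mailbox that received it, and Reply-To and the link point elsewhere.
# bh= and b= are placeholders; nothing here verifies the signature itself.
SUSPECT_RAW = """\
Authentication-Results: mx.example.net; dkim=pass header.d=accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=selector1;
 h=from:to:subject:date; bh=placeholder; b=placeholder
From: Google <no-reply@accounts.google.com>
To: me@attacker.example
Reply-To: support@attacker.example
Subject: Security alert: password reset requested
Date: Tue, 15 Apr 2025 10:00:00 +0000
Content-Type: text/plain; charset="utf-8"

A password reset was requested for your account. Review it here:
https://login-google.example/reset
"""

# Constructed: a benign notification addressed to the recipient, with
# everything aligned on google.com.
CLEAN_RAW = """\
Authentication-Results: mx.example.net; dkim=pass header.d=accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=selector1;
 h=from:to:subject:date; bh=placeholder; b=placeholder
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: New sign-in on Windows
Date: Tue, 15 Apr 2025 10:05:00 +0000
Content-Type: text/plain; charset="utf-8"

Review the activity at https://myaccount.google.com/notifications
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of a mailbox, or '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _org(domain: str) -> str:
    """Crude organisational domain (last two labels); enough for this demo."""
    return ".".join(domain.split(".")[-2:])


def _tag(header: str, name: str) -> str:
    """Value of one tag=value pair in a DKIM-Signature header."""
    m = re.search(rf"(?:^|;)\s*{name}=([^;]*)", " ".join(header.split()))
    return m.group(1).strip() if m else ""


def triage(raw: str, my_address: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    auth = str(msg.get("Authentication-Results", ""))
    sig = str(msg.get("DKIM-Signature", ""))
    from_dom = _domain(str(msg.get("From", "")))
    signed_dom = _tag(sig, "d").lower()
    signed_headers = {h.strip().lower() for h in _tag(sig, "h").split(":")}

    if "dkim=pass" not in auth:
        findings.append(("dkim-fail", "message did not pass DKIM at all"))
    elif _org(signed_dom) != _org(from_dom):
        findings.append(("from-dkim-mismatch",
                         f"signed by {signed_dom} but From is {from_dom}"))

    # A valid signature only proves the signing domain sent *this exact*
    # message once.  If the signed To: header is not you, the signature was
    # earned on a message addressed to someone else and then relayed to you.
    recipients = {a.lower() for _, a in getaddresses([str(msg.get("To", ""))])}
    if "to" in signed_headers and my_address.lower() not in recipients:
        findings.append(("to-mismatch",
                         f"signed To: {sorted(recipients)} is not {my_address}"))

    reply_dom = _domain(str(msg.get("Reply-To", "")))
    if reply_dom and _org(reply_dom) != _org(from_dom):
        findings.append(("reply-to-offdomain", f"Reply-To points at {reply_dom}"))

    body = msg.get_body(preferencelist=("plain",)).get_content()
    for host in re.findall(r"https?://([^/\s]+)", body):
        if _org(host.lower()) != _org(from_dom):
            findings.append(("link-offdomain", f"link to {host}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SUSPECT_RAW, "victim@example.net"):
        print(f"{code:20} {detail}")
    print("clean message:", triage(CLEAN_RAW, "victim@example.net"))
```

Run as a script it reports three findings on the suspect message and none on the clean one. The check that matters is the `To:` comparison: a signature that validates proves only that the signing domain sent that exact message once, to whoever is named in the signed headers, which is why a filter that stops at `dkim=pass` lets this class of mail through.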

Current status

  1. Google has closed the loophole
    The exploited DKIM/OAuth vulnerability has been patched. According to a Google spokesperson, “We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse”.

  2. Mandatory security upgrades ahead
    Google is requiring two‑step verification for all 1.8 billion users, with a grace period of 15–30 days. Accounts that do not comply may lose access.

  3. Global data breach context
    A separate incident last month saw a compilation of some 16 billion login credentials, including credentials for some Gmail accounts, exposed online. Researchers describe it as one of the largest such exposures on record. The data was aggregated largely from infostealer malware logs and earlier leaks rather than taken from a breach of Google's systems, but it still raises the risk of credential stuffing, phishing and account takeover for anyone whose password appears in it.

Tips to safeguard your Gmail account

To protect yourself and stay ahead of sophisticated threats, follow these essential steps:


1. Enable two‑factor authentication (2FA) without delay

2FA adds a vital second layer: a stolen password alone is no longer enough to sign in. Google offers verification via a text message, an authenticator app, a Google prompt on a trusted device, or a physical security key. Prefer a security key or an authenticator app over text messages, which can be intercepted through SIM swapping.

Set up now: Google account ▶ Security ▶ 2‑Step Verification ▶ choose your method.

2. Switch to passkeys for phishing‑resistant login

Passkeys are cryptographic credentials stored on your device and unlocked with a biometric or PIN. The private key never leaves the device and the credential is bound to Google's own domain, so a look‑alike site cannot use it even if you are tricked into visiting one. They are resilient against phishing and are strongly recommended by Google.

To enable: Google account ▶ Security ▶ Sign‑in method ▶ Add passkey.

3. Conduct a Security Check‑up

Google’s Security Check‑up tool helps review recovery options, connected apps, recent log‑ins, and more — offering step‑by‑step protection.

Access: Google account ▶ Security ▶ Security Check‑up.

4. Join the Advanced Protection Programme

Ideal for users at high risk, such as journalists, activists or executives. It enforces stricter sign‑in policies (a passkey or physical security key is required), blocks most third‑party apps from accessing your Gmail and Drive data, performs extra checks on downloads, and applies a more rigorous account recovery process.

5. Fortify your password

Use a long, unique passphrase; avoid common words and never reuse a password across sites. Change it whenever you suspect it has been exposed, and use a dedicated password manager so that each account can have its own.

6. Verify emails and avoid suspicious links

Always hover over links before clicking. If an email urges immediate action, open Gmail or your Google Account directly in the browser rather than following embedded links. Remember that a message passing authentication shows only that it was signed by the sending domain, not that it was meant for you or that its links are safe.

7. Monitor third‑party access

Review which apps or services are authorised to access your Gmail and revoke those no longer needed. Check: Google account ▶ Security ▶ Your connections to third‑party apps & services.

8. Check recent account activity

Gmail’s “Last account activity” feature shows login IPs and times. Investigate any unrecognised access. You’ll find this in Gmail bottom‑right corner under “Details”.

9. Ensure recovery options are valid

Set up a recovery phone number and email. If a hacker removes or changes them, Google keeps the old details usable for a limited period (around seven days), so you can still use them to regain control.

10. Keep software updated and anti‑malware installed

Ensure your operating system, browser and Gmail apps are current. Use reputable antivirus software to prevent malware and info‑stealers.

If your account is compromised

  1. Change password immediately, using a strong, unique combination.

  2. Revoke suspicious third‑party access via account settings.

  3. Start account recovery promptly. You have a seven‑day window using original recovery info.

  4. Enable 2FA and passkeys before proceeding further.

  5. Check email forwarding rules and filters — attackers often hide these to capture future messages.

  6. Inform contacts if suspicious emails were sent from your address.

  7. Run deep malware scans and, if necessary, factory‑reset affected devices.
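Step 5 above, checking forwarding rules and filters, is the one most often skipped, and a planted filter survives a password change. As an added example (the editor's, not code from the article or from Google), the script below parses an export from Settings ▶ Filters and Blocked Addresses ▶ Export, which Gmail produces as an Atom feed of `apps:property` elements, and flags rules that forward mail elsewhere or that trash or silently archive security‑related messages. The export is constructed for the demo, the `attacker.example` address is made up, and the keyword list and scoring are the editor's assumptions.

```python
"""Audit a Gmail filter export for rules an intruder would plant.

Added example by the editor, not from the article or from Google. The XML
below is constructed in the shape of Gmail's filter export (an Atom feed
with apps:property elements); the keyword list and scoring are the editor's.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Terms attackers typically silence: sign-in alerts, password and recovery
# changes, verification codes.  Editor's list; extend to taste.
SENSITIVE_TERMS = ("security alert", "password", "recovery", "verification",
                   "sign-in", "new device", "accounts.google.com")

# Constructed export: one benign newsletter filter, one exfiltration rule,
# one rule that hides Google's own security mail.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='news@weekly.example'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice OR bank'/>
    <apps:property name='forwardTo' value='drop@attacker.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='no-reply@accounts.google.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""

CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")


def parse_filters(xml_text: str) -> list[dict[str, str]]:
    """Each <entry> becomes a dict of its apps:property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit(filters: list[dict[str, str]]) -> list[tuple[int, str]]:
    """Return (index, reason) for every rule that deserves a human look."""
    findings = []
    for i, f in enumerate(filters):
        criteria = " ".join(f.get(k, "") for k in CRITERIA_KEYS).lower()
        sensitive = any(term in criteria for term in SENSITIVE_TERMS)
        trashes = f.get("shouldTrash") == "true"
        mutes = (f.get("shouldArchive") == "true"
                 and f.get("shouldMarkAsRead") == "true")
        if "forwardTo" in f:
            # Any forwarding rule is worth reviewing, whatever it matches.
            findings.append((i, f"forwards matching mail to {f['forwardTo']}"))
        elif trashes and sensitive:
            findings.append((i, "trashes security-related mail"))
        elif mutes and sensitive:
            findings.append((i, "silently archives security-related mail"))
    return findings


if __name__ == "__main__":
    rules = parse_filters(SAMPLE_EXPORT)
    for index, reason in audit(rules):
        print(f"filter #{index}: {reason}  {rules[index]}")
```

Point it at your real export (`parse_filters(open("mailFilters.xml").read())`) and review every hit. Note that the filter export does not include the account‑wide forwarding address set under Settings ▶ Forwarding and POP/IMAP, nor any delegated accounts under Settings ▶ Accounts; check both of those in the Gmail interface as well.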

7-Day Gmail Recovery Guide

If hackers change your password or remove recovery options, Google allows a 7-day window to reverse those changes — after which regaining access may be impossible without intervention.

Follow these steps within that timeframe:

  1. Visit Google’s Account Recovery page:
    https://accounts.google.com/signin/recovery

  2. Enter your Gmail address and follow the prompts
    Provide previous passwords, recovery email or phone number, and when you last accessed your account.

  3. Use your original recovery methods
    If recovery info (email/phone) was recently removed, Google temporarily retains them for up to 7 days, allowing re-verification during this period.

  4. Check backup options
    If you’re enrolled in 2FA or Advanced Protection, attempt verification via trusted devices or keys.

  5. Monitor for confirmation
    Once verified, change your password immediately and remove any unfamiliar devices or app authorisations.

  6. Reinforce protection
    Enable passkeys or 2FA, update recovery info, and run a Security Check-up.

Final thoughts

This recent Gmail hack campaign highlights a shift in cyber‑threats from bulk phishing to targeted, high‑fidelity attacks that ride on legitimately authenticated mail, abusing DKIM and OAuth rather than crudely spoofing headers. Google’s response is robust, but user action remains critical.

Adopt a multi‑layered security approach: strong, unique passwords, 2FA or passkeys, a regular Security Check‑up, Advanced Protection for high‑risk users, and vigilance against suspicious emails. These measures greatly reduce your risk and improve your resilience.

Share this guide with friends and family — safeguarding your Gmail isn’t just an option, it’s essential in 2025’s cyber landscape.

Tech Observer Desk
Tech Observer Desk at TechObserver.in is a team of technology reporters led by a senior editor who brings latest updates and developments from the world of technology.