![\"Google](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/06\/1750500969_31_960x0.jpg\")
<\/p>\n<\/p>\n
Most accoiunts need an upgrade, says Google.<\/p>\n
AFP via Getty Images<\/p>\n
Republished on June 21 with new advice after \u201crecord breaking\u201d security alert.<\/p>\n
Google has confirmed another atack on Gmail users<\/a> this week. Yet again, its own infrastructure has been exploited to compromise user accounts. And yet again, it comes with another warning for users to upgrade their accounts \u2014 this is now a must.<\/p>\n Earlier this month, I covered Google\u2019s warning<\/a> that most of its users still only use basic password security and are wide open to data breaches and attacks. \u201cWe want to move beyond passwords altogether,” Google said,<\/a> pushing users to replace them.<\/p>\n ForbesStop Using Your Microsoft, Google And Facebook PasswordsBy Zak Doffman<\/a><\/p>\n Passkeys<\/a>, it says, “are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) \u2014 no password required.\u201d Put simply, this links account security to hardware security, and means there are no passwords to steal or two-factor authentication (2FA) codes to bypass or intercept.<\/p>\n While that is critical for Gmail users, it\u2019s actually much wider. Google reached out to me after that article, to emphasize that the benefits are more significant for users: Adding a passkey to a Google account protects all the services and accounts that can be accessed by that sign in. Conversely, not doing so leaves all those other accounts at risk.<\/p>\n Even if most user accounts were secured by passwords and 2FA codes, there would still be a push to passkeys. And while Google, Microsoft and others make 2FA mandatory, the reality is that there\u2019s still a risk that codes can be shared even if they can\u2019t be stolen. That was the crux of the latest Gmail attack, tricking users into sharing codes.<\/p>\n Scams and Protections (June 2025)<\/p>\n Google \/ Morning Consult<\/p>\n The raft of headlines around a new 16 billion record data breach<\/a> should focus minds, even if \u201cthis is not a new data breach, or a breach at all,\u201d says Bleeping Computer<\/a>. \u201cThe websites involved were not recently compromised to steal these credentials.\u201d<\/p>\n Mashable<\/a> agrees. \u201cSome commentators were quick to call it the largest password leak in history, and in terms of raw records exposed, that\u2019s mostly, technically true. However, these records did not come from a single breach \u2014 or even a new breach. Instead, they came from many smaller ones,” with \u201cthe end result more a \u2018greatest hits\u2019 rather than a new, noteworthy hack.\u201d Albeit that doesn\u2019t change the fact the data is out there.<\/p>\n Kaspersky<\/a> says \u201cthe journalists haven\u2019t provided any evidence of existence of this database. Therefore, neither Kaspersky\u2019s experts nor anyone else has managed to analyze it. Therefore, we cannot say whether yours \u2013 or anyone else\u2019s \u2013 data is in there.\u201d<\/p>\n But, regardless, Google\u2019s latest survey still paints a bleak picture. Although \u201c60% of U.S. consumers say they \u201cuse strong, unique passwords,\u201d less than 50% \u201cenable 2FA.\u201d<\/p>\n The truth is that the only form of simple 2FA is SMS codes, which are sent quickly without having to exit the app or click or tap. They even autofill and often auto-delete. But SMS is woefully insecure, it\u2019s the worst possible 2FA option<\/a>. And anything else \u2014 authenticator apps, physical keys, even trusted device or app sign-ins \u2014 is more painful.<\/p>\n Passkeys are the opposite. They\u2019re even easier than passwords and SMS 2FA. The code (which you never see) combines your login ID, password and 2FA into a simple sign-in process authenticated by your device security \u2014 ideally biometrics. And because there is no code you can see or copy, you can\u2019t share the passkey even if you want to. Even if any of the underlying code is stolen, it only works on your actual device.<\/p>\n Google is right \u2014 this is about much more than Gmail, even if those email account attacks generate headline after headline. While there are some misgivings about the dominance and data overreach in big tech using its span of control to sign you into multiple services, even those they don\u2019t own or control, it is more secure.<\/p>\n As Kaspersky suggests, \u201clet\u2019s set skepticism aside. Yes, we don\u2019t reliably know what exactly this leak is, or whose data is in it. But that doesn\u2019t mean you should do nothing. The first and best recommendation is to change your passwords,\u201d which is an obvious immediate step. But it doesn\u2019t solve the problem.<\/p>\n