{"id":304246,"date":"2025-07-30T15:36:16","date_gmt":"2025-07-30T15:36:16","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/304246\/"},"modified":"2025-07-30T15:36:16","modified_gmt":"2025-07-30T15:36:16","slug":"gmails-new-password-warning-update-accounts-now-as-attacks-surge","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/304246\/","title":{"rendered":"Gmail\u2019s New Password Warning \u2014 Update Accounts Now As Attacks Surge"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/07\/1753889776_725_960x0.jpg\" alt=\"Gmail logo on a smartphone, with computer code seen behind and 'password' highlighted in red.\" data-height=\"3156\" data-width=\"4732\" style=\"position:absolute;top:0\"\/><\/p>\n<p class=\"color-body light-text\" role=\"button\">Change your Gmail password now \u2014 Google warns users.<\/p>\n<p>SOPA Images\/LightRocket via Getty Images<\/p>\n<p>Update, July 30, 2025: This story, originally published on July 28, has been updated with confirmation of a second Google security update: Gmail passkey and Device Bound Session Credentials announcements are now joined by Project Zero reporting transparency changes.<\/p>\n<p>It\u2019s official: Google accounts are <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/25\/gmail-and-samsung-account-deletions---why-94-of-you-must-act-now\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/25\/gmail-and-samsung-account-deletions---why-94-of-you-must-act-now\/\" target=\"_self\" aria-label=\"under attack\" rel=\"noopener\">under attack<\/a>, and those attacks have spiked by an incredible amount. 
According to Google itself, it observed an 84% increase in Gmail two-factor authentication <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/04\/fbi-2fa-bypass-warning-issued---the-attacks-have-started\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/04\/fbi-2fa-bypass-warning-issued---the-attacks-have-started\/\" target=\"_self\" aria-label=\"bypass attacks\" rel=\"noopener\">bypass attacks<\/a> across 2024 and has now confirmed that this \u201chas only intensified in 2025.\u201d When it comes to the bigger picture, phishing and <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/01\/secure-your-gmail-now-as-google-warns-of-password-attacks\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/07\/01\/secure-your-gmail-now-as-google-warns-of-password-attacks\/\" target=\"_self\" aria-label=\"credential theft\" rel=\"noopener\">credential theft<\/a> are now behind more than a third of all successful <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/05\/08\/new-gmail-2fa-code-attack-alert---dont-lose-your-account-access\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/05\/08\/new-gmail-2fa-code-attack-alert---dont-lose-your-account-access\/\" target=\"_self\" aria-label=\"Google account attacks\" rel=\"noopener\">Google account attacks<\/a>. 
But Google has been fighting back, and a July 29 announcement outlines a new security protection being offered to some, along with a warning for all users to change their passwords now.<\/p>\n<p>Change Your Gmail Password Now As Attacks Escalate<\/p>\n<p>It is always refreshing to hear the largest of tech companies being honest about the security challenges they face, and Google certainly falls into this category. 
More so when you are talking about Gmail, with some 2.5 billion users worldwide, and under constant attack, like all large email platforms, from threat actors looking to compromise accounts.<\/p>\n<p>\u201cAttackers are intensifying their phishing and credential theft methods,\u201d Andy Wen, senior director of product management at Google, has warned, \u201cwhich drive 37% of successful intrusions.\u201d What\u2019s more, Wen continued, \u201cwe\u2019ve seen an exponential rise in cookie and authentication token theft as a preferred method for attackers.\u201d Thankfully, the <a class=\"color-link\" href=\"https:\/\/workspace.google.com\/blog\/identity-and-security\/defending-against-account-takeovers-top-threats-passkeys-and-dbsc?e=48754805\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/workspace.google.com\/blog\/identity-and-security\/defending-against-account-takeovers-top-threats-passkeys-and-dbsc?e=48754805\" aria-label=\"Google announcement\">Google announcement<\/a> does not stop there. Instead, it shares account security enhancements to mitigate just these types of attacks.<\/p>\n<p>While the Google announcement itself is directed at Google Workspace customers specifically, the first of the recommendations forms a warning that all 2.5 billion Gmail users should heed: update your account from using a password to a passkey. The \u201cenhancement\u201d that Google is referring to here is that such passkey support is now available, with \u201cexpanded admin capabilities to audit enrollment and restrict passkeys to physical security keys,\u201d to more than 11 million Google Workspace customers. That\u2019s important, of course, but please make the change from password to passkey regardless of whether you are using a paid-for or free Gmail account. 
The attackers, I can assure you, couldn\u2019t care less.<\/p>\n<p>The other advice is strictly for those Workspace customers, however, and comes by way of an open beta of Device Bound Session Credentials to protect against those 2FA cookie bypass attacks mentioned earlier, as well as another beta, a shared signals framework, that will be offered to \u201cselect customers and partners\u201d later this year.<\/p>\n<p>\u201cThese advancements can meaningfully enhance account security,\u201d Wen said, \u201cmarking a major step forward in defending against account takeovers for Google Workspace customers.\u201d<\/p>\n<p>Device Bound Session Credentials provide users with enhanced post-authentication protection, Wen explained, by helping to ensure that only the originating device can access the active session which, therefore, reduces the risk of cookie theft and 2FA bypass. 
DBSC also provides stronger session integrity, Google said, by bolstering protections with \u201cmore granular account attributes when used together with context-aware access, even if an attacker obtains login credentials after the initial login.\u201d<\/p>\n<p>Not Just Gmail \u2014 Google Announces Project Zero Transparency Changes<\/p>\n<p>A July 30 announcement by the <a class=\"color-link\" href=\"https:\/\/googleprojectzero.blogspot.com\/2025\/07\/reporting-transparency.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/googleprojectzero.blogspot.com\/2025\/07\/reporting-transparency.html\" aria-label=\"Project Zero team\">Project Zero team<\/a> is the second major confirmation of security changes from Google in as many days. Tim Willis, head of Google\u2019s Project Zero, founded in 2014 and tasked with uncovering zero-day security vulnerabilities, has confirmed that changes are being introduced to reduce the \u201cpatch gap\u201d or delay between finding a vulnerability and getting the fix to your devices.<\/p>\n<p>The patch gap is, Willis admitted, a very complex issue to solve and goes beyond my oversimplistic description above. \u201cOur work has highlighted a critical, earlier delay: the upstream patch gap,\u201d Willis said, explaining that this covers the period between an upstream vendor having a fix and it getting integrated into \u201cdownstream dependents\u201d products that can be distributed to users. \u201cThis upstream gap significantly extends the vulnerability lifecycle,\u201d Willis warned.<\/p>\n<p>Enter reporting transparency, or rather, Google Project Zero\u2019s reporting transparency trial. The existing core 90-day vulnerability disclosure deadline is going nowhere and will remain in effect, but it will be amended by an addition at the beginning of the process itself. 
As of today, Willis has confirmed, Google Project Zero will publicly share that a vulnerability has been discovered and do so within a week of it being reported to a vendor.<\/p>\n<p>\u201cWe hope that this trial will encourage the creation of stronger communication channels between upstream vendors and downstream dependents relating to security,\u201d Willis concluded, \u201cleading to faster patches and improved patch adoption for end users.\u201d<\/p>\n<p>Why All Users Should Update Gmail Accounts To Use Passkey Protection<\/p>\n<p>The <a class=\"color-link\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/19\/stop-using-your-password---800-million-stolen-passwords-listed-online\/\" data-ga-track=\"InternalLink:https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/04\/19\/stop-using-your-password---800-million-stolen-passwords-listed-online\/\" target=\"_self\" aria-label=\"benefits of passkeys\" rel=\"noopener\">benefits of passkeys<\/a> compared to passwords are no secret, and have been put forward time and time again. 
Wen has reinforced the greater security that can be offered by making this one simple change: \u201cUnlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user\u2019s device.\u201d<\/p>\n<p>Here are three reasons why Google wants all users to switch to passkey technology, and switch now:<\/p>\n<ol>\n<li>Passkeys are inherently more phishing-resistant because users cannot be tricked into handing over passkeys to a malicious actor.<\/li>\n<li>Signing in with passkeys is as simple as unlocking your device with a PIN or biometrics, such as a fingerprint or facial recognition.<\/li>\n<li>Unlike passwords that are often reused, each passkey is unique and generated for each specific website or service.<\/li>\n<\/ol>\n<p>So, what are you waiting for? Take note of the Google warning and update your Gmail account security now.<\/p>\n","protected":false},"excerpt":{"rendered":"Change your Gmail password now \u2014 Google warns users. 
SOPA Images\/LightRocket via Getty Images Update, July 30, 2025:&hellip;\n","protected":false},"author":2,"featured_media":304247,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[112027,112021,112023,24781,112020,112019,112022,112024,112026,112025,53,16,15],"class_list":{"0":"post-304246","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-dbsc","9":"tag-gmail-2fa","10":"tag-gmail-2fa-bypass","11":"tag-gmail-hack","12":"tag-gmail-passkey","13":"tag-gmail-password","14":"tag-gmail-password-hacked","15":"tag-google-2fa","16":"tag-google-device-bound-session-credentials","17":"tag-google-password-hack","18":"tag-technology","19":"tag-uk","20":"tag-united-kingdom"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/114942928093776401","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/304246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=304246"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/304246\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/304247"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=304246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=304246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/t
ags?post=304246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}