Whilst millions of Gmail passwords have not suddenly leaked, despite multiple reports, Google warns compromised security credentials are giving hackers access to accounts. Its advice is clear — if you have not done so already, make this account change now.
For the second time in just a few weeks, Google hit back as reports (1,2) suggested a massive new password leak. “Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defenses are strong, and users remain protected.”
But just because the breach is not new does not mean it’s not dangerous. Google says users should “reset passwords when they are found in large batches like this.” In reality, don’t wait for a breach to turn up. While regularly changing passwords is no longer considered best practice, ensuring passwords are strong and unique certainly is.
But passwords will always be vulnerable to being leaked or stolen. “Attackers are intensifying their phishing and credential theft methods, which drive 37% of successful intrusions,” Google warns, pointing to “an exponential rise in cookie and authentication token theft as a preferred method for attackers, with an 84% increase in infostealers.”
That’s why Google tells users that “adopting passkeys as a stronger and safer alternative to passwords” stops account password compromises.
And on that note, with these latest “Gmail security breach” headlines still swirling, there was some quieter, better news for Google and its billions of Gmail account holders.
“Google commands half of all passkey authentication activity,” Dashlane confirmed in its latest passkey adoption report. “A scale so dominant that including it in our top 20 would distort the competitive landscape for other services.” According to the password manager, “Google’s sheer volume dwarfs that of other platforms.”
This, it says, was driven “by a pivotal product decision: In October 2023, Google made passkeys the default login option for personal Google Accounts. This move effectively exposed hundreds of millions of users to passwordless authentication, creating the largest real-world deployment of passkeys to date.”
The result: “Google passkey authentications exploded by 352% over the past year.”
Unlike Microsoft, Google is not yet advocating for the complete deletion of passwords. But it does say that defaulting to passkeys means users can set complex passwords and choose multi-factor authentication options that don’t need to be as convenient as SMS.
As such, while adopting passkeys is the solution, it only works if you stop using your password — even if a password remains on the account (with MFA) as a back-up.
“Google’s approach demonstrates the power of defaults,” Dashlane says. “By making passkeys the path of least resistance rather than an opt-in security feature, Google transformed passkey adoption from a trickle into a flood.”
