
Gmail users attacked by hackers, Google confirms: Here’s what you can do to safeguard your account

Google has confirmed that hackers have launched a new kind of attack that could put your account at risk, even if you think you’re being careful.

June 25, 2025 / 08:01 IST

If you use Gmail, here’s a heads-up: Google has confirmed that hackers have launched a new kind of attack that could put your account at risk, even if you think you’re being careful.

The attack, which was uncovered by Google’s Threat Intelligence Group and Citizen Lab, is linked to Russian state-backed hackers. They managed to trick high-profile targets by using what looked like real U.S. State Department email addresses. The emails included calendar invites and PDFs. And that’s where the trap was set.

Once the victim clicked the PDF, it asked them to visit a real Google URL: https://account.google.com. It seemed trustworthy. But the goal was to get users to create something called an App-Specific Password (ASP)—a special 16-digit password meant for apps that don’t support two-step verification.

Then, the hackers told victims to share a screenshot of this ASP in order to "open the document." Once the attacker had it, they used the ASP to log into the user’s Gmail account without needing any extra verification.

Here’s the scary part: these ASPs are created and controlled by users. Unless you know you’ve been targeted, you wouldn’t think to revoke them.

What you should do now:

-- Don’t use App-Specific Passwords unless absolutely necessary. Google now says these are outdated and not needed in most cases.

-- Never share an ASP, no matter how convincing a message looks.

-- Stick to “Sign in with Google” when linking third-party apps to your account; it’s the safer option.

If you’re in a sensitive job, or consider yourself a potential high-value target, consider enrolling in Google’s Advanced Protection Program. It’s built for people who need extra account security.

Even if this attack was aimed at a small group, the method could be used in larger scams soon. So stay alert, and never share special passwords or access codes—no matter how real the request looks.

MC Tech Desk
first published: Jun 25, 2025 08:00 am
