Gmail Password Warning — You Have 7 Days To Act, Google Says

Forbes

02-05-2025

Update, May 2, 2025: This story, originally published May 1, has been updated with details of AI-powered threats that email users need to be aware of as Gmail password hackers attack.
It can't have escaped your attention that May 1 is World Password Day, when security experts and public relations organizations compete to see who can create the most ridiculous password-related stories to feed to the media and public alike. Yes, I'm cynical about the whole charade, as we should be taking password security seriously all year and not just on a designated day — preferably getting rid of them altogether and shifting to the more secure passkey option. It can't have escaped your attention that users of the world's most popular free email platform, Gmail, have been under attack from hackers who seek to compromise passwords and gain access to the valuable data that a Google account can hold. So, dear reader, my password story for May 1 has less to do with making your password stronger and everything to do with getting access to your Gmail account back after a Gmail password hacker has compromised it and locked you out. Google has said you have seven days — yes, a whole week — in which you can get that access back even if the attacker has changed your recovery telephone number.
As you might imagine, given my experiences as a hacker and the fact that I have been writing about cybersecurity matters for more than 30 years now, I receive a lot of emails and messages from people who have fallen victim to attacks and are looking for help. By far the most common of these pleas for help is along the lines of 'Gmail password hackers have compromised my account, changed the recovery options, password, two-factor authentication method, and locked me out — what the heck can I do?'
Unfortunately, these kinds of password-hacking compromises against Gmail users have become increasingly popular as threat actors of all types employ AI-driven attacks to access those highly valuable email accounts. Read on to discover how some of these AI attacks are evolving, as details emerge in a new Check Point Research report.
But first, and rather fortunately, Google is fighting back when it comes to offering both protection against these increasingly sophisticated attackers and help in recovering accounts if a user has fallen victim.
As long as you have had the forethought to provide a recovery telephone number or email address before the attack took place, then you have seven days in which you can regain access to your hacked Gmail account even if the attacker has changed them.
Everyone uses a seatbelt when driving or being driven because it has been proven to dramatically improve safety and reduce the chances of fatality if involved in an accident when compared to not wearing one. Now replace seatbelt with recovery options, car with Gmail account, and accident with incident to arrive at a similar conclusion: having a recovery telephone number in place improves your chances of getting your account back if a hacker attacks.
Likewise, using a phishing-resistant authentication technology, such as a passkey, instead of a password decreases the likelihood of an attacker being successful in the first place. To continue the motoring analogy, a passkey is like a car protected by driveway bollards and a remote kill switch rather than parking on the street and relying on an easily bypassed door lock.
'We recommend all users to set up a recovery phone as well as a recovery email on their account,' Gmail spokesperson Ross Richendrfer told me, 'these can be used in cases where users forget their own passwords, or an attacker changes the credentials after hijacking the account.'
And therein lies the rub for any hacker: if you are the original account holder, despite the best efforts of an attacker to lock you out of your own account by changing all the security options, you can get access back as long as you act within seven days. 'Our automated account recovery process allows a user to use their original recovery factors for up to 7 days after it changes,' Richendrfer said, 'provided they set them up before the incident.'
If you have found yourself locked out of your account following a Gmail password hack attack, Richendrfer said you can refer to the 'How to recover your Google account or Gmail' guidebook for step-by-step instructions on what to do next.
Analysts at Check Point Research have published details of AI-powered threats, no longer theoretical and very much right here and evolving rapidly, that put your Gmail password at risk. 'As access to Al tools becomes more widespread,' Lotem Finkelstein, director of Check Point Research, said, 'threat actors exploit this shift in two key ways: by leveraging Al to enhance their capabilities and targeting organizations and individuals adopting Al technologies.' It's the former that I'm concerned about in the context of this article about losing control of your Gmail account. It should go without saying, however, that the same AI threats apply to whatever email platform you use, and beyond to most online service accounts in fact.
The use of social engineering is the de facto tactic employed by most attackers looking to compromise a Gmail email account. Indeed, even those attacks that are looking to exploit a known security vulnerability will often begin by exploiting human nature first. These social engineering, or phishing, if you prefer, attacks will leverage every possible media type to convince the victim it is a genuine communication that needs to be interacted with as a matter of urgency. Be it by way of text, audio, or imagery, the phishing attacker will employ it. The problem is, as Check Point Research said, 'with recent advancements in AI, attackers can create authentic-looking materials at scale, conduct automated chats, and hold real-time audio and video conferences while impersonating others.' No wonder so many people are taken in, and so many passwords get compromised, leading to a Gmail account lockout.
The Check Point Report warned that AI-driven tools now proliferate on criminal forums, on the dark web, and in surface web criminal forums, leading to a critical compromise of our ability to rely upon audio and visual clues to determine fact from fiction. 'Fully autonomous audio deepfake tools for large-scale phone scams are already available,' Check Point said, 'meaning that recognizing a familiar face or voice is no longer sufficient proof of identity; instead, interactions must be reinforced by additional authentication measures.'
Don't let Gmail password hackers lock you out of your account. Be alert to every communication and question everything — no matter how realistic it looks or sounds.