Most accounts need an upgrade, says Google.
Republished on June 23 with an update on the new “record breaking” password leak, and a critical password reset warning for all Google users.
Google has confirmed another attack on Gmail users this week. Yet again, its own infrastructure has been exploited to compromise user accounts. And yet again, it comes with another warning for users to upgrade their accounts — this is now a must.
Earlier this month, I covered Google’s warning that most of its users still only use basic password security and are wide open to data breaches and attacks. “We want to move beyond passwords altogether,” Google said, pushing users to replace them.
Passkeys, it says, “are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.” Put simply, this links account security to hardware security, and means there are no passwords to steal or two-factor authentication (2FA) codes to bypass or intercept.
While that is critical for Gmail users, it’s actually much wider. Google reached out to me after that article to emphasize that the benefits are more significant for users: adding a passkey to a Google account protects all the services and accounts that can be accessed by that sign-in. Conversely, not doing so leaves all those other accounts at risk.
Even if most user accounts were secured by passwords and 2FA codes, there would still be a push to passkeys. And while Google, Microsoft and others make 2FA mandatory, the reality is that there’s still a risk that codes can be shared even if they can’t be stolen. That was the crux of the latest Gmail attack, tricking users into sharing codes.
Scams and Protections (June 2025)
The raft of headlines around a Cybernews report into a new 16 billion record data breach should focus minds, even if it’s “not a new data breach,” per Bleeping Computer: “the websites involved were not recently compromised to steal these credentials.”
Mashable agrees. “Some commentators were quick to call it the largest password leak in history, and in terms of raw records exposed, that’s mostly, technically true. However, these records did not come from a single breach — or even a new breach. Instead, they came from many smaller ones,” with “the end result more a ‘greatest hits’ rather than a new, noteworthy hack.” Albeit that doesn’t change the fact that the data is out there.
Kaspersky says “the journalists haven’t provided any evidence of existence of this database. Therefore, neither Kaspersky’s experts nor anyone else has managed to analyze it. Therefore, we cannot say whether yours – or anyone else’s – data is in there.”
Cybernews has now responded to the viral media response to its article, including the clarifications. “We didn’t expect the hype when we were writing the article. Data breaches and even the biggest-ever data leaks, unfortunately, have become somewhat mundane, and people don’t seem to care that much.”
The team also says “we’re not exaggerating this — if anything, we aren’t doing enough as journalists and users to hold those companies accountable by putting them in the spotlight.” And that’s unarguably right. These are still leaked passwords.
“If your passwords ever get leaked,” Cybernews says in an update to its article, “the damage can go way beyond just one account. Hackers can use that info to mess with your life in all kinds of ways. In the worst cases, they can even take over your digital identity. Once someone gets into your email, for example, they can reset passwords for other accounts and gain access to pretty much everything.”
And that’s exactly why Google says its users should upgrade the security of their accounts. Protecting Gmail also protects everything your Gmail account opens up.
But the onus is on users to change account security. We’re some way off mandatory passkeys, albeit that needs to come, just as mandatory 2FA is now more common. That said, Google’s latest survey paints a bleak picture. Although 60% of U.S. consumers say they “use strong, unique passwords,” fewer than 50% “enable 2FA.”
The truth is that the only form of simple 2FA is SMS codes, which are sent quickly without having to exit the app or click or tap. They even autofill and often auto-delete. But SMS is woefully insecure; it’s the worst possible 2FA option. And anything else — authenticator apps, physical keys, even trusted device or app sign-ins — is more painful.
Passkeys are the opposite. They’re even easier than passwords and SMS 2FA. The code (which you never see) combines your login ID, password and 2FA into a simple sign-in process authenticated by your device security — ideally biometrics. And because there is no code you can see or copy, you can’t share the passkey even if you want to. Even if any of the underlying code is stolen, it only works on your actual device.
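As an added illustration, not code from the article or from Google, the following Go model shows the property the passkey description above relies on: a device-held private key signs a one-time challenge bound to the site it was registered for, so nothing reusable is ever typed, seen or shared, and a captured signature fails on another site or a later login. Site names and the challenge are constructed, and real WebAuthn encodes these fields differently.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Passkey is the credential a device keeps for one site: the private key never leaves the device.
type Passkey struct {
	RPID string            // site the credential was registered for
	priv *ecdsa.PrivateKey // device-bound secret; there is no code to copy or share
}

// Register creates the key pair at sign-up; the site stores only the public key.
func Register(rpID string) (*Passkey, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Passkey{RPID: rpID, priv: priv}, &priv.PublicKey
}

// signedData binds a signature to the site and to its one-time challenge, so it cannot be replayed.
func signedData(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return sum[:]
}

// Assert answers a login prompt; origin is the site the browser is really talking to, not what the page claims.
func (p *Passkey) Assert(origin string, challenge []byte) ([]byte, error) {
	if origin != p.RPID {
		return nil, errors.New("no passkey registered for " + origin) // look-alike domain gets nothing
	}
	return ecdsa.SignASN1(rand.Reader, p.priv, signedData(origin, challenge))
}

// Verify is the site's check against the public key it stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}

func main() {
	pk, pub := Register("accounts.example") // constructed site name and challenge
	sig, _ := pk.Assert("accounts.example", []byte("challenge-1"))
	fmt.Println(Verify(pub, "accounts.example", []byte("challenge-1"), sig))
}
```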
Google is right — this is about much more than Gmail, even if those email account attacks generate headline after headline. There are some misgivings about the dominance and data overreach of big tech when it uses its span of control to sign you into multiple services, even those it doesn’t own or control, but it is more secure.
As Kaspersky suggests, “let’s set skepticism aside. Yes, we don’t reliably know what exactly this leak is, or whose data is in it. But that doesn’t mean you should do nothing. The first and best recommendation is to change your passwords,” which is an obvious immediate step. But it doesn’t solve the problem.
“Use passkeys wherever possible,” Kaspersky also advises. “This is the modern passwordless method of logging into accounts, which is already supported by Google, iCloud, Microsoft, Meta and others.”
Google tells its users that “when you pair the ease and safety of passkeys with your Google Account, you can then use Sign in with Google to log in to your favorite websites and apps — limiting the number of accounts you have to maintain.”
In the meantime, Google and Apple users in particular — but others as well — will need to watch for inevitable texts and emails warning that passwords have been stolen and need to be reset, citing news of this record data breach. Those messages will include links to reset passwords or numbers to call account helplines.
Any such messages are malicious fakes and should be deleted right away. Google will never reach out to its account holders in this way, and any such outreach is an attack. The company has asked me to “please reiterate to your readers that Google will not contact you to reset your password or troubleshoot account issues.”
The FBI warns the same: “Legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals.”
If you receive any form of password reset message, you must access your account in the normal way. If there’s an issue you’ll be directed to a password reset option. Never do this by way of a link, unless you personally requested a password reset using a normal channel and a reset link is then sent to your email or phone number.
Meanwhile, regardless of the provenance of this latest breach news, Cybernews is right when it says “the collection of datasets shows the scale of the problem — billions and billions of passwords and trillions of records, including very private medical, location, and financial data, spill online every day.”