No we didn’t warn all Gmail users about imminent digital doom, says Google

Cybersecurity publications are rife with headlines about breaches and threats, but sometimes things aren’t always what they seem. In fact sometimes they’re plain wrong (remember toothbrushgate)? This week, Google highlighted another story that it said was fake – and this one was about its own services.

“Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false,” it said in a blog post debunking the claim.

The blog post doesn’t actually mention what the fake claim is, presumably in an attempt not to spread it. So we’re left guessing. What’s the biggest, scariest cybersecurity claim made about Google lately? Probably the one about Google warning 2.5 billion users about a recent attack on its systems.

The most difficult falsehoods to debunk are those where there’s a grain of truth. In this case there was an attack on Google’s systems. What’s at issue is how bad the attack was and what it did afterwards.

Here’s what happened. In June, Google was compromised by a group that it calls UNC6040 (the group is also widely known as ‘ShinyHunters’). This group targets companies that use the Salesforce enterprise software. It ‘voice phishes’ employees from those companies, impersonating IT staff and persuading them to enter their credentials on a web page. that page authorizes the intruders to access their Salesforce account, downloading sensitive data.

“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” Google said in its blog post about the incident, adding that it had notified all users by August 8.

However, some have suggested that Google’s ShinyHunters compromise has put 2.5 billion users at risk from phishing attacks, and that Google sent out an emergency warning to them. That story appears to have gone viral, and Google says it’s wrong. It didn’t send out that warning, and in spite of the attack on its systems, most of its users aren’t at any more risk than they were before.

“While it’s always the case that phishers are looking for ways to infiltrate inboxes, our protections continue to block more than 99.9% of phishing and malware attempts from reaching users,” the company said in its refutation.

The cybersecurity press is prone to sensational headlines. But publishing clickbait helps no one in the end, of course, because people can only stand so much panic. Eventually they’ll switch off, making it more difficult for legitimate, measured security alerts to make it through.

The fact that Google users aren’t in imminent elevated danger doesn’t change the need for basic cybersecurity hygiene. As Google points out, potential attackers are always rattling our digital doorknobs. We should always be on our guard and make it more difficult for them to get in.

“As best practices for additional protection, we encourage users to use a secure password alternative like Passkeys, and to follow these best practices to spot and report phishing attacks,” it concluded.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.