Google denies reports that 2.5 billion Gmail users were impacted by security issue

Gmail users have been sweating over security recently, after Google reportedly sent notifications to its 2.5 billion users warning of a serious security issue. Now Google is denying these reports, reassuring users that Gmail's security is "strong and effective." It turns out that all that alarm may have simply been the result of misinformation.

In a blog post on Monday, Google officially refuted claims that its popular email service Gmail had recently suffered a massive security breach.

"Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue," Google wrote. "This is entirely false."

While Google's post doesn't explicitly lay out the claims it refers to, the statement appears to address sweeping security notifications it allegedly sent to Gmail's 2.5 billion users in late July and early August. These notifications reportedly warned of an increase in phishing attacks, as well as a hack which put all Gmail users at risk. Mashable and multiple other outlets reported on the story last week, warning Gmail users to change their passwords.

Such reports may have left some Gmail users scratching their heads, having not received any such notification from Google. As 2.5 billion encompasses Gmail's entire active user base, one would expect every user to receive Google's warning.

It now seems that the security issue at the heart of this tale may not have been the enormous breach that was claimed, and far fewer people were impacted than was first believed.

You probably weren't impacted by the Gmail security breach

While Google did experience a security incident in recent months, it concerned the company's corporate Salesforce server in June (Salesforce offers customer relationship management software). Google stated last month that, upon breaching the server, the hacker was only able to retrieve publicly available business information before they were ejected. Such information included business names and contact details, which isn't exactly private or sensitive information.

Google further noted that those impacted by the incident were being informed, with everyone having been notified by early August. While the company did not state how many users were affected, it appears to have been a far smaller number than the 2.5 billion initially reported.

Like any good rumour, there is a kernel of truth to this story. In July, Google did publish a blog warning that phishing attacks have been intensifying. However, the post did not reference any specific attack, and merely offered the general information to contextualise new security features it was announcing to protect against such intrusions. Gmail users aren't in any more danger from hackers than they usually are, and certainly not due to a breach of Google's Salesforce server.

"While it’s always the case that phishers are looking for ways to infiltrate inboxes, our protections continue to block more than 99.9% of phishing and malware attempts from reaching users," Google wrote in its Monday post. "Our teams invest heavily, innovate constantly, and communicate clearly about the risks and protections we have in place. It’s crucial that conversation in this space is accurate and factual."

In addition to emphasising its own efforts, Google further took the opportunity to encourage users to remain vigilant about their online security, recommending that they keep an eye out for phishing attacks and use password alternatives such as passkeys.

Fortunately, there's no harm done if last week's news sent you rushing to change your Gmail password. In fact, it's generally considered good practice to change up your password now and then. Just consider this a reminder to stay on top of your security hygiene, and breathe a sigh of relief that this breach was nowhere near as serious as some others have been.