Google has 1.8 billion Gmail users worldwide, and the company recently issued a major warning to all of those users about a “new wave of threats” to cybersecurity, given the advancements in artificial intelligence.
Earlier this summer, Google issued an important warning to all of its users about a new form of cybersecurity attack called “indirect prompt injections.”
The new threat puts individuals, businesses, and even governments at risk.
Google issues red alert to 1.8 billion Gmail users.
This warning reveals a hack where cyber criminals are using AI versus AI.
@scottpolderman Google issues red alert to 1.8 billion Gmail users. This warning reveals a hack where cyber criminals are using AI versus AI. #gmail #redalert #hacker #iphonetips
A New Threat Emerges
In an extensive blog post recently, Google issued a warning to all of its users about a new threat: indirect prompt injections.
“With the rapid adoption of generative AI, a new wave of threats is emerging across the industry with the aim of manipulating the AI systems themselves. One such emerging attack vector is indirect prompt injections,” Google wrote in its blog.
“Unlike direct prompt injections, where an attacker directly inputs malicious commands into a prompt, indirect prompt injections involve hidden malicious instructions within external data sources. These may include emails, documents, or calendar invites that instruct AI to exfiltrate user data or execute other rogue actions,” the blog post continued.
The Google blog post warned that this puts individuals and entities at risk.
“As more governments, businesses, and individuals adopt generative AI to get more done, this subtle yet potentially potent attack becomes increasingly pertinent across the industry, demanding immediate attention and robust security measures,” the blog post continued.
New Gmail Security Alert For All 2.5 Billion Users — Steps To Take Now
This story, originally published on August 11, has been updated with additional mitigation advice following the new wave of Gmail security alerts as users warn of a hybrid attack employing email and phone calls in an attempt at account takeover.
Google has already admitted that it is under attack from hackers thought to be part of the ShinyHunters extortion group, confirming a data breach that followed a successful compromise of a Google Salesforce database. Users of Google Cloud do not escape the security warnings either, with an advisory posting providing details of an attack path using what are known as dangling buckets to steal data and distribute malware. Gmail users cannot relax either, as they are also firmly in the hacker crosshairs.
This triad of cybersecurity incidents is completed as Gmail users take to online support forums to report a wave of new attacks. This time, the attackers are adopting a hybrid approach that includes phone calls and email messages, all purporting to be from official Google support staff. As convincing as they are dangerous, here’s what 2.5 billion Gmail users need to know and do about the security scams.
Expert Explains The Threat
During a recent interview with The Daily Record, tech expert Scott Polderman opened up a bit about the threat, explaining that a scam involves the use of another Google product, Gemini, an AI assistant known as a chatbot.
“So hackers have figured out a way to use Gemini – Google’s own AI – against itself,” Polderman told The Daily Record. “Essentially, hackers are sending an email with a hidden message to Gemini to reveal your passwords without you even realizing.”
“These hidden instructions are getting AI to work against itself and have you reveal your login and password information,” he continued.
Polderman explained why people are particularly susceptible to the threat.
“There is no link that you have to click [to activate the scam],” Polderman said. “It’s Gemini popping up and letting you know you are at risk.”
Gmail Security Alert For All 2.5 Billion Users
With an estimated 2.5 billion users, or around 30% of the world’s total population, it’s hardly surprising that cybercriminals are interested in hacking Gmail. After all, your email is a treasure trove of useful data that can be employed in further attacks. All email platforms are vulnerable to hacking, but Gmail, like Microsoft Windows, stands out due to its massive user base.
The latest round of attack warnings comes courtesy of postings to the Gmail subreddit, which describe in detail how scammers are impersonating Google in attempts to initiate an account password reset and take over your email inbox. I have reported on such attacks before, and the recent spike appears to follow the same methodology. The victims first receive a phone call from someone claiming to be from Google support, warning them that an unknown party has attempted to hack their Google account. The caller advises that a password reset is required to stop the so-called attack and protect the user from harm.
This is where the second part of the hybrid scheme comes into play, sending an account reset email to the user. The con itself is a simple one: that password reset email to your Gmail account includes a security verification code to prove it’s you trying to change the password. The attacker encourages the victim to read the code out over the telephone so that “Google support” can reset the victim’s account and protect them from the consequences of the “ongoing attack.” Of course, all they are really doing is hacking your account in real time, while on the phone with you.
Google Rolls Out New Security Measures
The good news is that Google is already moving forward with some new security measures to help keep its users safe from these threats.
“Google has taken a layered security approach introducing security measures designed for each stage of the prompt lifecycle. From Gemini 2.5 model hardening, to purpose-built machine learning (ML) models detecting malicious instructions, to system-level safeguards, we are meaningfully elevating the difficulty, expense, and complexity faced by an attacker,” Google wrote in its blog.
“This approach compels adversaries to resort to methods that are either more easily identified or demand greater resources.”
Google itself has said that the number of password-stealing threats delivered by email increased by 84% last year, a trend that it confirmed has “only intensified in 2025.”
Mitigating The Latest Gmail Account Attacks
Google has published a helpful guide with advice on how to tell if a Google security alert is genuine, but users are also advised to implement the following three account attack mitigation steps as a matter of some urgency.
The Google Security Checkup is, in my never humble opinion, the most efficient and effective way to ensure that the right security protections are in place to defend your account. It does this by checking what you have activated, and advising about issues that could leave you at risk. It is a fully automatic process, at least as far as checking your account is concerned, but you will need to follow the provided links to change settings as recommended.
Google’s Advanced Protection Program ensures that additional checks are made to help prevent even the most determined hackers from gaining access to your Gmail account. Checks such as blocking potential harmful downloads, restricting non-Google apps from accessing data from your Gmail account, and imposing additional steps into the account recovery process to prevent sophisticated attackers to stop hackers taking control.
And finally, using a Google passkey really can stop most account takeover attacks stone dead. “Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” a Google spokesperson
Gmail is available worldwide. Less than 3 issues were reported in the last hour. Stay informed about the latest Gmail outages (up or down) and service disruptions with our up-to-date community-based monitoring tool.
Critical security alert Google? Yes, it’s a useful security feature that intends to warn you about suspicious activity on your account. However, hackers can abuse it and launch phishing attacks against users to get their personal information.
Read Next
- Pingback: Is Gmail Down? Gmail warning today - TikTok Tutorial & Solve