A sophisticated scam against Gmail users on Wednesday afternoon may have affected as many as 1 million people, Google suggested in a statement late Wednesday night.
“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation,” Google said in a statement emailed by its communications team. “We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users.”
Google’s characterization is somewhat misleading, however, given the massive scale of its business. Gmail said it had more than 1 billion monthly active users last year. So if “fewer than 0.1 percent” of its users were affected by Wednesday’s phishing scam, that implies somewhere around 1 million users were affected.
The widespread attack replicated through people’s Gmail contacts when they clicked on a bogus Google Doc that appeared to have been shared by a known contact. Part of what was so startling about the scam was how convincing it was. That’s because hackers used a deceptively named third-party web app—registered through Google’s own developer platform, so the permission prompt came from Google itself. By calling a malicious third-party app “Google Docs,” the attackers were able to trick people into thinking they were being asked to open a legitimate document, when in fact they were granting the app access to their account.
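The mechanism described above is an app-impersonation problem in OAuth consent: the permission prompt is genuine, only the app’s display name is deceptive. An administrator can look for that pattern by auditing which third-party apps users have authorized and flagging any whose name matches a first-party Google product but whose publisher is not Google, or which hold mail and contacts scopes. The following Python script is an added example, not code from the article or from Google; the grant records, the `publisher_domain` field and the product-name list are constructed for illustration, while the scope URIs are real Google API scope names.

```python
# Added example (not from the article): audit OAuth app grants for apps that
# impersonate first-party Google products or hold mail/contacts access.
# All grant records below are constructed sample data.
from dataclasses import dataclass

# Assumption: first-party apps are identified by a verified publisher domain.
GOOGLE_PUBLISHER_DOMAINS = {"google.com"}

# Product names that a third party has no legitimate reason to use verbatim
# as an app name (constructed list; extend for your environment).
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

# Real Google API scopes that grant read/write access to mail and contacts.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


@dataclass
class OAuthGrant:
    user: str
    app_name: str
    publisher_domain: str   # constructed field: verified publisher of the app
    scopes: list


def normalize_name(name):
    """Collapse case and whitespace so 'Google  DOCS ' matches 'google docs'."""
    return " ".join(name.strip().lower().split())


def impersonates_first_party(grant):
    """True when a non-Google publisher uses a first-party product name."""
    return (normalize_name(grant.app_name) in FIRST_PARTY_NAMES
            and grant.publisher_domain not in GOOGLE_PUBLISHER_DOMAINS)


def sensitive_scopes(grant):
    """Return the subset of the grant's scopes that expose mail or contacts."""
    return sorted(s for s in grant.scopes if s in SENSITIVE_SCOPES)


def audit(grants):
    """Return (user, app_name, reasons) for every grant worth reviewing."""
    findings = []
    for g in grants:
        reasons = []
        if impersonates_first_party(g):
            reasons.append("third-party app uses a first-party product name")
        sens = sensitive_scopes(g)
        if sens:
            reasons.append("sensitive scopes: " + ", ".join(sens))
        if reasons:
            findings.append((g.user, g.app_name, reasons))
    return findings


# Constructed sample grants: one genuine first-party app, one impersonator,
# one ordinary third-party app with a narrow scope.
SAMPLE_GRANTS = [
    OAuthGrant("alice@example.com", "Google Docs", "google.com",
               ["https://www.googleapis.com/auth/drive"]),
    OAuthGrant("bob@example.com", "Google Docs", "not-google.example",
               ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/contacts"]),
    OAuthGrant("carol@example.com", "Calendar Helper", "calhelper.example",
               ["https://www.googleapis.com/auth/calendar.readonly"]),
]

if __name__ == "__main__":
    for user, app, reasons in audit(SAMPLE_GRANTS):
        print(f"{user}: '{app}' -> {'; '.join(reasons)}")
```

Only the second grant is reported: it combines a first-party name with a non-Google publisher and holds mail plus contacts scopes. Individual users can review and revoke the same kind of grant themselves at https://myaccount.google.com/permissions.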