Up to 1 Million Gmail Users Affected in Massive Phishing Attack

Google downplayed the enormity of the scam in a series of statements.

Sundar Pichai, Google's CEO, speaks on stage during a Google event in January 2017. (Cathal McNaughton / Reuters)

A sophisticated scam against Gmail users on Wednesday afternoon may have affected as many as 1 million people, Google suggested in a statement late Wednesday night.

“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation,” Google said in a statement emailed by its communications team. “We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users.”

Google’s characterization is somewhat misleading, however, given the massive scale of its business. Gmail said it had more than 1 billion monthly active users last year. So if “fewer than 0.1 percent” of its users were affected by Wednesday’s phishing scam, that implies somewhere around 1 million users were affected.

The widespread attack replicated through people’s Gmail contacts when they clicked on a bogus Google Doc that appeared to have been shared by a known contact. Part of what was so startling about the scam was how convincing it was. That’s because hackers used a deceptively named web app—working from within Google’s system for developers. By calling a malicious third-party app “Google Docs,” the attackers were able to trick people into thinking they were being asked to click on a legitimate document, when in fact they were granting account access to hackers.
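The mechanism described above, a third-party OAuth app that borrows a first-party product name, suggests a simple defender-side check. The following is an added example, not code from the article or from Google: it reviews a constructed list of third-party app grants, like the list Google's Security Checkup shows, and flags apps named exactly like a Google product whose publisher is not Google, plus apps holding contact or mail scopes. The publisher domains, the product-name list and the sample grants are assumptions.

```python
import re
from dataclasses import dataclass

# Real Google OAuth scope strings for the access the article describes (contacts, mail).
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/contacts.readonly", "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
}
# First-party product names an impostor app might borrow (constructed, normalized list).
FIRST_PARTY_NAMES = {"googledocs", "googledrive", "gmail", "googlesheets"}
GOOGLE_PUBLISHER_DOMAINS = {"google.com"}  # assumption: how a first-party publisher appears

@dataclass(frozen=True)
class Grant:
    app_name: str          # display name shown on the consent screen
    publisher_domain: str  # domain of the developer who registered the app
    scopes: frozenset      # scopes the user consented to

def normalize(name: str) -> str:
    """Strip case, spacing and punctuation so 'Google  Docs.' compares as 'googledocs'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def is_impostor(grant: Grant) -> bool:
    """True for an app named exactly like a Google product but not published by Google."""
    return (normalize(grant.app_name) in FIRST_PARTY_NAMES
            and grant.publisher_domain not in GOOGLE_PUBLISHER_DOMAINS)

def review_grants(grants):
    """(app_name, verdict): 'revoke' impostors, 'review' apps holding sensitive scopes."""
    verdicts = []
    for g in grants:
        if is_impostor(g):
            verdicts.append((g.app_name, "revoke"))
        elif g.scopes & SENSITIVE_SCOPES:
            verdicts.append((g.app_name, "review"))
        else:
            verdicts.append((g.app_name, "ok"))
    return verdicts

def sample_grants():
    """Constructed sample resembling a Security Checkup app list; domains are placeholders."""
    return [
        Grant("Google Docs", "attacker-app.example", frozenset({
            "https://www.googleapis.com/auth/contacts.readonly", "https://mail.google.com/"})),
        Grant("Gmail Backup", "backup-vendor.example",
              frozenset({"https://www.googleapis.com/auth/gmail.readonly"})),
        Grant("Calendar Sync Tool", "partner.example",
              frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    ]
```

The exact-name match deliberately leaves a legitimately named app such as "Gmail Backup" at "review" rather than "revoke", so the list still needs a human decision for apps that merely hold broad scopes.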

“The key difference between this and a very simple email phishing scheme is that this doesn’t just take you to a bogus Google page and collect your password—something you could detect by checking the page URL,” Adi Robertson wrote for The Verge.

The other mystery about the attack was what it intended to do. Many phishing schemes are designed to steal people’s passwords or other sensitive information, but Google says no data other than contact information was exposed in the attack.

Google was able to halt the scam within “approximately one hour,” a spokesperson said.

To double check the security of a Gmail account—and to revoke access to any third-party apps, including if you inadvertently clicked on a fake document yesterday—visit Google’s Security Checkup page.