clock menu more-arrow no yes

What to do if your Google account was phished in today’s ‘Google Docs’ attack

Revoke access immediately.

South Korean Anglers Compete In The Ice Festival's Mountain Trout Competition Chung Sung-Jun / Getty

The massive phishing campaign targeting Gmail users that spread across the internet today has been disabled by Google.

The hack was carried out by sending an email that posed as an invitation to join a Google Doc by someone in your contact list.

When users clicked on the Google Doc link, they were sent to a page that actually goes to Google.com. It then requests permission for the app that the attacker wrote to access your Gmail account.

“The attacker was then given permission to read all your emails, view your contacts and send emails on your behalf and delete emails in your inbox without ever having your login information,” said Cooper Quintin, a staff technologist at the Electronic Frontier Foundation, who says he received over 400 emails from people who were compromised in the hour after news of the attack broke.

The hack works whether or not you’ve changed your password or have two-factor authentication enabled, said Quintin.

Here’s what to do if you have been (or think you have been) compromised by the attack:

  1. Go to your Google account management page.
  2. If you see an app called Google Docs, click on it to opt to revoke permission for the app to access your account.
  3. Then change your password, just to be safe.
  4. Enable two-factor authentication on your account as an extra precaution. Two-factor authentication is the option to text a code to a phone number on file for your account so only a person with both your password and your cellphone can access your account.

“It’s totally unclear what this app was doing,” said Quintin. “We still don’t know what the purpose of this phishing campaign was.”

It’s still okay to use Google Docs, since that service wasn’t compromised; the email merely pretended to be from Google Docs. Still, it’s probably best not to share any Google Docs with anyone today while people are still responding to the hack, said Quintin.

Here’s the statement from Google on the attack:

We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.


This article originally appeared on Recode.net.

Sign up for the newsletter Sign up for The Weeds

Get our essential policy newsletter delivered Fridays.