More than a million people were affected by the Google Docs phishing attack

The Google Doc phishing scam that started spreading Wednesday compromised more than one million Gmail users.

“We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users,” a spokesperson said in a statement. “We were able to stop the campaign within approximately one hour.”

There were one billion active Gmail users every month as of February 2016, a figure that has undoubtedly increased since.

Gmail users started tweeting on Wednesday about the scam, in which email address hhhhhhhhhhhhhhhh@mailinator.com sent messages to users under the name of someone in their address book, inviting them to view what appeared to be a Google Doc.

If you clicked, the hacker gained access to your emails and email contacts, and was able to send and delete emails in your account, according to the Electronic Frontier Foundation.

Google responded Wednesday by releasing a new security feature for Gmail on Android that warns users when they click on a suspicious link in an email.

The hack highlighted a flaw in Google’s security design. When you look at the list of apps with access to your Gmail account, the page doesn’t distinguish between apps that are made by Google and apps that aren’t.

In a case where the app in question is masquerading as a Google product such as Google Docs, this design creates problems.

Here’s the full statement from a Google spokesperson about the extent of the attack:

“We realize people are concerned about their Google accounts, and we're now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”

Additional reporting by April Glaser.

This article originally appeared on Recode.net.

Will you support Vox’s explanatory journalism?

Most news outlets make their money through advertising or subscriptions. But when it comes to what we’re trying to do at Vox, there are a couple reasons that we can't rely only on ads and subscriptions to keep the lights on.

First, advertising dollars go up and down with the economy. We often only know a few months out what our advertising revenue will be, which makes it hard to plan ahead.

Second, we’re not in the subscriptions business. Vox is here to help everyone understand the complex issues shaping the world — not just the people who can afford to pay for a subscription. We believe that’s an important part of building a more equal society. We can’t do that if we have a paywall.

That’s why we also turn to you, our readers, to help us keep Vox free. If you also believe that everyone deserves access to trusted high-quality information, will you make a gift to Vox today?

One-Time Monthly Annual

$5/month

$10/month

$25/month

$50/month

Other

$

Yes, I'll give $5/month

Yes, I'll give $5/month

We accept credit card, Apple Pay, and Google Pay. You can also contribute via