The Google Doc phishing scam that started spreading Wednesday compromised more than one million Gmail users.
“We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users,” a spokesperson said in a statement. “We were able to stop the campaign within approximately one hour.”
There were one billion active Gmail users every month as of February 2016, a figure that has undoubtedly increased since.
Gmail users started tweeting on Wednesday about the scam, in which email address firstname.lastname@example.org sent messages to users under the name of someone in their address book, inviting them to view what appeared to be a Google Doc.
If you clicked, the hacker gained access to your emails and email contacts, and was able to send and delete emails in your account, according to the Electronic Frontier Foundation.
Google responded Wednesday by releasing a new security feature for Gmail on Android that warns users when they click on a suspicious link in an email.
The hack highlighted a flaw in Google’s security design. When you look at the list of apps with access to your Gmail account, the page doesn’t distinguish between apps that are made by Google and apps that aren’t.
In a case where the app in question is masquerading as a Google product such as Google Docs, this design creates problems.
Massive oversight in allowing non-Google apps to call themselves Google, in Google's own web interface. Incredible. https://t.co/lZP3eGdnIy— SwiftOnSecurity (@SwiftOnSecurity) May 3, 2017
Here’s the full statement from a Google spokesperson about the extent of the attack:
“We realize people are concerned about their Google accounts, and we're now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”
Additional reporting by April Glaser.
This article originally appeared on Recode.net.