Google has issued an emergency alert urging roughly 2.5 billion Gmail users to change their passwords immediately, as reported by Gulf News. The alert follows attacks tied to third-party Salesforce integrations. Google said attackers abused OAuth tokens in a Salesloft–Drift connection and used those tokens to harvest business contact data. Criminals then used those details to fuel impersonation campaigns. The Gmail account warning ran across global outlets as administrators moved to contain the problem.
Timeline of the Security Campaign
Google’s Threat Intelligence Group reported the campaign ran from August 8 to August 18, 2025. Investigators saw attackers query Salesforce instances and extract names, email addresses and phone numbers. Google revoked the affected tokens, disabled the Drift Email integration and notified impacted customers. Warnings about Gmail passwords began to appear as users were told to check accounts closely, according to reports.
Risks and Phishing Threats
Google emphasised that core Gmail systems were not breached at scale. Security experts, however, warned that exposed contact data makes scams more convincing. Scammers impersonate support staff in phone calls and emails. They try to coax users into handing over one-time codes. They also try to trick users into installing malicious software. The heightened threat led media outlets to publish urgent guidance, as covered by Gulf News.
Targeted Attacks on Integrations
The intrusion shows attackers targeting integrations rather than brute-force Gmail logins. They ran structured SOQL queries to collect CRM fields. They searched fields for strings that might lead to keys and credentials. Salesloft and Salesforce published advisories. They removed or isolated the affected Drift integration. Administrators must revoke and rotate exposed tokens and keys.
Consumer Security Guidance

Google gave practical recommendations for consumers. Change your Google account password. Enable two-step verification or set up passkeys. Run the Security Checkup to review devices and app access. Consider Google’s Advanced Protection Program if you hold sensitive data. Google’s support pages explain how to change your password and run a password check. These steps reflect Google’s password security warning, as highlighted in media reports.
Act now if you are concerned. Sign in at myaccount.google.com and open Security. Under “How you sign in to Google,” select Password. Enter a strong, unique passphrase. Visit passwords.google.com and run the Password Checkup to identify reused or leaked credentials. Turn on two-step verification or enroll a passkey for device-bound login. Together, these actions are how to check your Google password.
Enterprise Remediation Steps
Enterprise administrators face more complex remediation. Revoke Drift and Salesloft OAuth tokens. Rotate API keys and refresh credentials. Search audit logs for unusual UniqueQuery events and odd SOQL runs. Treat any token tied to Salesloft Drift as potentially compromised. Salesloft and Salesforce disabled the Drift integration to stop the primary attack path.
Security teams offer blunt advice for users. Do not hand out codes or passwords to callers who claim to be from Google. Do not follow links in unsolicited messages asking for verification. Go to account settings directly if you are worried. For step-by-step help, use Google’s Help Centre pages rather than advice from unverified sources on social media. If needed, search there for how to check your Google password.
SaaS Ecosystem Vulnerabilities
The episode underscores how fragile interconnected SaaS ecosystems can be. Small configuration mistakes and broad permissions grant attackers deep reach. Organisations must enforce least privilege and shorten token lifetimes. Individuals should use unique passwords and a trusted password manager, and adopt passkeys where possible. Media coverage often framed the notices as a Gmail account warning to drive quick action.
Media Coverage and Public Guidance
News outlets and security blogs reiterated the stakes and the practical actions users should take. Headlines carrying Google’s Gmail password warning pushed many people to check their accounts within hours, as reported internationally. Analysts said Google’s guidance aims to prompt disciplined and immediate action. Reset weak passwords. Enable multi-factor protection. Run a password audit. Those simple steps respond to Google’s public password security warning and lower the odds of account takeover.
Government and industry incident response teams amplified the same guidance. National CERTs urged organisations to treat any token tied to Salesloft Drift as suspect. They advised reauthenticating all affected connections. Public notices reinforced vendor advisories and spurred administrators to act.
Audits and Investigations
Administrators should run focused audits immediately. Look for unusual API calls and odd user agents. Search for SOQL queries that enumerate accounts. Revoke refresh tokens, rotate keys, and freeze suspicious service accounts. These steps match Google’s published containment playbook for OAuth-driven theft.
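The audit described above and under Enterprise Remediation Steps can be sketched as a small log filter. This is an added example, not code from Google, Salesloft or Salesforce. The log rows are constructed, and the column names, the user-agent allowlist and the helper names are hypothetical rather than a real Salesforce export schema.

```python
import csv
import io
import re

# Constructed sample rows; column names are hypothetical, not a real export schema.
SAMPLE_LOG = """timestamp,event_type,connected_app,user_agent,query
2025-08-09T02:14:07Z,UniqueQuery,Drift,python-requests/2.32,SELECT COUNT() FROM Account
2025-08-09T02:14:31Z,UniqueQuery,Drift,python-requests/2.32,"SELECT Id, Name, Phone FROM Contact"
2025-08-09T09:02:11Z,UniqueQuery,Drift,ExampleIntegration/1.0,"SELECT Id FROM Lead WHERE Email = 'a@example.com' LIMIT 1"
2025-08-09T09:05:40Z,UniqueQuery,ReportingTool,Mozilla/5.0,SELECT COUNT() FROM Account
2025-08-10T03:40:02Z,Login,Drift,python-requests/2.32,
"""

COUNT_RE = re.compile(r"\bcount\s*\(", re.I)
FILTER_RE = re.compile(r"\b(where|limit)\b", re.I)


def reasons_for(row, expected_agents):
    """Return the reasons a single query event looks like enumeration."""
    reasons = []
    if COUNT_RE.search(row["query"]):
        reasons.append("record-count query")      # sizing an object before export
    elif not FILTER_RE.search(row["query"]):
        reasons.append("unfiltered bulk select")  # no WHERE or LIMIT clause
    if row["user_agent"] not in expected_agents:
        reasons.append("unexpected user agent")
    return reasons


def flag_events(log_text, suspect_apps=("Drift", "Salesloft"),
                expected_agents=("ExampleIntegration/1.0",)):
    """Flag UniqueQuery events issued through the suspect integrations."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Scope: only query events tied to the integrations named in the advisories.
        if row["event_type"] != "UniqueQuery" or row["connected_app"] not in suspect_apps:
            continue
        reasons = reasons_for(row, expected_agents)
        if reasons:
            findings.append((row["timestamp"], row["query"], reasons))
    return findings


if __name__ == "__main__":
    for ts, query, reasons in flag_events(SAMPLE_LOG):
        print(ts, "|", query, "|", ", ".join(reasons))
```

Each finding identifies a token to revoke and a time window to review in the wider audit trail; the allowlist should hold the user agents the integration is known to send in your own environment.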
According to Google’s Threat Intelligence Group (GTIG), the unauthorized activity started on August 8, 2025, and continued until at least August 18, 2025. Google detected suspicious activity and began a coordinated investigation with partners and third-party vendors. Investigators traced the activity to automated queries issued through compromised OAuth connectors used by a chat integration. The actors removed query jobs in several cases to avoid easy detection in logs. Companies using the affected integration were asked to inspect their audit trails immediately. Security firms recommend exporting relevant logs and using forensic tools to search for indicators of compromise. Incident response teams urge rapid rotation of secrets and immediate revocation of long-lived tokens.
Organisations should engage their security vendors and, where required, open support tickets with platform providers. Customers with multi-tenant deployments must also verify that inter-tenant permissions remain correctly restricted. Regulators and industry groups are monitoring how the situation develops and may publish further guidance. Taken together, the technical details and vendor actions underscore the need for faster detection and robust operational controls. Users who suspect wrongdoing should preserve copies of suspicious messages and provide them to investigators and to their security teams.
How to Check Your Google Account Security
Individuals can check saved credentials at passwords.google.com and use the Security Checkup at myaccount.google.com/security. Those tools show saved passwords, reused entries and any passwords Google believes appeared in a breach. If you need help, use Google’s Help Centre. Search for how to check your Google password and follow Google’s step-by-step guidance.
The risk environment will not calm overnight. Threat actors sell and reuse contact lists. They scale phishing campaigns fast. Google issued a public notice to encourage a wide audience to act, as reported by Gulf News. The Gmail password warning and the Gmail account update warning referenced by some outlets give the same practical advice. Change weak passwords. Enable multi-factor authentication. Review connected apps now.
Fast Path to Containment
Google’s guidance and the responses from Salesloft and Salesforce outline a fast path for containment and recovery. Follow the vendor steps. Revoke tokens. Rotate credentials. Harden access controls and monitor logs. Google’s password security warning and the public Gmail account update warning are reminders that basic hygiene still blocks most attacks. Report suspicious messages to Google and to your national CERT.
Act now: secure your account, report suspicious messages, and inform your organisation’s security team so they can investigate and contain threats without delay.