Google Claims Gmail Security Warnings Overblown

John Lister's picture

Google says stories claiming it has warned all Gmail users about a security issue with the service are highly misleading. It says claims of a major data breach affecting all users are wide of the mark.

The stories appeared to stem from a very genuine breach at Salesforce, a major operator of customer relationship management tools. Salesforce has suffered a number of successful targeted attacks in recent months. It's an attractive target as it handles data for numerous big-name companies. (Source: withsecure.com)

Google Ads Data Affected

In many cases the attacks haven't involved software vulnerabilities but rather scammers posing as IT staff and tricking employees into completing an app setup page that creates a security code (presumably for remote access). The scammer could later use this code to make it easier to access databases without triggering multifactor authentication, as would normally happen when somebody outside of the company's network tries to log in.

The confusion comes from the fact that one such attack saw the scammers get access to around 2.5 million records related to Google's advertising platforms. Google's own security team revealed the attack.

Many news sites reported the story and noted that although the breached data wasn't an immediate threat in itself (with no passwords exposed), it could make it much easier for further targeted attacks against businesses whose records were among those exposed. For example, it could allow scammers to pose more plausibly as Google employees and try to trick people into handing over login details.

Misleading Headlines

Some reports went a step further and either implied or stated that Google had specifically warned all Gmail users - of which there are reportedly 2.5 billion worldwide - to be alert. Most explained the story in full, but the headlines and introductions didn't always do enough to make it clear that the risks were not specific to Gmail or unique to this incident.

Google has now issued a statement saying: "We want to reassure our users that Gmail's protections are strong and effective. Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false.

"While it's always the case that phishers are looking for ways to infiltrate inboxes, our protections continue to block more than 99.9% of phishing and malware attempts from reaching users." (Source: blog.google)

What's Your Opinion?

Had you heard about the Salesforce breaches? Had you seen reports suggesting Gmail users were at particular or enhanced risk? Do overblown warnings matter if they result in better security practices by users anyway?
