
"Most Gmail Users Required to Make Changes: Decoding the Major Gmail Warning on 650 Traps, Password Limitations, and the Dawn of Passkeys"

August 27, 2025, 01:11

Introduction——The warning tone has intensified

"Most Gmail users should change their passwords." This strong phrasing has drawn attention because password-based account takeover remains effective; it still "works" for attackers. Recently, "deception + reuse" has become quicker and more reliable than "advanced zero-click vulnerabilities." Google is also shifting the focus of its recommendation from **"improve your password" to "stop depending on passwords (passkeys)"**. (blog.google)


What's Happening——Three Facts

  1. Corporate-related data breaches as a trigger
    In June, reports emerged that Google's Salesforce integration environment had been targeted by attackers, leading to a rise in phishing and vishing (phone scams) that use the stolen contact information as a foothold. Google explained that "passwords themselves were not included," but with "contact information + a credible pretext," it is not difficult to extract passwords later over the phone or by guiding the victim through on-screen operations. (PCWorld, Tom's Guide)

  2. "650" Spoof Calls
    On Reddit, reports continue of calls claiming to be "Google Support" from 650 numbers (the California area code, which gives the impression of Google headquarters). With prompts that mimic "official procedures," such as "reset your password now" or "confirm the change to your recovery email," accounts are hijacked. Google never asks for passwords over the phone. (Reddit)

  3. User Reality of "Not Updating"
    Only 36% say they "regularly update their passwords." This figure, from a Google × Morning Consult survey, also reflects the reality of password fatigue. Moreover, younger generations are moving from passwords to passkeys or social logins, gradually overwriting the very concept of "updating." (Morning Consult)


Google's Message——"Change or Quit"

Google repeatedly emphasizes a two-pronged approach: **"If you change it, make it strong, unique, and protected by two-factor authentication"** and **"if you can, switch to passkeys."** Passkeys are highly resistant to phishing and offer the same experience as unlocking a device with a fingerprint, face, or PIN, which makes them faster than traditional 2SV. The company also stresses Security Checkup and the Advanced Protection Program. (blog.google, PCWorld)


Social Media Reactions——Three Camps: "Passkey Advocates," "Cautious," and "On-the-Ground"

  • Passkey Advocates: The community is generally positive, saying "Moving to passkeys is the right path, rather than 'a new strong password'" and "Passkeys are the strongest defense against social engineering over the phone." The idea that not having a password at all is itself a countermeasure is spreading. (Reddit)

  • Cautious Camp: On the other hand, there are concerns about day-to-day operation, such as "The recovery flow is unclear" and "What about multiple devices and TV apps?" For passkey operation, there is a strong call to combine backup devices, recovery codes, and physical security keys. (Ars Technica)

  • On-the-Ground Camp: Reddit carries detailed first-hand reports of attempted fraud: "Received a call from 650-**** about a 'number change request'" and "Was pressured to approve a two-factor prompt." The method of **"cleverly overlaying official notifications and UIs"** echoes past high-value fraud cases.


Action Plan: Immediately, Today, This Week

Immediately (5 minutes)

  • Do not respond to unknown calls, SMS, or emails. Google never asks for passwords over the phone.

  • Identify risky settings and weak/leaked passwords with Google Security Checkup.

  • Check **Gmail's "Recent Security Activity"** and force a logout of any login you do not recognize. (PCWorld)


Today (15-30 minutes)

  • Set a new, unique, long password for each service: at least 12-16 characters, made of non-dictionary character sequences plus symbols.

  • Switch two-factor authentication to an app (Authenticator) or a physical security key, keeping SMS only as a fallback.

  • Update your recovery email and phone number, and discard backup codes you no longer need. (blog.google)


This Week (60 minutes)

  • Convert Google account to passkeys (register on main devices, replicate on sub-devices).

  • Consider enrolling in Advanced Protection if you meet the requirements (journalists, operators, etc.).

  • For business use, review the security policy for the whole domain (SSO, device management, risk-based authentication). (blog.google, PCWorld)


How to "Detect" Spoof Calls

  • Do not trust calls from "650" unconditionally.

  • If the caller says **"do it immediately"** or **"read me the code,"** it is 100% fake.

  • Always call back from the official support contact. Do not click on SMS links.

  • Always verify that a Google push approval matches an action you yourself just took. (Tom's Guide, Reddit)


Frequently Asked Questions (FAQ)

Q. Do passwords disappear when using passkeys?
A. Existing passwords can be set to **"not used."** For recovery, it is practical to keep a physical security key or a passkey on another device. (blog.google)


Q. What about TV apps or old devices?
A. There are alternative routes such as QR codes and temporary codes, but this is still a transitional period before "everything can be done with passkeys." Operationally, a dual approach of passkeys + robust recovery methods is the reassuring choice. (Ars Technica)


Q. What if it's already "leaked"?
A. Change the password everywhere it was reused. Audit with a password manager and run Security Checkup several times. Pay special attention to phone-based deception. (PCWorld)
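The "Today" step above sets a concrete rule (at least 12-16 characters, non-dictionary sequences plus symbols, unique per service), and this answer adds "change it everywhere it was reused." The following audit script is an added example for this article, not tooling from Google or the article's author: it checks each stored password against that rule and reports reuse across services. The word list and the credential set are constructed for the demo; a real audit would load a full dictionary or leaked-password list and read the credentials from a password-manager export.

```python
from collections import defaultdict

# Constructed mini word list for the demo; a real audit would load a full
# dictionary or leaked-password list (assumption, not from the article).
COMMON_WORDS = {"password", "welcome", "summer", "google", "letmein",
                "dragon", "monkey", "qwerty"}

MIN_LENGTH = 12  # the article's lower bound (12-16 characters)
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/|~`'\"\\")


def contains_dictionary_word(password, words=COMMON_WORDS, min_len=5):
    """True if any word of at least min_len letters from the list appears
    inside the password (case-insensitive)."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def check_password(password):
    """Return the list of policy failures; an empty list means the password
    meets the article's rule (length, symbol, no dictionary word)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch in SYMBOLS for ch in password):
        failures.append("no symbol")
    if contains_dictionary_word(password):
        failures.append("contains a dictionary word")
    return failures


def find_reuse(credentials):
    """Map each password used on more than one service to the sorted list of
    those services; credentials is a dict of service -> password."""
    services_by_password = defaultdict(list)
    for service, password in credentials.items():
        services_by_password[password].append(service)
    return {pw: sorted(s) for pw, s in services_by_password.items() if len(s) > 1}


def audit(credentials):
    """Per-service report: policy failures plus, for a reused password, the
    other services that share it (those are the ones to change as well)."""
    reused = find_reuse(credentials)
    report = {}
    for service, password in credentials.items():
        failures = check_password(password)
        if password in reused:
            others = [s for s in reused[password] if s != service]
            failures.append("reused on: " + ", ".join(others))
        report[service] = failures
    return report


# Constructed sample: a password-manager export reduced to service -> password.
SAMPLE_CREDENTIALS = {
    "gmail": "Summer2024!",               # too short and built on a dictionary word
    "bank": "Summer2024!",                # the same password reused on a second service
    "forum": "xk7Qp#2Lm9vTz",             # meets the rule
    "shop": "correcthorsebatterystaple",  # long, but no symbol
}

if __name__ == "__main__":
    for service, failures in audit(SAMPLE_CREDENTIALS).items():
        print(f"{service:6} {'OK' if not failures else '; '.join(failures)}")
```

The dictionary check is deliberately a substring match rather than an exact match, because "Summer2024!" is exactly the kind of "word plus year plus symbol" pattern that passes naive length-and-symbol rules; the reuse report lists the other services so the user knows where else to change the password.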


Conclusion——"Change" or "Graduate"

The headline says **"Change," but the long-term solution is "Graduate (to passkeys)."** With an **update rate of only 36%**, an account can be breached again with a single phone call or one link click. Let's proceed with both the "human-side update" of not responding to unknown contacts and the "technical-side update" of passkeys and strong two-factor authentication.

© Copyright ukiyo journal - 日本と世界をつなぐ新しいニュースメディア All rights reserved.