Update: Google has issued a new statement, explaining that it's taking action to protect users against this phishing attack.
"We realize people are concerned about their Google accounts, and we're now able to give a fuller explanation after further investigation," a Google spokesperson told Refinery29. "We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup."
This story was originally published on May 3, 2017, at 4:20 p.m.
This afternoon, scores of people — mainly those who work in the media industry — reported receiving an email that looks something like this (this one's the one I got at 2:29 p.m.):
It's an invitation from an email address you've corresponded with (in my case, it was a friend of a friend with whom I've exchanged exactly one email) to view a Google Doc. What tipped me off to the fact that it was a scam? Mostly the weird multiple h's in the BCC field.
It's been reported that this appears to be a widespread phishing attack, with several IT experts describing it as "huge [and] startlingly fast-moving," according to The Atlantic. On Google's subreddit, engineers are saying that the issue appears to have just been resolved.
A Google spokesperson told R29: "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."
It's unclear exactly what the purpose of this scam was, but phishing is often used to gain unauthorized access to private emails, accounts, and information. If you're worried about your own account security, you can adjust your permissions on Google's security page by clicking "manage apps" and revoking access to untrusted apps. And, of course, never, never click on anything that looks even the slightest bit "phishy."
Most of those who were affected first noticed the scam around 3 p.m.
PSA: There's a pretty nasty phishing attempt hitting lots of newsrooms right now. It looks like a Google Docs request. — Alex Fitzpatrick (@AlexJamesFitz) May 3, 2017
There's a widespread Google Docs phishing scam affecting all kinds of people (e.g., not just gov't or journalists) today. Be careful. — Waldo Jaquith (@waldojaquith) May 3, 2017
I got a Google Doc invite from a BuzzFeed email address, clicked on it, and it spammed everyone I’ve ever emailed — Joe Bernstein (@Bernstein) May 3, 2017
Journalists being journalists, the phishing scam became an excuse to post meme upon meme.
the new Washington status marker is whether or not you got the phishing google doc — Rosie Gray (@RosieGray) May 3, 2017
"And I couldn't help but wonder... if he was willing to share a Google Doc, why wasn't he willing to share his life?" pic.twitter.com/jcRpu3bps5 — Anne T. Donahue (@annetdonahue) May 3, 2017
I'd like to share a Google Doc with you pic.twitter.com/jPOuUDNOjY — David Mack (@davidmackau) May 3, 2017
When that Google Doc shows up in your inbox pic.twitter.com/DdHFEYUNHv — Alex Kantrowitz (@Kantrowitz) May 3, 2017
The latest statement from Gmail is that it is investigating the scam.
"We are investigating a phishing email that appears as Google Docs," according to the official Gmail Twitter account. "We encourage you to not click through, & report as phishing within Gmail."
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail. — Gmail (@gmail) May 3, 2017