Mallory

Google Introduces Trusted Contacts for Gmail Account Recovery

Updated October 18, 2025 at 12:11 PM (3 sources)


Google has launched a new account-recovery feature for Gmail and Google accounts that lets users designate trusted friends or family members as recovery contacts. It is intended for users who are locked out, whether because they forgot a password, lost the device holding their passkey, or had the account compromised. A user can nominate up to 10 contacts, each of whom must accept the request before they can act in that role.

The recovery flow works as follows. The locked-out user starts recovery and is shown a code, which they pass to the chosen contact themselves (by phone, in person, or whatever channel they trust). The contact receives a notification from Google and must select the matching code from a set of options; they cannot simply tap "approve". This number-matching step means a contact who has not actually heard the code from the user has nothing to select but a guess, which is what makes the scheme more resistant to social engineering than a one-tap confirmation. Each request expires after 15 minutes, so Google recommends choosing contacts who are likely to respond quickly. The contact never gains access to the account; they only vouch for the user's identity during that one request.

Google also advises picking contacts with strong security awareness. The residual risk is a contact who is talked into selecting a code that an attacker, rather than the account owner, has given them, and the company acknowledges that, while unlikely, sophisticated attackers could attempt this. User vigilance therefore still matters.

The feature is part of Google's broader push toward passkeys as the future of account authentication, and it addresses the main practical problem of passkeys: losing the device can leave a user with no way back in. Recovery contacts supplement the existing recovery options (recovery email and SMS) rather than replacing them, and can be set up from the Google account security settings on both desktop and mobile. As a separate aside in the same announcement cycle, Google Messages is also gaining spam alerts and text-privacy protections.

Overall, the approach trades on personal trust relationships while keeping technical safeguards (number matching, a short expiry, no account access for the contact) in place, and it gives users who have moved to passwordless authentication a more reliable way to regain access to critical accounts.

Related Stories

Google Expands Android Theft Protection With Stronger Authentication and Identity Check

Google announced updated **Android Theft Protection** capabilities aimed at reducing account takeover and financial fraud risks following device theft, with availability starting on devices running **Android 16+**. The updates strengthen authentication safeguards by making **screen lock guessing** harder (longer lockout periods after repeated failed PIN/pattern/password attempts) and by improving controls around lock behavior after excessive failed authentications, including a dedicated settings toggle for *Failed Authentication Lock*. Google also expanded **Identity Check**—which requires biometric authentication for sensitive actions when the device is outside trusted places—to cover a broader set of actions and apps that use the **Android Biometric Prompt**, including third-party banking apps and **Google Password Manager**. In parallel, Android’s *Remote Lock* capabilities were highlighted as part of the theft-response toolset, giving users more control to lock a lost or stolen device and limit further misuse.

1 month ago

Google Chrome Security Enhancements Against Account Takeover and Prompt Injection Threats

Google has introduced new layered security defenses in Chrome to address the growing risks of indirect prompt injection attacks and account takeovers, particularly as the browser integrates more agentic AI capabilities. Key features include the User Alignment Critic, which independently evaluates and vetoes potentially malicious actions by Chrome's AI agent, and Agent Origin Sets, which restrict the agent's data access to only relevant or user-approved sources. These measures are designed to prevent attackers from exploiting untrusted web content to hijack user sessions or exfiltrate sensitive data, and to mitigate site isolation bypasses that could compromise user privacy and security. In parallel, Google has acknowledged a surge in account takeover incidents targeting Chrome users, where attackers steal credentials, authentication codes, and session cookies to access synchronized data stored in the cloud. The company is urging users to strengthen their authentication methods and reconsider the use of browser-based password managers, as a single compromised account can expose a wide range of personal information. Google is also rolling out additional protections for Workspace accounts to counteract these threats and safeguard user data across its ecosystem.

3 months ago
Phishing Campaign Abuses Google Cloud Application Integration to Impersonate Google Emails

Cybercriminals have launched a sophisticated phishing campaign that exploits Google Cloud's Application Integration service to send emails that closely mimic legitimate Google notifications. By leveraging the service's "Send Email" task, attackers are able to distribute messages from the trusted `noreply-application-integration@google.com` address. Because the mail genuinely originates from Google's infrastructure, it passes SPF, DKIM and DMARC checks rather than evading them, which is why sender-authentication results alone cannot flag it. The phishing emails are crafted to resemble routine enterprise communications, including voicemail alerts and file access requests, increasing the likelihood that recipients will trust and interact with them. Over a two-week period, nearly 9,400 phishing emails targeted approximately 3,200 organizations across the U.S., Asia-Pacific, Europe, Canada, and Latin America. The attack chain employs a multi-stage redirection process to evade detection and maximize credential theft. Initial links in the emails direct users to legitimate Google Cloud URLs (`storage.cloud.google.com`), followed by a redirection to `googleusercontent.com` where a fake CAPTCHA is presented to defeat automated scanners. The final stage leads victims to a counterfeit Microsoft login page hosted on a non-Microsoft domain, designed to harvest user credentials. This campaign demonstrates the increasing abuse of trusted cloud infrastructure for phishing, and it highlights that organizations must scrutinize link destinations and content even when a message authenticates cleanly from a reputable domain.

2 months ago
