On August 5, 2025, Google announced on its Google Cloud blog a metadata leak that impacted Gmail, the world’s most used email service. Although the company gave assurances that user passwords were not compromised, the breach has acted as a catalyst for a wave of unprecedented cyberattacks spreading to Outlook/Hotmail, Yahoo Mail, and millions of corporate and local provider email servers.
The scale of the incident, along with its collateral effects, has highlighted a worrying reality: email remains one of the weakest points in global digital security, despite being an essential tool for over 4 billion users worldwide.
Gmail: a leak that triggered the domino effect
Google’s transparency was key: it acknowledged that the leaked data did not include passwords, but did contain sensitive information about account usage. With this metadata (locations, access habits, common devices, IP addresses), attackers launched highly plausible targeted phishing campaigns.
On Reddit and cybersecurity forums, users reported calls from supposed Google agents requesting an “account reset” as a security measure. Simultaneously, emails started circulating with logos identical to those of Google, aimed at high-value corporate profiles.
- Potentially exposed users: 1.8 billion.
- Main attack vector: phone and email phishing.
- Immediate consequence: credential theft and account lockouts.
Outlook and Hotmail: the most fragile corporate link
With over 400 million active users, Microsoft’s email services have become the primary business target for attackers. The problem is twofold:
- Outlook is often linked to Microsoft 365, providing access to Teams, OneDrive, and SharePoint.
- The corporate environment is especially attractive because a single compromised mailbox can open the door to the entire organization.
Among the most commonly detected attacks are:
- Fake “account lock” emails demanding credential revalidation.
- Malicious attachments disguised as invoices or shared documents.
- Fake Microsoft security alerts with links to cloned portals.
Yahoo Mail: old accounts, but still valuable
Although Yahoo is no longer the powerhouse it once was, its 220 million active users remain an attractive target. Most compromised accounts are linked to old registrations on forums, online stores, or secondary services, widening the attack surface for cybercriminals.
The risk here is the cascade effect: many users keep their Yahoo addresses as recovery accounts for more modern services, facilitating identity takeover attacks.
What about proprietary email servers? The double-edged sword
More and more companies opt to manage their own email on dedicated servers or in a private cloud (using Postfix, Dovecot, Zimbra, on-premises Exchange, etc.). The advantage is data sovereignty and full control over the infrastructure. The problem: security relies almost entirely on the system administrator.
Main risks on proprietary servers
- Internal phishing: a compromised mailbox can be used to send spam from the domain.
- Spoofing: without proper SPF, DKIM, and DMARC configurations, it’s easy to fake addresses.
- Brute force: millions of automated attempts to crack weak passwords.
- Software compromise: exploits against unpatched Postfix, Exim, or Exchange installations.
- Blacklist reputation: if the server is used for spam, the domain/IP gets globally blocked.
Essential best practices
- SPF, DKIM, and DMARC: basic configurations to protect the domain.
- Mandatory TLS: encrypt both client-to-server and server-to-server connections.
- Fail2ban and WAF: protection against brute-force attacks and web exploits.
- 24/7 monitoring: review logs, accesses, and anomalies.
- Passkeys and 2FA: eliminate passwords as the sole point of failure.
- Periodic backups: offline copies for recovery after an attack.
Comparison: who is most exposed
Email Service | Active Users | Main Attack Vector | Current Risk Level |
---|---|---|---|
Gmail | 1.8 billion | Targeted phishing, fake calls | Very high |
Outlook/Hotmail | 400 million | Fake emails + malicious attachments | High |
Yahoo Mail | 220 million | Impersonation + old accounts | Medium-high |
Own servers | N/A (millions of companies) | Weak configurations + spoofing | Variable (depending on management) |
Lessons learned: dangerous concentration and dependency
The Gmail incident shows that three companies (Google, Microsoft, and Yahoo) control over 80% of global personal email. A single breach could put more than 2.5 billion users at risk.
The alternatives include:
- Diversify services: use custom domains and sovereign providers.
- Standardize advanced security measures (SPF, DKIM, DMARC, MTA-STS).
- Adopt passkeys as a universal standard.
- Continuous training: users remain the weakest link.
Immediate recommended actions for any user
- Enable passkeys or 2FA.
- Review session and device activity.
- Change repeated passwords.
- Use password managers.
- Never share credentials via phone or email.
- Check if your email is in leaked databases.
Expanded Frequently Asked Questions
1. Were passwords leaked in Gmail?
No. Only metadata, but enough to launch credible phishing attacks.
2. Were Outlook and Yahoo also compromised?
No recent breaches have been confirmed, but massive phishing campaigns followed Gmail’s leak.
3. Is it safer to have email on a private server?
It depends on management. Properly configured, it offers sovereignty; poorly managed, it can be less secure.
4. What should I do if I run my own email server?
Configure SPF, DKIM, DMARC, use TLS, monitor access logs, and patch regularly.
5. Should I migrate to passkeys now?
Yes. Google, Microsoft, and Apple are pushing this standard as a password replacement.
6. What if I get a call from someone impersonating Google or Microsoft?
Hang up. No company asks for credentials over the phone.
7. How do I know if my email is compromised?
Tools like “Have I Been Pwned” or Google’s Security Checkup can help.
8. Can I trust automatic spam filters?
They help, but are not foolproof. Human judgment remains necessary.
9. What should I do if my account is taken over?
Contact support, recover with secondary authentication, and review recent accesses.
10. Why do hackers still use email as an attack vector?
Because it is universal, cheap to exploit, and still the most used tool for digital communications.
11. What is the difference between phishing and spear phishing?
Phishing is massive and generic; spear phishing is targeted and uses personalized information.
12. Which companies are at higher risk?
All, but especially banks, law firms, clinics, and tech companies: sectors holding sensitive data.