
Hackers Can Access Gmail Without Stealing Your Password. Here's How.
A sophisticated hacking group bypassed traditional Gmail security by stealing OAuth tokens instead of passwords, revealing a critical gap in how we think about account protection.
Source: GetCyberRight Intelligence
Original headline: OAuth Gmail Access Myth Busted
Plain-English summary by GetCyberRight. Read the full report at the source above.
OAuth Gmail Access Myth Busted
A threat group called ToddyCat has shattered a common security assumption: that OAuth authentication makes Gmail accounts virtually unbreachable. Using malware named Umbrij, they've been accessing corporate Gmail accounts without stealing a single password. Instead, they exploit legitimate OAuth tokens that Google's own systems treat as authorized access.
The Details
Most people understand the basics of account security: use strong passwords, enable two-factor authentication, and watch for phishing emails. But ToddyCat's attack method bypasses all of these safeguards by targeting something else entirely.
OAuth tokens are digital permission slips that let applications access your accounts without needing your password. When you click "Sign in with Google" on a website, you're creating an OAuth token. These tokens are supposed to be secure because they're managed by Google itself, not stored on random websites.
Here's the problem: once ToddyCat's Umbrij malware infects a computer, it steals these OAuth tokens directly from the device. The malware then uses Google's official API (the legitimate tool developers use to build Gmail integrations) to access email accounts. To Google's systems, this looks completely normal. There's no failed login attempt, no suspicious password entry, and no phishing link that security training would help you spot.
Who Is Affected
This attack primarily targets professionals using corporate Gmail accounts, particularly those in organizations that might interest sophisticated threat groups. However, the technique itself works on any Gmail account that uses OAuth tokens.
Anyone who uses "Sign in with Google" for multiple services should understand this risk. If your computer becomes infected with malware, your OAuth tokens become potential targets. Home users, remote workers, and small business owners all fall into this category.
What You Should Do Right Now
Review your Google account's connected apps. Visit myaccount.google.com/permissions and remove access for any apps you don't actively use or recognize. Do this monthly.
Check your Gmail activity regularly. Go to gmail.com, scroll to the bottom, and click "Details" under "Last account activity." Look for access from unfamiliar locations or devices.
Update your computer's security software immediately. Ensure your antivirus and anti-malware tools are current and running automatic scans. This attack starts with malware infection.
Enable Google's Enhanced Safe Browsing. Go to myaccount.google.com/security and turn on this feature. It provides stronger protection against malicious downloads that could contain token-stealing malware.
Sign out of all devices periodically. In your Google account security settings, use "Manage all devices" to sign out of everything, then sign back in only where needed. This invalidates the old sign-in sessions on those devices; tokens granted to third-party apps are handled by the connected-apps review above.
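The checklist above comes down to one question: did an OAuth token get used from an app or a place you do not recognise, even though every access looked like a normal, successful login? The following script is an added illustration (not code from the GetCyberRight report or from Google) that runs that question over a few constructed activity records; the record fields, the approved-app and usual-location lists, and every sample line are assumptions made up for the example, not Google's real export format.

```python
# Added example: triage account-activity records for OAuth-token access that
# the account owner would not expect. All data and the record schema below
# are constructed for illustration, not Google's actual log format.
import json
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    location: str
    reason: str
    action: str  # which checklist step addresses it

# Constructed baseline: apps the owner approved and places they usually sign in from.
KNOWN_APPS = {"alice@example.com": {"Mail client on laptop", "Calendar sync"}}
KNOWN_LOCATIONS = {"alice@example.com": {"Berlin, DE"}}

# Constructed activity records (one JSON object per line). Every one of them is a
# successful access: there is no failed login or password prompt to key on.
SAMPLE_ACTIVITY = """
{"user": "alice@example.com", "auth": "password+2fa", "app": "Browser", "location": "Berlin, DE"}
{"user": "alice@example.com", "auth": "oauth_token", "app": "Mail client on laptop", "location": "Berlin, DE"}
{"user": "alice@example.com", "auth": "oauth_token", "app": "Mail client on laptop", "location": "Unknown, XX"}
{"user": "alice@example.com", "auth": "oauth_token", "app": "mail-sync-helper", "location": "Berlin, DE"}
"""

def review_activity(lines: str) -> List[Finding]:
    """Return one Finding per OAuth-token access from an unapproved app or an unfamiliar place."""
    findings = []
    for raw in lines.strip().splitlines():
        rec = json.loads(raw)
        if rec["auth"] != "oauth_token":
            continue  # interactive logins are already covered by password + 2FA
        user, app, loc = rec["user"], rec["app"], rec["location"]
        if app not in KNOWN_APPS.get(user, set()):
            # An app the owner never approved: revoke it on the permissions page.
            findings.append(Finding(user, app, loc, "app not in approved list",
                                    "remove the app under connected apps"))
        elif loc not in KNOWN_LOCATIONS.get(user, set()):
            # Approved app, but its token is being used from somewhere new: the
            # pattern a stolen token produces. Sign out everywhere and re-check.
            findings.append(Finding(user, app, loc, "approved app, unfamiliar location",
                                    "sign out of all devices, then scan the device"))
    return findings

if __name__ == "__main__":
    for f in review_activity(SAMPLE_ACTIVITY):
        print(f"{f.user}: {f.app} from {f.location}: {f.reason} -> {f.action}")
```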
The Bigger Picture
This attack reveals an uncomfortable truth: sophisticated security systems create sophisticated attack surfaces. As we move toward passwordless authentication and token-based security, criminals are adapting their methods. The weakest link is often the device itself, not the authentication system. Staying informed about these evolving threats helps families make smarter decisions about device security, app permissions, and account monitoring.
How GetCyberRight Can Help
Our Awareness Hub tracks emerging authentication threats and account takeover techniques targeting cloud services like Gmail. We translate complex attacks like ToddyCat's OAuth exploitation into clear, actionable guidance for families. When new threats emerge that affect how you protect your accounts, we break down what changed and what you need to do differently.
Curated from trusted cybersecurity sources by GetCyberRight