
Management Assistance Program

Safeguarding Your Law Firm: Key Takeaways From the Gmail Credential Leak

By Julie Bays, OBA Management Assistance Program Director

Every law firm depends on email. That is why a recent wave of reports about exposed Gmail credentials caught my attention: “Gmail Passwords Confirmed Within 183 Million Account Infostealer Leak.”

While there was not a breach of Gmail’s internal systems, security researchers discovered a massive compilation of stolen usernames and passwords circulating online. Many of these login details were connected to Gmail and Google accounts.

The important point is this: attackers did not break into Google. Instead, they collected passwords from older data breaches, phishing emails, and malware on personal devices. Over time, these credentials were combined into a single, very large list. If any of your staff reused a password on more than one site, their Gmail account could be at risk even if Gmail itself was never compromised.

For law firms, this is a serious reminder to strengthen basic security habits. Lawyers routinely handle confidential client information, and email is often the gateway to everything else. A stolen password can give a bad actor access to client communications, cloud files, calendars, or even document-sharing systems.

Here are a few practical steps to consider:

  • Change your passwords and make sure you use a unique password for each account.
  • Turn on multi-factor authentication for every email account, including Gmail, Microsoft 365, and any service containing client data.
  • Avoid using personal devices for firm email unless they have up-to-date security and are protected with strong passcodes.
  • Be cautious with unexpected emails, especially messages urging you to “verify your account” or “reset your password.”
  • Encourage staff to use a password manager to avoid reuse and simplify updates.

If you’d like to read another lawyer’s perspective on this topic, this article offers a helpful overview: “Why the Recent Gmail Password Compromise Should Be a Wake-Up Call for Your Firm.”