The initial reports had two pretty specific claims:

1. There was a compromised Salesforce database that resulted in potential compromise of all gmail users.
2. Google sent notifications to most/all gmail users indicating they should change their passwords.

I’ve yet to see a single firsthand notification from Google, so was already skeptical of #2. However, the first claim was debunked pretty quickly by confirmation the Salesforce breach didn’t include gmail data, even without considering how much MFA would negate how dangerous such a breach could be.

This whole situation throws up way more red flags about tech/cybersecurity reporting than anything on Google’s side.

“2.5 billion? Don’t be ridiculous. More like 2.3 billion. 2.4 tops.”

We investigated ourselves and found no issues!