To make matters worse, the worm also sent itself out to all of the affected users' contacts — Gmail or otherwise — reproducing itself hundreds of times any time a single user fell for it.
The strategy is a common one, but the worm that was released Wednesday caused havoc for millions of users because of its unusually sophisticated construction: Not only did the malicious link look remarkably realistic and trustworthy, but the email that delivered it also appeared to come from someone users already know — and the payload manipulated Google's real login system.
Google said it had "disabled" the malicious accounts and pushed updates to all users. The vulnerability was exposed for only about one hour, and a spokesperson told NBC News on Wednesday night that it affected "fewer than 0.1 percent of Gmail users" — which would still be about 1 million.
"While contact information was accessed and used by the campaign, our investigations show that no other data was exposed," the spokesperson said.
It could have been a potential calamity for unsuspecting victims: With control of your Gmail account, scammers can harvest any personal data you've ever sent or received in an email. That can allow them to generate password-reset requests on scores of other services, potentially letting the hackers take over, for example, your Amazon, Facebook or online bank accounts.
Employees and others connected to large companies, especially educational institutions and journalism organizations, began flooding social media about 2:30 p.m. ET reporting that they'd received the malicious email.
Employees and others connected to large companies, especially educational institutions and journalism organizations, began flooding social media about 2:30 p.m. ET reporting that they'd received the malicious email.
/CNBC/
More about: #Google
