Could You Fall for This Gmail MFA Hack? What Every User Needs to Know About the Latest Russian Cyber Attack

June 22, 2025

You might think your Gmail account is safe because of multi-factor authentication (MFA). However, recent attacks by Russian hackers have shown that this extra layer of security isn't always foolproof. These cybercriminals, associated with UNC6293, have found a way to trick users into giving them access by manipulating app-specific passwords. This breach has targeted prominent individuals like academics and critics of Russia, using deceptive emails that appear to be from the U.S. State Department. Let's explore how they did it and what you need to know to protect your information.

What Datapoints Were Leaked?

When Russian hackers, specifically the group known as UNC6293 (also referred to as APT29), managed to bypass Gmail’s multi-factor authentication, they didn’t just get a peek at inboxes. The breach ran deep, exposing a variety of sensitive data that most users wouldn’t want in the wrong hands.

What Was Actually Accessed?

The attackers gained entry to:

  • Emails: Both incoming and outgoing messages were exposed, including sensitive conversations, private attachments, and ongoing threads that often contained personal or professional details.
  • Personal Contacts: Lists of friends, family, colleagues, and professional connections were compromised. This data can be used for further phishing or social engineering attempts.
  • Sensitive Communications: For some victims, the hackers accessed exchanges involving government officials, academics, and critics of Russia—often discussing topics considered high-risk.
  • Calendar Events and Google Drive Files: In some cases, permissions allowed attackers to see scheduled appointments, confidential files, or drafts saved in cloud storage.

Why Does This Matter?

The real sting isn’t just in the data itself, but what can be done with it. Here’s the fallout:

  • Blackmail or Extortion: Exposed emails and files could be used to pressure or threaten individuals.
  • Identity Theft: With personal info, attackers can impersonate victims or trick their contacts.
  • Further Attacks: Stolen contacts and conversations can fuel highly targeted phishing, making future scams even more convincing.
  • Reputational Harm: For those in the public eye, having private messages or sensitive research leaked can lead to professional and personal consequences.

If you’re someone who uses Gmail to communicate about work, research, or activism—especially topics related to Russia or global politics—these data points are exactly what makes you a target.

Cloaked, for example, offers tools that help users mask their real email addresses and personal information. Using such features can limit what’s exposed if an account is ever compromised, adding another level of safety beyond just relying on MFA.

Should You Be Worried?

Who Should Pay Attention?

If you’re an academic, journalist, or outspoken critic of Russia, the answer is simple: yes, you should be alert. Recent attacks targeting Gmail users show that even with strong multi-factor authentication (MFA), some groups—like UNC6293/APT29 (often linked to Russian intelligence)—have managed to break through. The attackers didn’t just try to brute-force passwords. They studied their targets, learned their habits, and tricked them with social engineering.

Key risk groups include:

  • Scholars or researchers focused on Russian or Eurasian studies.
  • Journalists covering Russian affairs, politics, or cybercrime.
  • Activists or critics known for public commentary on Russia.
  • Anyone with a history of exposing state-sponsored activities.

If you fit any of these descriptions, you’re on their radar.

How Did They Bypass Gmail MFA?

Multi-factor authentication is supposed to be a tough lock. But these attackers got creative:

  • Phishing Pages: They set up fake Google login screens, tricking users into entering both their password and the one-time MFA code.
  • Real-Time Interception: The phishing site immediately sent those details to the actual Google login—logging in as you, in real time.
  • Credential Harvesting: Once inside, they didn’t just stop at reading emails. They scoured inboxes for sensitive files, contacts, and further access points.

Even users who followed every security best practice—long passwords, app-based authentication—weren’t safe if they entered their details on a lookalike site.

Are You in the Crosshairs?

You might be at risk if you:

  • Have public-facing profiles linking you to Russian topics or criticism.
  • Regularly use Gmail for sensitive conversations.
  • Rely on MFA but aren’t watching for phishing attempts.
  • Work in environments with high-value data or contacts.

What Can You Do?

If any of this sounds uncomfortably close to home, don’t panic—but don’t ignore it either. This is a time to double-check your digital habits. Think before you click. Scrutinize every login page. Cloaked offers privacy tools to help mask your contact information and reduce your exposure, making it tougher for attackers to even know where to aim.

Stay watchful. In the digital age, awareness is often your best defense.

What Should Be Your Next Steps?

Securing your Gmail account isn’t just a good idea—it’s essential. With sophisticated hacks like the recent UNC6293/APT29 Gmail MFA attack making headlines, it's clear that even multi-factor authentication can be sidestepped if you’re not careful. Let’s break down actionable steps to keep your digital identity safe and explain why some commonly used features, like app-specific passwords, might put you at risk.

Lock Down Your Gmail Account

1. Use Strong, Unique Passwords

  • Avoid reusing passwords across different sites.
  • Create passwords that mix upper and lowercase letters, numbers, and symbols.

2. Multi-Factor Authentication (MFA) Is a Must

  • Enable MFA on your Google account. Choose stronger options like:
      • Google Prompt via the official app (not SMS).
      • Physical security keys (USB or Bluetooth).
  • Don’t rely on SMS or phone calls for authentication—these are easier to intercept.

3. Watch Out for App-Specific Passwords

  • App-specific passwords are one-time codes for devices or apps that don’t support MFA.

Risks:

  • Once generated, these passwords bypass MFA, giving attackers a back door.
  • They’re often not monitored as closely by users.

Mitigation:

  • Regularly review and revoke unused app-specific passwords in your Google account settings.
  • Only use them if absolutely necessary, and always monitor account activity.
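
One way to run the periodic review described above across several accounts, as an added example rather than code from this article or from Google. The record fields follow the Admin SDK Directory API `asps` resource that Workspace administrators can list; the sample records, the 90-day and 7-day thresholds, and treating a `lastTimeUsed` of 0 as "never used" are assumptions.

```python
DAY = 86400  # seconds
NOW = 1750550400  # 2025-06-22 00:00 UTC, fixed so the result is reproducible

# Constructed sample records: field names follow the Directory API "asps"
# resource (times as Unix seconds); names and values are made up.
SAMPLE_ASPS = [
    {"codeId": 101, "name": "mail client (laptop)",
     "creationTime": "1672531200", "lastTimeUsed": "1750291200"},
    {"codeId": 102, "name": "old office printer",
     "creationTime": "1640995200", "lastTimeUsed": "1656633600"},
    {"codeId": 103, "name": "shared-docs-access",
     "creationTime": "1750377600", "lastTimeUsed": "0"},
    {"codeId": 104, "name": "calendar sync test",
     "creationTime": "1704067200", "lastTimeUsed": "0"},
]


def audit_asps(asps, now_ts, stale_days=90, new_days=7):
    """Return (codeId, name, reason) for every password that needs review."""
    findings = []
    for asp in asps:
        created = int(asp.get("creationTime") or 0)
        last_used = int(asp.get("lastTimeUsed") or 0)  # assumption: 0 = never used
        if now_ts - created <= new_days * DAY:
            # A fresh app password is the artifact this attack leaves behind,
            # so ask the account owner whether they created it and for whom.
            reason = "created recently: confirm the owner generated it on purpose"
        elif last_used == 0:
            reason = "never used: revoke"
        elif now_ts - last_used > stale_days * DAY:
            reason = f"unused for {(now_ts - last_used) // DAY} days: revoke"
        else:
            continue  # in regular use and not new
        findings.append((asp["codeId"], asp["name"], reason))
    return findings


if __name__ == "__main__":
    for code_id, name, reason in audit_asps(SAMPLE_ASPS, NOW):
        print(f"{code_id}\t{name}\t{reason}")
```
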

Take Advantage of Google’s Advanced Protection Program

Google’s Advanced Protection Program is built for those who want maximum security, such as journalists, activists, or anyone at high risk of targeted attacks. Here’s what it offers:

  • Physical security key requirement: Login is only possible with a security key.
  • Stricter app access: Only trusted apps can access your Gmail and Drive.

Enrolling is straightforward, but you’ll need at least two security keys. If you handle sensitive information or just want peace of mind, this is worth considering.

Best Practices for Everyday Security

  • Review account activity: Regularly check for logins from unfamiliar devices.
  • Be wary of phishing: Don’t click suspicious links or download attachments from unknown senders.
  • Keep devices updated: Install security updates promptly.

How Cloaked Helps

If you’re looking for an extra layer of privacy, Cloaked can help by generating secure, disposable email addresses and phone numbers for sign-ups. This reduces the risk of your main Gmail account being targeted in phishing campaigns or data leaks. Cloaked doesn’t replace Google’s security measures but complements them by giving you more control over what information you share online.

Stay vigilant—digital security isn’t set-and-forget. Taking these steps now can save you a world of trouble later.


Frequently Asked Questions

First, change your passwords—especially if you've reused them across sites. Then enable two-factor authentication (2FA) on all key accounts. Review your account and credit activity regularly for any unusual behavior. If suspicious actions surface, consider freezing your credit and alerting your bank. To proactively reduce exposure in the future, tools like Cloaked can mask your personal information before breaches happen.

Cloaked provides you with disposable emails, phone numbers, and payment details, making it harder for bad actors to access your real identity. These tools help you safely sign up for services, communicate, and shop online without putting your core identity at risk.

Commonly targeted data includes full names, email addresses, phone numbers, birthdates, physical addresses, login credentials, and payment info. Tools like Cloaked help shield this information by providing secure, masked alternatives.

Always be skeptical. Malicious links are one of the most common ways hackers infect devices or steal data. Avoid clicking unless you can verify the source. Services like Cloaked can add layers of security so your real contact info isn’t exposed even if you make a mistake.

Using the same contact info across platforms makes it easy for attackers to build a full profile of you. If one platform gets breached, all your accounts can be at risk. That’s why Cloaked allows you to use different, secure contact methods for each service.
