
Gmail spam mystery: Before you change your password, read this

Some Gmail users have been reporting spam in their sent folders. But before you change your password, do this first.

Rick Broida, Senior Editor

Is Gmail sending spam from your account?

There's something weird afoot in the world of Gmail. As widely reported earlier -- first by Mashable, then by our sister sites ZDNet and TechRepublic -- some people have noticed spam messages in their Gmail Sent folders.

That can only mean one thing, right? Those accounts have been compromised, so a password change is in order, stat.

Here's the thing: The spam problem appears to persist for some, even after a password change (as reported on the Gmail help forums).

To make matters worse, having two-factor authentication (aka 2FA) turned on doesn't seem to be helping, either. According to the ZDNet story, "The mystery spam appearing in Sent folders has also been happening on accounts with two-factor authentication enabled." 

CNET has reached out to Google for comment on this issue, but has yet to receive a response. (We'll update the post if we receive one.)

So what's going on here, and what can you do about it?

Who's affected?

According to a statement that Google provided to Mashable, the company is "aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it." 

Check your Sent folder

To see if your account has been "sending" spam, head to the Sent folder and look for suspicious messages -- anything that wasn't sent by you or looks to be blatant advertising. (One user reported subject lines referring to weight-loss and growth supplements.)

Don't see anything out of the ordinary? You're probably fine. 

See some spammy messages with you listed as the sender? You can report those messages as spam with a few clicks, and they'll be banished to the correct folder. 

Here's the catch, though: Even if you do see spammy messages listed as coming from your address, your account may well be fine. Forging the From: line of an email is trivial. Any mail server can put your address in that field without ever logging in to your account, so the presence of "your" spam proves nothing about a compromise. If you want evidence one way or the other, open one of the messages, choose "Show original," and look at the raw headers: a forged message arrived from an outside server (the oldest Received: line names it) and fails the SPF and DKIM checks that Gmail performs on mail claiming to come from gmail.com, whereas the Sent copy of something you actually wrote in Gmail has no inbound trail at all.

On that basis, the messages showing up in your Sent folder look like a classification glitch on Gmail's part: messages carrying your address in the From: line were being filed under Sent instead of Spam. In the same statement referenced above, Google told Mashable that its engineers have "identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident."
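To make the header check above concrete, here is a small script (an added example, not CNET's or Google's code) that reads the raw headers Gmail's "Show original" view displays and decides whether a message in Sent was really sent from the account or merely carries a forged From: line. The account address, host names, IP addresses and both sample messages are constructed for illustration.

```python
"""Decide whether a message sitting in Gmail's Sent folder was really sent from
this account or merely carries a forged From: line.  Added example, not CNET's
or Google's code.  It reads the raw headers that Gmail's "Show original" view
displays; MY_ADDRESS and the two sample messages below are constructed."""
import email
import email.utils
import re
from email import policy

MY_ADDRESS = "alice@gmail.com"                      # assumption: the account being checked
GOOGLE_HOSTS = (".google.com", ".googlemail.com")   # hosts that legitimately inject Gmail mail

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I)


def auth_results(msg):
    """Collect SPF/DKIM/DMARC verdicts from the Authentication-Results header that
    Gmail adds to every message it receives from outside (outbound copies have none)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            verdicts.setdefault(mech.lower(), verdict.lower())
    return verdicts


def entry_host(msg):
    """Host named in the oldest Received: line, i.e. where the message entered the
    Gmail mail path.  Received lines are prepended, so the oldest is listed last."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\bfrom\s+(\S+)", str(received[-1]))
    return m.group(1).lower().rstrip(".") if m else None


def submitted_with_credentials(msg):
    """True if a Received: line records authenticated submission (ESMTPSA) through
    smtp.gmail.com, i.e. a desktop or phone client sent it with this account's login."""
    return any("ESMTPSA" in str(r) and "gmail.com" in str(r) for r in msg.get_all("Received", []))


def classify(raw):
    """Return 'genuine', 'spoofed', 'not-from-me' or 'inconclusive'."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if from_addr != MY_ADDRESS:
        return "not-from-me"
    if submitted_with_credentials(msg):
        return "genuine"
    verdicts, host = auth_results(msg), entry_host(msg)
    if not verdicts and host is None:
        # No inbound trail at all: this is the outbound copy Gmail stored when the
        # message was composed in the web UI or app.
        return "genuine"
    # Gmail signs all outgoing mail with DKIM and publishes SPF for gmail.com, so a
    # message claiming a gmail.com sender that fails (or lacks) either check, or that
    # entered from a non-Google host, never passed through this account.
    failed = [m for m in ("spf", "dkim", "dmarc") if verdicts.get(m) not in (None, "pass")]
    if failed or (host and not host.endswith(GOOGLE_HOSTS)):
        return "spoofed"
    return "inconclusive"


# Constructed samples.  GENUINE mimics the Sent copy of a message composed in Gmail;
# SPOOFED mimics a forged message that arrived from an outside server (IP from the
# documentation range 203.0.113.0/24) and was filed under Sent because of its From: line.
GENUINE = """\
From: Alice <alice@gmail.com>
To: bob@example.com
Subject: Lunch?
Date: Thu, 12 Apr 2018 10:00:00 -0400

Are we still on for noon?
"""

SPOOFED = """\
Received: by 2002:a17:90a:1234:0:0:0:0 with SMTP id q1csp000000; Thu, 12 Apr 2018 03:14:00 -0700 (PDT)
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning alice@gmail.com does not designate 203.0.113.45 as permitted sender) smtp.mailfrom=alice@gmail.com; dkim=none
Received: from mail.bulkpromo.example (mail.bulkpromo.example. [203.0.113.45]) by mx.google.com with ESMTP id x1si000000; Thu, 12 Apr 2018 03:14:00 -0700 (PDT)
From: alice@gmail.com
To: alice@gmail.com
Subject: Lose 20 lbs in 20 days
Date: Thu, 12 Apr 2018 03:13:00 -0700

Click now for growth supplements.
"""

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("SPOOFED", SPOOFED)):
        print(name, "->", classify(raw))
```

Paste the "Show original" text of a suspicious message into `classify()` to run it against real headers. Mail you sent from a desktop client through smtp.gmail.com carries a Received: line with "ESMTPSA", which the script treats as proof of an authenticated login; a message that reaches "inconclusive" passed Gmail's own checks and entered from Google infrastructure, which is when a password change and a review of connected apps are actually warranted.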

I'm still freaked out. What else can I do?

Well, the good news is that this may have finally scared you straight on email security. The first and best thing you can do is...

Enable two-factor authentication: If you haven't already done this, you should. Two-factor authentication requires anyone logging in to your Google/Gmail account to supply a second factor on top of the password: a one-time code generated in real time by an authenticator app or sent by text message, a prompt you approve on your phone, or a hardware security key. Bear in mind that 2FA guards logins only. A spammer who forges your address in a From: line never logs in to anything, which is why accounts with 2FA turned on were hit by this glitch just like the others.

CNET's Matt Elliott tells you everything you need to know about setting up Google's two-factor authentication, so I won't repeat it here. I will recommend that you read Matt's other article about using something other than text-messaging for that authentication. He recommends Google Prompt, which is available for both Android and iOS.

Make sure no dodgy apps have permissions to access your Gmail account: The same thing people have been doing on their Facebook accounts, post-Cambridge Analytica, applies here. In your Google account's security settings, review the list of third-party apps that have access to your Google/Gmail account. Expanding each one lists the vendor and the day access was granted. Double-check even the ones with familiar names: Many Google Docs users fell victim to a sophisticated phishing scam almost exactly a year ago in which a malicious app that called itself "Google Docs" asked for access to their accounts.

[Image: Gmail app permissions. Caption: This is a legit app, and the date lines up with when we authorized it to be linked to our Google account. Credit: CNET]

Check for mystery browser extensions: Apply the same scrutiny to your browser. A malicious extension can read and alter every page you visit, including your Gmail session, so if you find any extensions you don't recognize, it won't hurt to uninstall them.

Use a password manager: Using a password manager is the easiest way to maintain secure passwords on any and all sites. Find the best password manager options here.

Change your password anyway? To reiterate: This Gmail-spam thing appears to be a glitch, not a hack, and people who had already changed their password were still seeing the issue. As a result, we do not recommend changing your Gmail password to address this particular problem.

But, if you insist: The fastest, easiest way to do that is to visit Google's password change page. If you're using your phone or tablet, you'll have to open a browser. You can't change passwords from within a Google or Gmail app.

Also, needless to say, if you already have 2FA set up for your account, be prepared to jump through that second "factor" hoop before you can complete the password-change process.

Have you encountered any unexpected spam in your Gmail Sent folder? If so, tell us about it, and what steps you've taken (if any).