Gmail Address Change Feature: Identity Flexibility vs. Account Takeover and Impersonation Risks
Google is rolling out the ability for U.S. users to change their primary @gmail.com address or create aliases, improving account flexibility but introducing new vectors for account compromise, impersonation, and social engineering attacks.
Affected
Google's introduction of changeable primary Gmail addresses is a significant departure from email address immutability, a security assumption baked into decades of account authentication practice. Whilst the feature gives users more control over their digital identity, it widens the attack surface in ways that security teams must recognise and prepare for.
The primary risk lies in account recovery workflows. Many organisations still rely on matching the email address string for account verification, password resets, and two-factor authentication recovery. An attacker who gains access to a victim's Gmail account can now change the primary address to one they control, and any third-party service that keys the account on that string loses its binding to the legitimate owner whilst the attacker retains full access to the Google account itself. This undermines recovery mechanisms that assume the address remains constant. The feature also creates opportunities for lookalike impersonation: an attacker can rename an unrelated account to an address that closely resembles a colleague's (for example, john.smith.123@gmail.com alongside a colleague's john.smith.1234@gmail.com), enabling convincing phishing and social engineering within organisations that trust the Gmail domain rather than the specific mailbox.
The alias feature compounds these risks. Multiple aliases pointing to the same account can be used to establish false identities or to distribute malicious links across different touchpoints whilst maintaining a single attack infrastructure. Defenders should assume that email-based identity verification is no longer reliable for Gmail accounts without additional confirmation steps. This particularly affects organisations where employees use Gmail for both business and personal communication, since an account takeover of the personal mailbox can then be used to compromise corporate access.
Organisations should immediately audit their account recovery and authentication procedures and stop treating a static email address as an authentication factor or as the stable key for an account; where Google sign-in is used, key the account on the immutable OpenID Connect `sub` claim and treat the `email` claim as informational and subject to change. Implement email domain allowlisting where possible, require re-verification when a user's address changes, and consider mandatory additional authentication factors beyond email for sensitive account operations. Incident response teams should assume that activity timelines keyed on an email address may be split across the old and new names after a change, complicating forensics; correlate on the stable account identifier instead. Monitor for unusual authentication patterns and for address changes as potential compromise indicators.
Sources