Changing a password isn’t the end of the world, but on a holiday Monday, it’s an unwelcome interruption. The bigger problem? Google never sent a warning. Earlier in August, Google disclosed a breach involving one of its internal Salesforce servers. But the company explained that the stolen information was limited to business contact details, such as names, email addresses and phone numbers, from a relatively small group of Gmail users. In other words, the kind of material you might find on LinkedIn, not sensitive account data.

That didn’t stop some reports from overstating the scope. Google quickly stepped in with a post on its official blog, The Keyword, saying: “Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false.” Google reminded readers that it blocks more than 99.9% of phishing and malware attempts before they ever reach inboxes. (Tip: bookmark Google’s Keyword blog at https://blog.google/ for reliable updates.)

So what can you do the next time you see a concerning tech alert? First, check the source. Is it a news organization you know and trust, or an unfamiliar website? In this case, the reports came from major publications, which complicated things. That’s when you look for discrepancies. Were some outlets sounding the alarm while others were already publishing Google’s denial? Conflicting headlines are a sign the information needs confirmation.

Go straight to the source. Most companies issue statements on their websites or official social media accounts. Google, for instance, posts security updates on its blog and on X (formerly Twitter). If you don’t find confirmation there, take the coverage with caution.

Next, consider what action is being recommended. If an alert tells you to change your password, you can’t go wrong by doing it. Cybersecurity experts recommend updating passwords regularly anyway, at least once a month. Don’t wait for a scare — make it a routine.

Passwords are just one layer of protection. Adding a second layer of security such as two-factor authentication, which uses your phone to send a one-time code, is an easy step to take. In Google, you’ll find the option under Manage your Google Account, then Security followed by 2-Step Verification. Many other services, including Apple, Microsoft, banks and social media platforms, offer two-factor authentication as well. Look under account or security settings to turn it on.

Google, Microsoft and Apple have all said they want to replace passwords with passkeys, a biometric-based system of logging into accounts. Instead of typing a password, you confirm your identity with a fingerprint or face scan from your phone. There’s nothing to type, nothing to remember and nothing for an attacker to capture in a phishing email.

Older devices that don’t support biometrics present a hurdle, but there’s a workaround. You can use physical security keys, which are small USB or NFC devices that store passkeys. These FIDO2-certified tokens work like passkeys without requiring a fingerprint reader or face-recognition hardware. You insert (or tap) the key during login, and you’re authenticated by cryptography stored on the key itself. Google’s Titan Security Key now supports storing passkeys directly on the device, and companies like Yubico and Nitrokey offer similar products.

In a joint announcement in 2022, Apple, Google and Microsoft committed to the passwordless standard developed by the FIDO Alliance, calling it “a more convenient and more secure” replacement for passwords. Google described it as a “major step toward a passwordless future,” while Microsoft recently reported that shifting users to passkeys cut password use by more than 20%.

And what if you suspect someone is trying to trick you by email? If you get a suspicious message in Gmail, click the “More” option next to the Reply button and choose “Report phishing.” That flags the email for Google and helps prevent similar attempts from spreading.

We may not be able to prevent mistaken reports from making the rounds, but we can control how we respond. With a little fact-checking and some smart security habits, the next holiday — or any day — can stay focused on family and fun, not phantom Gmail hacks.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.