New Malware Stays Logged Into Stolen Google Accounts After Password Reset

Security researchers identified a malware family that could maintain persistent access to Google accounts even after the victim changed their password. The technique exploited an undocumented aspect of Google’s authentication token handling.

How It Works

Modern web authentication checks the password once, at login; after that the browser presents session tokens (typically cookies), not the password. When you log into Google, your browser receives token material that identifies your session, and some of that material is long-lived: a refresh mechanism lets the client obtain fresh session tokens without re-entering the password. Normally a password change is treated as a revocation event: the service invalidates existing sessions and the refresh material behind them, forcing every client to log in again with the new password.

The malware exploited that refresh mechanism: token material it had already stolen could be presented back to Google to mint new, valid session tokens. Because the refresh path did not treat the password change as a revocation event, the stolen material kept working, and the attacker could open fresh sessions without ever learning the new password.

The practical effect: the victim changes their password, believes they have secured their account, and the attacker retains access.
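The failure mode above, reduced to a small model. This is an added example written for this article, not code from the original page and not Google's implementation: the `AuthServer` class, its token format, the password "generation" counter and the constructed victim/attacker scenario are all this example's own. It contrasts a server whose refresh tokens outlive a password change with one that binds each refresh token to the password generation it was issued under, and it also models the explicit "revoke all sessions" step from the Defensive Measures section, so the three outcomes can be compared directly.

```python
"""Toy model of sessions, refresh tokens and password changes.

Added example for this article, not code from the original page and not
Google's implementation: the class, names and token formats are this
example's own.  It shows (a) a design in which refresh material outlives a
password change, so stolen tokens keep working, and (b) the same server with
refresh tokens bound to a password generation counter, so a password change
revokes them, plus an explicit revoke-all-sessions action.
"""
import hashlib
import secrets


class AuthServer:
    def __init__(self, bind_refresh_to_password: bool):
        # True: refresh tokens are tied to the password generation they were
        # issued under.  False: the weak design the article describes.
        self.bind_refresh_to_password = bind_refresh_to_password
        self.users = {}           # username -> {"pw_hash": str, "generation": int}
        self.refresh_tokens = {}  # refresh token -> {"user": str, "generation": int}
        self.sessions = {}        # session token -> username

    @staticmethod
    def _hash(password: str) -> str:
        # Toy hash for the model only; real systems use a slow, salted KDF.
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user: str, password: str) -> None:
        self.users[user] = {"pw_hash": self._hash(password), "generation": 0}

    def _issue_session(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def login(self, user: str, password: str):
        """Password check happens here, once; returns session + refresh tokens."""
        u = self.users.get(user)
        if u is None or u["pw_hash"] != self._hash(password):
            return None
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = {"user": user, "generation": u["generation"]}
        return {"session": self._issue_session(user), "refresh": refresh}

    def refresh(self, refresh_token: str):
        """Mint a new session from a refresh token; returns None if rejected."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None:
            return None
        if (self.bind_refresh_to_password
                and rec["generation"] != self.users[rec["user"]]["generation"]):
            # Token was issued under an older password: reject it and delete it.
            del self.refresh_tokens[refresh_token]
            return None
        return self._issue_session(rec["user"])

    def is_valid_session(self, session_token: str) -> bool:
        return session_token in self.sessions

    def change_password(self, user: str, old: str, new: str) -> bool:
        u = self.users.get(user)
        if u is None or u["pw_hash"] != self._hash(old):
            return False
        u["pw_hash"] = self._hash(new)
        u["generation"] += 1
        # Both designs drop live browser sessions here; only the generation
        # check in refresh() stops old refresh material from minting new ones.
        self.sessions = {t: n for t, n in self.sessions.items() if n != user}
        return True

    def revoke_all_sessions(self, user: str) -> None:
        """The 'sign out of all devices' action: drop sessions AND refresh tokens."""
        self.sessions = {t: n for t, n in self.sessions.items() if n != user}
        self.refresh_tokens = {t: r for t, r in self.refresh_tokens.items()
                               if r["user"] != user}


def attacker_keeps_access(bind_refresh_to_password: bool, revoke_all: bool = False) -> bool:
    """Constructed scenario: malware steals the victim's refresh token, the
    victim changes the password (and optionally revokes all sessions), then
    the attacker tries to refresh.  Returns True if the attacker still gets in."""
    srv = AuthServer(bind_refresh_to_password)
    srv.register("victim", "hunter2")
    creds = srv.login("victim", "hunter2")
    stolen_refresh = creds["refresh"]  # exfiltrated by the malware (constructed)
    assert srv.change_password("victim", "hunter2", "correct-horse-battery-staple")
    assert not srv.is_valid_session(creds["session"])  # old session dies either way
    if revoke_all:
        srv.revoke_all_sessions("victim")
    new_session = srv.refresh(stolen_refresh)
    return new_session is not None and srv.is_valid_session(new_session)


if __name__ == "__main__":
    print("weak design, password change only:", attacker_keeps_access(False))          # True
    print("weak design, plus revoke all sessions:", attacker_keeps_access(False, True))  # False
    print("bound refresh tokens, password change only:", attacker_keeps_access(True))   # False
```

The point of the generation counter is that it does not depend on the server being able to enumerate every copy of refresh material that was ever issued: any token minted under an older password is rejected the moment it is presented, which is the property the password-change step was assumed to have all along.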

Why It Matters

The standard advice after an account compromise is “change your password.” This advice assumes that a password change invalidates all existing sessions. When that assumption is wrong — when the attacker can maintain access despite a password change — the entire account recovery process is undermined.

Users who follow the standard advice believe they have resolved the compromise. They have not. The attacker continues to have access, potentially for extended periods, while the user operates under a false sense of security.

The Broader Lesson

Authentication systems are more complex than the password abstraction suggests. Behind the password there are session tokens, cookies, refresh mechanisms, and session management systems. Each of these components is a potential attack surface, and a password change only secures the account if every one of them treats it as a revocation event. The password is the user-facing layer; the actual security depends on the implementation details beneath it.

Defensive Measures

After a suspected compromise:

  • Clean or reimage the infected device first; any new password or token issued to a machine the malware still controls will simply be stolen again
  • Change the password (necessary but not sufficient)
  • Revoke all active sessions (“sign out of all devices”) from the account security settings, so that stored token material is invalidated and not just the password
  • Review and remove any unrecognized app permissions
  • Enroll a hardware security key as the second factor where the service supports it
  • Monitor account activity for sign-ins you do not recognize in the days after the password change

The incident reinforces that account security is not a single action (changing a password) but a process of reviewing all access pathways and closing them systematically.