Update: Google resolved the problem within about an hour of it being reported by revoking the app. The company had this to say: "We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed."
Google also stated that only 0.1 percent of users were affected by the phishing attack, but Forbes points out that if the number of Gmail users is accurate (one billion) then as many as a million users fell victim to the scam.
Several news outlets are reporting that they received spam emails from an elaborate phishing scheme. The scam masquerades as Google Docs to gain access to your contacts and address book. It starts with an email that appears to be from one of your contacts. The email invites you to edit a document on Google Docs.
The link in the email is “somewhat suspicious,” according to one Redditor who almost fell victim to the ploy, but is “still reasonably Google based.”
Clicking on the link takes you to a real Google login screen where you can select the account with which you want to log in to Google Docs. Once logged in, it prompts you to continue to Google Docs. This is where the scam takes effect.
When you click the link, you are asked to grant permission to Google Docs to “Read, send, delete, and manage your email” and to “Manage your contacts.”
Doing this grants permission to a “malicious third-party.” The Verge reports that the app asking for permissions is nothing more than a web app named “Google Docs.” What makes it so tricky is that the login page it takes you to is an actual Google login screen, so looking at the URL does not give it away. The only real clue that it is not what it appears to be is the email address linked to the developer credentials of the bogus app.
JakeSteam on Reddit says that if you “click ‘Google Docs,’ it shows [you] it's actually published by a random gmail account, so that user would receive full access to [your] emails.”
It is not known how far this scam spread, but it raised eyebrows across the web due to the sheer number of people who appear to have received the emails. Google has since tweeted that it has brought the situation under control by disabling offending accounts, removing the fake pages, and pushing updates through Safe Browsing, among other measures.
If you have fallen for the scheme, go to Google’s “Connected Apps and Sites” page and revoke privileges from the app called "Google Docs." In the meantime, be cautious of emails asking to share a Google document with you, even if they appear to come from a trusted contact. Check with the sender first to be sure they are the one who sent it.
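The same review can be applied to a list of connected-app grants. The sketch below is an added example, not code from Google or the article: it flags grants that combine the two signals described above, a first-party product name with a non-Google developer address, and the mailbox or contacts permissions quoted from the consent screen. The record layout, the `google.com` developer-domain rule, the name list, and the sample records are all assumptions constructed for illustration.

```python
import unicodedata

# Consent-screen permissions quoted in the article; either one is high risk.
HIGH_RISK = {
    "read, send, delete, and manage your email",
    "manage your contacts",
}
# Names a third-party app should not be using (assumed list; extend as needed).
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail"}
# Assumption: a genuine Google app lists a developer address at this domain.
VENDOR_DOMAIN = "google.com"


def normalize(text):
    """Fold case and compatibility forms (e.g. fullwidth letters) before comparing."""
    return unicodedata.normalize("NFKC", text).casefold().strip()


def review_grant(grant):
    """Return the reasons a grant resembles the fake "Google Docs" app."""
    reasons = []
    domain = normalize(grant["developer_email"]).rpartition("@")[2]
    if normalize(grant["name"]) in FIRST_PARTY_NAMES and domain != VENDOR_DOMAIN:
        reasons.append("first-party name, developer address at " + domain)
    risky = sorted(p for p in grant["permissions"] if normalize(p) in HIGH_RISK)
    if risky:
        reasons.append("high-risk permissions: " + "; ".join(risky))
    return reasons


def grants_to_revoke(grants):
    """List grants showing both signals: impersonated name and mailbox/contacts access."""
    return [g["name"] + " <" + g["developer_email"] + ">"
            for g in grants if len(review_grant(g)) == 2]


SAMPLE_GRANTS = [  # constructed sample data in a hypothetical export format
    {"name": "Google Docs", "developer_email": "someone@gmail.com",
     "permissions": ["Read, send, delete, and manage your email",
                     "Manage your contacts"]},
    {"name": "Calendar Sync Tool", "developer_email": "support@vendor.example",
     "permissions": ["Manage your contacts"]},
    {"name": "\uff27oogle Docs", "developer_email": "docs.team@gmail.com",
     "permissions": ["Manage your contacts"]},  # fullwidth "G" look-alike
]

if __name__ == "__main__":
    for entry in grants_to_revoke(SAMPLE_GRANTS):
        print("revoke:", entry)
```

A grant that shows only one signal, such as the contacts-only sync tool in the sample, is not listed for revocation but still appears in `review_grant` output for manual review.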