Massive Google Phishing Attack Highlights OAuth's Flaws

The attacker had almost total access to the accounts, which meant they could "read, send, delete, and manage your email" and "manage your contacts" without alerting Google's security features.