Google said yesterday that it disabled offending accounts and removing malicious pages to protect Gmail users from cyberattacks.
The phishing scheme came to the company's attention after a number of users took to social media to complain they had been hacked.
The scammers were able to access Gmail users' accounts without obtaining their passwords by having an already logged-in user grant access to a malicious application posing as Google Docs.
Aaron Higbee, chief technology officer at PhishMe Inc, described the sophisticated attack as "the future of phishing".
"It gets attackers to their goal ... without having to go through the pain of putting malware on a device," he told Reuters.
Duped users gave the hacker access to their Gmail accounts including emails, contacts and online documents.
The compromised accounts could then be used to reset passwords for online banking accounts or provide access to sensitive financial and personal data.