From https://cybersecuritynews.com/vaultjacking-attack-steals-entire-google-password-manager/
So if you use Google Password Manager, you need to be very wary of any e-mail wanting you to enter your pin. Google doesn't seem interested in doing anything about this.
Quote:
A new phishing technique called VaultJacking has emerged, and it is raising serious alarms across the cybersecurity community. With just a single captured 6-digit PIN, an attacker can walk away with an entire Google Password Manager vault, including every saved password and passkey stored inside.
...
Every third-party login, every stored passkey, and every saved credential instantly becomes accessible to the attacker operating from behind the scenes.
...
Security professionals should treat this as an accepted-design trade-off rather than an unpatched bug awaiting a vendor fix.
So if you use Google Password Manager, you need to be very wary of any e-mail wanting you to enter your pin. Google doesn't seem interested in doing anything about this.