The security firm said Gmail users were receiving unsolicited instant messages that urged them to view a video by clicking a TinyURL link.
However, the hoax link navigates to a website called ViddyHo, where web users are asked to enter their Gmail username and password.
"We're all used to receiving suspicious communications via email, but these attacks arrived via the instant chat system built into Gmail. As a result, more users may fall unwittingly into the trap," said Graham Cluley, senior technology consultant at Sophos.
Research by Sophos revealed that 41 percent of web users have the same password for every site they visit. It is because of this Sophos is urging any victims of the hoax site to change the passwords on any site that shares the same log-in details as their Gmail account.
"If you think you might have been duped, make sure you change your Gmail password immediately otherwise your entire address book and all your correspondence, including information that you may have archived about other online accounts, will quickly become rich pickings for the hackers."
TinyURL has now blacklisted the site, so the link will no longer work. However, Sophos warned that there is nothing to stop the hackers using other URL shortening sites or setting up alternative phishing sites.
"The message is simple. You should always be wary of clicking on unsolicited links whether received over email or IM, and be extremely careful whenever a website asks you to enter your username and password for another site," added Cluley.
Gmail suffered a two-hour outage yesterday, which prevented a number of users of Google's webmail service accessing their accounts.
This story, "Hackers Use Gmail IM Service to Steal Login Details" was originally published by PC Advisor (UK).