Hacked Gmail Account

389 points, by madewulf, almost 14 years ago

32 comments

Matt_Cutts, almost 14 years ago
The key part of the blog post for me is this: "To mitigate the risk, Google recently launched two-factor authentication, a mechanism that requires you to input, on top of your password, a code generated by an application installed on your phone (iPhone, Android and maybe some others). I have activated this today."

Anyone savvy enough to hang out on HN probably has a fair amount of valuable info in their Gmail account (domain registration info, passwords/access to shopping sites, etc.) and should activate two-factor authentication: http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

Is it a little more hassle? A bit. But when someone else tries to log in from a new IP address in the Ivory Coast, or China, or wherever, they'll be prompted for a PIN and won't be able to log in.

I activated two-factor authentication as soon as I could on my Gmail. I think everyone reading this comment should too.
raldi, almost 14 years ago
What I'd like is one-factor for my typical "log in and check mail, write back to a few people" use case, and two-factor or a second password that kicks in when I (or a bad guy) tries to:

* Log in from a computer that's never used this account before
* Set up a forward
* Make a mass mailing
* Change the password
* Do extensive searching or searching for suspicious terms ("password", "credit card", etc.)
* Export a large amount of mail

...and other such things. That way, I don't have to be inconvenienced by constantly having to use the second factor, but would still survive a stolen laptop, keylogged password, or sniffed cookie with a contained amount of damage.
yaakov34, almost 14 years ago
I don't understand why so few comments mention that the "last chance form" is a huge security hole. It seems like most of the information for filling it can be seen by someone over my shoulder as I use Gmail. And it's apparently completely automated and can be tried multiple times. I use a strong passphrase and two-factor authentication for a reason, and this defeats it. I already disable the "secret questions", since I don't want cracking the account to be much easier than cracking the passphrase.

I would like Google to give me an option to disable the "last chance form" for my account. Or, if they insist, I'd like the "last chance" to be to fly to Mountain View and show Google my passport or a court order.

EDIT: and for extra bogusness, it seems that the information needed for the "last chance form" can't be changed if it's compromised. I mean, I can change my passphrase if I suspect it leaked, but how do I change the date when I started using Gmail? Sounds like the best thing to do the moment a Google account is compromised is to close it.
hzay, almost 14 years ago
I went through this two years ago. My ex was hacking into my accounts.

- He used the 'last chance form' to get into my gmail by entering the password I'd given him a year before this (I'd changed the password twice after giving him that password)

- He ran a dictionary attack on my college email which didn't have captchas, then hacked gmail using the password that worked for my college email

- We were using shared vnc in college, he found his way to my firefox through a mutual friend, installed a plugin that sent him all POST data and got into my gmail again

I created a new gmail account after each incident. I had to abandon each gmail account once it was cracked because of the 'last chance form'. Back then, you only had to give it one or two correct past passwords, and it gave you access. In hindsight, I've been remarkably dense, but it was a good, early lesson.
llgrrl_, almost 14 years ago
This is exactly why I'm using two-factor authentication for gmail (heck, I even ported the two factor auth code generator to my watch so I don't have to panic when my android phone runs out of battery - http://tnhh.net/pancake/chronos-otp.xml :-)

However, I don't use Gmail for 'everything,' it's just too dangerous and I feel doing it that way Google knows more about me than they should. I think everyone should be hosting the main email address under something that they can surely control (your work/edu account, or a paid email service). My main account is hosted on fastmail (I paid something like 12 bucks for three years) and is cloaked under a dozen other email addresses.

Plus, for fastmail you get a free smtp account, and a standard IMAP account (gmail's IMAP is weird). And they will respond if you're in trouble.
sorbus, almost 14 years ago
> most distressing to me is that I am still unable to explain how those guys were able to get access to the account twice after I changed the password, security questions and backup email address from my Mac that does not seem to be compromised.

It sounds very much like the hackers were also using the "last chance form." Consider that all of the information it requests is available through Gmail - account registration data, names of tags, most emailed people, and verification code (which was apparently emailed to him, and therefore present in the compromised email account) (Note: I haven't used the form myself, I'm going on the information in the article).

Also, the title is a bit link-baitish.
51Cards, almost 14 years ago
I haven't set up two-factor auth yet because I don't always have my phone handy and my understanding of it is that on each log-in you need to use both factors. My comments below are based on this understanding so forgive me if I'm wrong.

What I would love is if instead it asked for both factors under these circumstances:

- option A - on every login like it is now.

- option B - at least once every X days, with a warning that "within the next three logins you'll need to use your second auth" so I will know when it's coming without being locked out because my phone is dead.

- in both of the above cases ALWAYS require two-factor auth every time I change the account settings (like password, recovery addresses, etc.). Possibly even require it when I try to do things like purge a mailbox entirely or bulk email all my contacts.

Having this blended option would make it a no-brainer for me.

Edit: Thanks all for the clarifications below. I am going to give it a try.
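raldi and 51Cards are both describing step-up authentication: the password alone covers routine use, and the second factor is demanded only when the context (unknown device, re-authentication overdue) or the action (password change, forwarding rule, mass mail, bulk export, searching for secrets) raises the stakes. The policy below is an added example written for this page to make that idea concrete; it is not Google's logic, and the thresholds (30-day re-authentication, 200 recipients, 500 exported messages, a 3-day warning) are assumptions chosen for illustration.

```python
"""Action- and context-based step-up authentication policy.

Added example for the proposals in raldi's and 51Cards' comments; not Google's
implementation. All thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

DAY = 86400
REAUTH_INTERVAL = 30 * DAY      # assumption: second factor at least every 30 days per device
WARN_AHEAD = 3 * DAY            # assumption: warn the user this far ahead of the deadline
MASS_MAIL_THRESHOLD = 200       # assumption: recipients that count as a "mass mailing"
BULK_EXPORT_THRESHOLD = 500     # assumption: messages that count as a "large export"
SENSITIVE_ACTIONS = {"change_password", "set_forwarding", "change_recovery", "purge_mailbox"}
SUSPICIOUS_SEARCH_TERMS = ("password", "credit card")


@dataclass
class Session:
    user: str
    device_id: str
    known_devices: frozenset      # devices that have completed the second factor before
    last_second_factor: int       # unix time of the last second-factor check on this device


@dataclass
class Action:
    kind: str                     # "login", "search", "send", "export" or a SENSITIVE_ACTIONS value
    at: int                       # unix time of the attempt
    recipients: int = 0
    messages: int = 0
    query: str = ""


def step_up_reason(session: Session, action: Action) -> Optional[str]:
    """Return why the second factor is required, or None if the password alone suffices.
    Context rules come first so a stolen password on a strange machine never reaches
    the action rules."""
    if session.device_id not in session.known_devices:
        return "new device"
    if action.at - session.last_second_factor > REAUTH_INTERVAL:
        return "periodic re-authentication"
    if action.kind in SENSITIVE_ACTIONS:
        return f"sensitive action: {action.kind}"
    if action.kind == "send" and action.recipients >= MASS_MAIL_THRESHOLD:
        return "mass mailing"
    if action.kind == "export" and action.messages >= BULK_EXPORT_THRESHOLD:
        return "bulk export"
    if action.kind == "search" and any(t in action.query.lower() for t in SUSPICIOUS_SEARCH_TERMS):
        return "suspicious search"
    return None


def reauth_warning(session: Session, now: int) -> bool:
    """51Cards' option B: tell the user ahead of time that the second factor is due soon,
    so a dead phone does not lock them out unexpectedly."""
    due = session.last_second_factor + REAUTH_INTERVAL
    return now < due <= now + WARN_AHEAD


if __name__ == "__main__":
    # Constructed sample session and actions, not real account data.
    alice = Session("alice", "laptop-1", frozenset({"laptop-1"}), last_second_factor=DAY)
    for act in (Action("login", 2 * DAY),
                Action("search", 2 * DAY, query="credit card"),
                Action("send", 2 * DAY, recipients=250),
                Action("set_forwarding", 2 * DAY),
                Action("login", 40 * DAY)):
        print(act.kind, "->", step_up_reason(alice, act) or "password only")
    print("warn about upcoming re-auth:", reauth_warning(alice, 29 * DAY))
```

The ordering inside `step_up_reason` is the security-relevant design choice: device and re-authentication checks run before any action check, so an attacker with only the password cannot reach the "cheap" actions from an unfamiliar machine, and the sensitive set is checked by action name rather than by free-text matching so a renamed endpoint cannot bypass it.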
muppetman, almost 14 years ago
I read a story similar to this a few weeks ago. The guy recovered his account, changed all passwords, but then it was snatched again. Rinse and repeat, I think he got it back in the end though.

Very strange - he thought he'd been targeted specifically.
unshift, almost 14 years ago
tl;dr: don't give your password to anybody. we've been saying this since the mid-90s but people still seem to slip up.

gmail's two-factor auth is nice and easy with the handy iPhone app. of course nobody wants to complicate something like sign-in, but email integrity is very important. facebook also has a similar two-factor auth process (though not as nice; they text you, vs a nice app).

two-factor is a no-brainer at this point for managing your identity, especially given the huge volume of leaked passwords we've seen in the past month. it only takes a few minutes to set up and almost completely eliminates problems like the one in this article. if you haven't set it up yet, do it now! much easier than learning the hard way.
josephcooney, almost 14 years ago
A friend of mine got his domain stolen recently. He believes his gmail was brute-forced through a known vulnerability/feature when POP is enabled: http://seclists.org/fulldisclosure/2009/Jul/254 . He did a write-up at http://secretgeek.net/sg_hijack_1.asp and here http://secretgeek.net/sg_hijack_2.asp . As soon as this happened to him I turned on 2-factor auth and it works very well.
KingOfB, almost 14 years ago
This happened to my girlfriend and I had a similar freak out. After asking a few more questions she remembered getting an email to enter her gmail password to get more storage space... She knows better, but just didn't think about it - it seemed legitimate. Ask your friend more questions, I bet she fell for the same scam. I've met 4 people now that fell for the same one.

I'm also very concerned about the no 'restore' option from gmail. What good are google backups if you can't initiate them?
madewulf, almost 14 years ago
For the record, I don't think that Gmail security is bad, or worse than something else. I just wanted to report my story, as I thought it would be interesting. I am a bit overwhelmed by the reaction to this post, honestly.
someone13, almost 14 years ago
A friend of mine had a similar problem with her Hotmail account.

It had been hacked, but the recovery questions hadn't been changed (mainly, I think, because Hotmail makes it incredibly difficult to even find the option to do this). We reset her password, changed everything, and the account got re-hacked within 30 minutes.

This happened three more times until, eventually, the recovery questions were changed and we couldn't get access. I posted on the support forums, regained access, changed EVERYTHING (this included checking for email forwarding rules, and so on).

Now, through all this, I told my friend to not sign in to the account (or use MSN) from any computer except mine, to ensure that it wasn't a keylogger or Trojan that was causing this. My machine was running an up-to-date version of Ubuntu, on my home network, using HTTPS. So I'm pretty sure it wasn't a trojan.

Unlike Google, Hotmail requires a human to look over your problem, so after the third time we had to wait for a day to get the account accessed, we just gave up. I signed in, copied down as many contacts as I could, then deleted all the incoming emails. We ended up having to abandon her Facebook account too, as the hacker accessed that and was spamming her friends. Her Tumblr, and a couple of other accounts were toast also. We almost got her Facebook back, but the hacker deactivated the account.

It was very frustrating trying to solve this, because I didn't know how the account was being accessed! I opened a ticket asking the Hotmail support staff to tell me how the password was being reset - not any more information, just the method - and they came back with the standard "we won't reveal information unless you have a search warrant or court order".

I love modern technology and all, but sometimes it's REALLY frustrating.
spacemanaki, almost 14 years ago
I bet signups for Gmail's 2-factor auth spikes when stories like this start circulating. It's awesome that they provide it. I fear it might be too much to ask for my mom, grandmother, etc, who are probably more vulnerable to being attacked in the first place (weaker, duplicated passwords for sure).
eneveu, almost 14 years ago
I've also activated two-factor authentication, and I don't think the drawbacks he mentions are that problematic:

"This indeed increases security, but tends to be a bit cumbersome (I often have a depleted battery, for example, which could prevent access to my emails from a computer) and does not solve other cases (like somebody stealing my laptop and using an already opened session)."

1) You can print a list of one-time passwords and store it inside your wallet. If your phone's battery is depleted, you can use them to log in. You should store another copy of this list in a safe place, just in case.

2) If somebody steals his laptop, he could always log in from another computer and disable his session and/or change his password. He should use a password-protected login on his laptop anyway, with an encrypted drive.
jarin, almost 14 years ago
My Gmail account recently was compromised due to the MtGox intrusion, as I had completely gotten lax with my password security practices (I noticed because I was no longer able to log in to my Google account). The worst thing about it is I knew better. I had 4 different passwords that I would use for different types of sites, and it just so happened that my MtGox and Gmail passwords were the same.

Thanks to my backup email account and 1Password's ability to search accounts by password, I was able to restore access and change every account password I had gotten lazy about, before any damage was done. I turned on 2-factor authentication for my Gmail and Google Apps accounts, and now I can finally feel secure with only 2 passwords I have to memorize (Gmail and 1Password).
chapel, almost 14 years ago
One thing you should check for if your email was compromised is the pop3 forwarding and imap. Attackers will forward your emails to their own accounts using either or both. This makes it very easy for them to retake your account.
jdhopeunique, almost 14 years ago
It would be nice if Gmail and Facebook had two separate passwords: one for everyday login and another for administrative functions such as changing passwords, forwarding options, etc.
16s, almost 14 years ago
For those of us who never travel outside the continental U.S. (or wherever), it would be nice if Gmail had an option we could check that read, "Disallow international (non U.S.) access to my account."<p>This would add a small measure of protection, though is not ideal as compromised machines (or proxies) in the U.S. could still access the account.
jeggers5, almost 14 years ago
I'd say this is happening a lot more than we actually hear about. He also raises a good point about how if you gained access to a lot of people's gmail a/c, you'd also get access to a lot of other services they use via the password reset form.
pavel_lishin, almost 14 years ago
So, it seems that the XP machine was the source of intrusions - I'd like to see a follow-up.
paulnelligan, almost 14 years ago
Something I do quite regularly is Google search each of my passwords, and I would advise anyone to do the same.

I found several older passwords with my login up on a file-sharing website not so long ago. Luckily I didn't suffer the same fate as the writer's wife.

Also, I believe that Google should have 'paid support' in place for this type of situation. No doubt it would be profitable for them, and would save many people quite a lot of pain.
bwooceli, almost 14 years ago
There is another layer of protection you can put in place - Google Apps. For many people, spending the $10/year on a private domain with the 10 account limit would be more than sufficient. Allocate one of those accounts to a strictly administrative role with 2 factor authentication. That way, you can self-serve on things like emergency password resets etc.
S_A_P, almost 14 years ago
So I'm perplexed about how the gaming XP machine fits in here. I can understand that maybe that machine was used to log into the gmail account once and the auto login would have let the "hacker" in once. How then, if the user changed the password and security questions, etc., did this person access the account 2 more times???
aj700, almost 14 years ago
They should be asking for certain characters of your password now, to defeat keyloggers. If you've got tons in the cloud, you need bank-level security. If people can cope with it for banking, they can cope with it for gmail.
namank, almost 14 years ago
I worry about this a fair bit. This is why I am in the process of cloaking my gmail with a throwaway address (ping@namank.com)

And I just suggested gmail this:

-----
Gmail runs my life, as it does yours! Yes, I have an alternate email but whoever has my password can change it and then I'm LOST! You need to make this hackproof (yes yes, I know. but please, at least TRY)

I suggest:
- Have a backdoor password. There MUST be a 24-48 hour window between changing the backdoor password and the main password.
- Must be a 24 to 48 hour window between a password change and alternate email change.
-----
paraschopra, almost 14 years ago
Just enabled 'Two factor authentication'. Thanks for writing this. Made me realize the loss I would incur if my account gets hacked.
riffraff, almost 14 years ago
The "last chance form" (or "account recovery exam") really is a hard and impossible-to-find thingy. Also, I frankly have no idea about when I started using some services, and worse, no clue how to find out.
RyanKearney, almost 14 years ago
> Time now for some damage evaluation. I immediately saw that all contacts had been deleted (annoying but not too bad)

There's pretty much a one-click restore process now: http://i.imgur.com/1EYZ5.png
drivebyacct2, almost 14 years ago
Not sure why any of these steps should lead you to fear about using Gmail. Hosting your email yourself is almost surely more risky. Those hosting their own email aren't going to have a complex password recovery system with the abuse protection that Google's has. There isn't going to be a warning system to alert you that there have been sign-ons from foreign states/countries. There isn't going to be two-auth out of the box unless you install the PAM module.

If your weak link was, as usual, the human link... I would be inclined to trust a system more catering to (forgive me) ignorant users.

I just worry that the mindset is, "I got hacked because I use Gmail, if I used something else I'd be safer." and I find that logic to be pretty flawed.
leon_, almost 14 years ago
> I was very glad that the "last chance form" did work twice

> That's when I lost the connection again...

hmmm ...
swaits, almost 14 years ago
You get what you pay for.