My Gmail and Google Apps accounts were hacked recently, but since I could establish my identity, Google restored access within the next three hours. Here are the lessons learned and tips that might prevent your Gmail and other Google Accounts from getting hacked.

I frequently get "password assistance" emails in my Gmail inbox that contain a link to reset the password of my Google Account (see screenshot). Since I don’t initiate such password change requests myself, it’s clear that someone else is trying to hack into my Google account. I generally ignore such emails because they also say:

"If you’ve received this mail in error, it’s likely that another user entered your email address by mistake while trying to reset a password. If you didn’t initiate the request, you don’t need to take any further action and can safely disregard this email."
I got a similar email last night and ignored it as usual. Within the next five minutes, there was a message on my BlackBerry saying that the device was having trouble fetching emails from my Gmail and Google Apps accounts. Microsoft Outlook had stopped working by then too.

Things were now no longer in my control. Someone had successfully changed the password of my Gmail account and my Google Account, and the most terrifying part was that the hacker had also gained control of my Google Apps account, which is linked to labnol.org and other web domains.

When something like this happens, you tend to get that ‘sinking feeling’, because now all your private information (email correspondence, documents, bank statements, photographs, etc.), your identity on the social web (Twitter, Facebook, Blogger, etc.) and, most important, your online business are no longer in your hands.

I make a living from this blog, but if someone else takes control of the site (by changing a couple of passwords and DNS records), the going can get really tough.
How the Google Accounts were hacked and recovered

I use a fairly strong password, so it would be tough for someone to guess that string. And since I received a password reset email in the first place, the possibility that the password was cracked can be safely ruled out.

I don’t use Gmail from any public terminal (so I am safe from password-stealing keyloggers) and have never clicked on links that may point to a fake Google login page (so no phishing attack either). You cannot associate a "security question" with non-Gmail Google accounts, so the possibility that the "security question was weak" is also ruled out.

My assumption is that, since my Gmail account was set as the secondary email address of my Google Apps account, he (or she?) somehow hacked into the Gmail account and from there gained control of my other Google Accounts. This seems probable, but I am not sure.

As soon as I discovered that the accounts were hacked, I posted a message on Twitter, contacted a couple of people at Google and filled out some recovery forms in order to verify ownership. I consider myself lucky because several people went out of their way to help me, and access to all the accounts was finally restored within the next 3 hours. The nightmare was over.
Things to do before the hackers strike again!

I won’t ever know who that hacker was, except that he left a brief message in my Inbox saying that he didn’t hack my Google account with bad intentions and that he "enjoys exploring the web for vulnerabilities". The note also says that he is in urgent need of money and asks for a specific amount.

Anyway, here are a few important things that I have learned in the process that you might want to implement at your end as well, though it’s hard to tell if one can really prevent a determined hacker from stealing your Google accounts.
How to Protect your Gmail & Google Accounts

#1. Log in to your Gmail / Google Account and associate a phone number with it. This is useful because you’ll then receive an SMS text message whenever someone tries to recover your Google password.

#2. Create a new email address (on, say, Yahoo! Mail or Gmail itself) and set this as the secondary email address for your existing Gmail and Google Accounts. Check for emails on this new account manually or through a desktop client via POP3 / IMAP, but do not enable auto-forwarding for the new email address, as that would defeat the original purpose.

#3. Take a piece of paper and write down the following information about your Google Account. You will need this to verify your identity to Google in case someone else takes over your Google Account and the secondary email address associated with it.

- The month and year when you created your Gmail / Google Account. You can look at the last page of your Gmail Inbox (or go to Sent Items) to get an approximate idea of the date when you created the account.
- If you created a Gmail account by invitation, write down the email address of the person who first sent you that Gmail invite. Use a search query like "in:all has invited you to open a free Gmail account" to find that invitation email.
- The email addresses of your most frequently emailed contacts (the top 5).
- The names of any custom labels that you may have created in your Gmail account.
- The day/month/year when you started using various other Google services (like AdSense, Orkut, Blogger, etc.) that are associated with the Google account that you are trying to recover. If you’re not certain about some of the dates, provide your closest estimate*.

[*] For Analytics, look at the first date when it started collecting stats for your website(s). For Orkut, look at the last page of your scrapbook. For AdSense, you may take the help of your AdSense account manager.

#4. It goes without saying, but do not use the same password for your main Google / Gmail account and your secondary email address.
#5. If you access Gmail and other Google services over a Wi-Fi network, make sure that you always use the secure URLs like https://gmail.com. Go to Gmail settings and set ‘Browser Connection’ to ‘Always use https.’ This might make your Gmail access a bit slower, but your account will be more secure.

#6. Once in a while, refer to that little line in the footer section of your Gmail Inbox that shows the different IP addresses from which your account is being accessed. If you find an unknown IP address, change your Google password immediately. The person who hacked my Gmail accounts configured them with his Hotmail account so he could effectively read all my email communication remotely from his Hotmail inbox without ever logging into my Google account again. I could figure that out only after I saw an IP address from a Microsoft server in my Gmail activity log.
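The check in tip #6 can be automated against the activity table Gmail shows. The script below is an added example, not code from the original post: it flags entries from networks you do not recognise and entries using an access type you never use (such as a POP3 fetch by a remote mail service). The network ranges, access types and log lines are constructed placeholders.

```python
# Added example (not from the original post): scan a Gmail-style
# "Last account activity" table for access from addresses outside
# the networks you use yourself. The log lines below are constructed.
import ipaddress
from datetime import datetime

# Networks you recognise as your own (home, office, phone carrier).
# These ranges are placeholders; replace them with your own.
KNOWN_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # "home ISP" (constructed)
    ipaddress.ip_network("198.51.100.0/24"),  # "office" (constructed)
]

# Access types you actually use. The post describes an attacker who
# configured Hotmail to pull mail remotely, so an unexpected POP3
# fetch is worth flagging even if the IP looked plausible.
EXPECTED_ACCESS_TYPES = {"Browser", "IMAP", "Mobile"}

# Constructed sample of the activity table: access type, IP, timestamp.
SAMPLE_ACTIVITY = """\
Browser\t203.0.113.45\t2009-04-12 09:14
Mobile\t198.51.100.7\t2009-04-12 11:02
POP3\t192.0.2.88\t2009-04-12 23:41
Browser\t203.0.113.45\t2009-04-13 08:05
"""

def parse_activity(text):
    """Turn the tab-separated table into (access_type, ip, time) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        access_type, ip, when = line.split("\t")
        rows.append((access_type, ipaddress.ip_address(ip),
                     datetime.strptime(when, "%Y-%m-%d %H:%M")))
    return rows

def suspicious_entries(rows):
    """Return rows from unknown networks or using unexpected access types."""
    flagged = []
    for access_type, ip, when in rows:
        known = any(ip in net for net in KNOWN_NETWORKS)
        if not known or access_type not in EXPECTED_ACCESS_TYPES:
            flagged.append((access_type, str(ip), when.strftime("%Y-%m-%d %H:%M")))
    return flagged

if __name__ == "__main__":
    for entry in suspicious_entries(parse_activity(SAMPLE_ACTIVITY)):
        print("change your password: unexpected access", entry)
```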
#7. You should also consider copying emails from Gmail to another service (like Yahoo! Mail or Hotmail – it is effortless) so that when your Gmail account is compromised, you at least have access to all your previous emails. Or you can configure a desktop email client like Outlook or Thunderbird with your Gmail account (via POP3 or IMAP), and thus you’ll have an automatic offline backup of your Gmail Inbox.
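The same offline copy that tip #7 gets from a desktop client can be taken with a short script over IMAP. This is an added example, not the post's own code: it stores every message in a mailbox as a plain .eml file and skips messages already saved, so it can be re-run as an incremental backup. The address and password in the usage block are placeholders, and IMAP must be enabled in Gmail settings.

```python
# Added example (not the post's own code): pull every message from a
# Gmail mailbox over IMAP and store it as a plain .eml file, giving
# the offline copy the post recommends. Credentials are placeholders.
import imaplib
import os

def backup_mailbox(conn, out_dir, mailbox='"[Gmail]/All Mail"'):
    """Save each message in `mailbox` as <uid>.eml under out_dir.

    `conn` is any object with imaplib's select()/uid() interface, so the
    same code runs against imaplib.IMAP4_SSL or a stand-in in tests.
    Returns the list of UIDs written; UIDs already on disk are skipped,
    so repeated runs only fetch new mail.
    """
    os.makedirs(out_dir, exist_ok=True)
    typ, _ = conn.select(mailbox, readonly=True)
    if typ != "OK":
        raise RuntimeError("cannot open mailbox %s" % mailbox)
    typ, data = conn.uid("search", None, "ALL")
    if typ != "OK":
        raise RuntimeError("search failed")
    saved = []
    for uid in data[0].split():
        path = os.path.join(out_dir, uid.decode() + ".eml")
        if os.path.exists(path):
            continue  # already backed up on an earlier run
        typ, parts = conn.uid("fetch", uid, "(RFC822)")
        if typ != "OK":
            raise RuntimeError("fetch failed for UID %s" % uid.decode())
        # imaplib returns [(b'1 (UID 7 RFC822 {123}', b'<raw message>'), b')']
        raw = next(p[1] for p in parts if isinstance(p, tuple))
        with open(path, "wb") as fh:
            fh.write(raw)
        saved.append(uid.decode())
    return saved

if __name__ == "__main__":
    # Placeholders: replace with your own address and password.
    conn = imaplib.IMAP4_SSL("imap.gmail.com", 993)
    conn.login("you@example.com", "PASSWORD_PLACEHOLDER")
    print(backup_mailbox(conn, os.path.expanduser("~/gmail-backup")))
    conn.logout()
```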
#8. Do a test run. Log out of all your Gmail / Google Accounts and initiate the password recovery process for each one of them using this form. This will help you make sure that your SMS settings and secondary email addresses are configured correctly.
For Google Apps users

#9. You should always have a public email address on your website that others can use to contact you directly. This public email address will also help people find and connect with you on social networks like Facebook, LinkedIn, etc. However, you should make sure that you don’t grant administrative privileges to this email address in Google Apps, because if someone hijacks this account, he will effectively take over your Google Apps domain. Create a new user in Google Apps as an administrator and never share this username with anyone else.

#10. If you have lost access to your Google Apps dashboard, you’ll have to create a new CNAME record pointing to google.com to verify that you are the actual owner of that web domain. To reset the password for the administrator of your Google Apps domain via your domain hosting company, the URL is: