The perils of email: My Gmail account hacked
August 5, 2008
It was, I suppose, a question of when, not if, one of my email accounts would be hacked. I was in the office with a colleague when he said that I had sent a most unusual email, which went,
Wonderful shopping! How are u doing these days? Yesterday I found a web of a large trading company from china, which is an agent of all the well-known digital product factories, and facing to both wholesalers, retailsalers, and personal customer all over the world. They export all kinds of digital products and offer most competitive and reasonable price and high quality goods for our clients, so i think we you make a big profit if we do business with them. And they promise they will provide the best after-sales-service. In my opinion we can make a trial order to test that. Look forward to your early reply! The Web address: {some URL}
Guessing what had occurred, my first fear was that I was locked out of my account. I tried to log in, was elated when I could, and immediately changed my password and deleted all of my contacts. Unfortunately it was too late to stop this email going to around 600+ contacts.
Many friends and colleagues wrote or called in to say that something was awry with my email. Later in the evening, I sent an email to everyone who may have got the spam email apologising, though everyone was very nice and good humoured about it. From a few I learnt that spambot attacks on email accounts as well as Facebook and MySpace accounts are on the rise.
Doing a spot of research on the web, I came across this excellent post (which I strongly encourage you to read in full) that mirrors precisely what I experienced and did after my Gmail account was hacked. It also saves me from going into detail about the remedial measures I took after the attack. One thing I did that’s not mentioned in Tiffehr’s post was to log out of all other sessions on Gmail (Remote Logout is a new Gmail feature).
I want to underline and reaffirm concerns flagged in Tiffehr’s post,
- There is very little reassuring documentation or steps to rectify a frozen account. An e-mail form that lets you indicate the number of hours you’ve been waiting between last reporting your frozen account. You can fill that out to your heart’s content, but there is no message confirming your issue has entered any kind of queue.
- There is nothing in the help documentation about a hacked account for which you have control. It seems the majority of reported cases are hijacked accounts, not one-time-hacked accounts.
- Google’s help system is not at all reassuring about the security of your other google services when an account is hacked. In fact, there is not one word about how to report or escalate hacked activity in other services. I find that an egregious oversight that now puts me much more toward the school of thought that google’s combined account is a terrifying thing to be feared.
- The help forums are shallow. So are general google searches about hacked accounts.
- Google is in fact of little help when it comes to looking up information about a hacked Google account.
My Gmail account is still frozen and I hope they keep their word and unfreeze it after 24 hours. As far as I can tell, there’s simply no way to tell Google to speed things up.
Finally, it’s a strange, unnerving feeling to have your email account hacked. I’ve used email for over 12 years and this is the first time a spambot has managed to crack my password. It’s all the more surprising and worrying because I always log into Gmail securely and my passwords are robust.
There’s also the associated paranoia of my other email accounts being compromised in the same manner, which has led me to change the passwords of all my email, Facebook and other online accounts. Which is a lot of accounts and a lot of work. Not to mention a bloody pain in the arse.
I’m seriously thinking of investing in 1Password, which also has a delectable iPod Touch / iPhone version. Does anyone know of a comparable / better product?
At US$ 35, 1Password isn’t cheap, but the cost of a hijacked account and the havoc it can create is incalculable, so I think I’m going to go ahead and purchase this ASAP.
UPDATE
Went ahead and bought 1Password, which works precisely as advertised and after a couple of hours of use is something I can recommend for users who want a robust password generation / management tool for their Mac.
The only shortcoming at the time of writing is that there is no way to access my passwords or manage them online. There are several workarounds for this though. Syncing 1Password with my iPod touch gives me access to the passwords on the go if I’m not on my Mac. The only problem with this workaround is that the new passwords I’ve generated are a mix of alpha-numeric and other ASCII characters which are rather tedious to type in manually and impossible to remember. The other solution is more elegant – a password protected web page that I can create using the programme which opens in Safari, with the ability to copy and paste my passwords.
There’s also a web based version of 1Password in the works which needs an invite to participate in.
The 1Password iPhone / iTouch app is extremely functional and beautifully designed to boot. I wish there was a way in which it integrated with native iPod Touch apps such as Facebook for seamless password management, but I guess this is impossible on these devices under strict Apple APIs. At present, the app launches the iPhone versions of Gmail and Facebook when you click on each secure account, which is not bad, but not ideal for those of us now used to accessing Gmail via the native applications.
Here’s the 1Password video (narrated by a bloke with a distinctly British accent) that’s a good intro to this programme.
My Gmail is still frozen.
I’m still unsettled by this experience, but I’m reading up on this issue, I’ve installed 1Password and I’m now more diligent about logging off from websites even when they are on my PC. In the interim, many, many friends and colleagues have written in with stories of how their own email accounts and social networking site accounts were hacked. Some repeatedly.
It’s also been a wake-up call as to just how much data I already have “in the cloud” that could be inaccessible or worse, misused, if someone were to get access to the respective accounts. Perhaps all users who have had their privacy and online security compromised look at web storage differently.
I know I do.
UPDATE – 20th September 2008
Lifehacker has an excellent round-up of password managers for Windows as well as OS X.
August 5, 2008 at 2:22 pm
Sanjana,
Your email account may have been ‘hacked’ – a fact you may have confirmed by analysing the email header, but anyone with access to an SMTP server can send emails using your name and email address – the same way I can send an e-card from a website – seemingly in my name and through my own email address, but without having to put in my username and password (when authentication is disabled on the SMTP server).
http://emailtrackerpro.visualware.com/ has a decent tool to track emails using their header. Might help.
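The header check Haren describes above, as an added example that is not part of the post or his comment: it parses the Received chain and the Authentication-Results header to tell a message that really transited the From domain's mail servers from one injected through an unrelated relay. The two messages, the host names and the IP addresses are constructed for the example.

```python
import re
import email
from email import policy

# Constructed sample 1: the message really left the sender's provider (hypothetical
# domain example-provider.com) and SPF passed at the receiving MX.
GENUINE = """Received: from mail-out.example-provider.com (mail-out.example-provider.com [192.0.2.10])
 by mx.recipient.example (Postfix) with ESMTPS id ABC123
Received: by mail-out.example-provider.com with SMTP id x1
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=example-provider.com
From: Sanjana <sanjana@example-provider.com>
Subject: Wonderful shopping!

body
"""

# Constructed sample 2: same From address, but handed to the MX by an unrelated relay
# that never authenticated as the account, so SPF fails.
SPOOFED = """Received: from open-relay.somewhere.example (open-relay.somewhere.example [198.51.100.7])
 by mx.recipient.example (Postfix) with ESMTP id DEF456
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=example-provider.com
From: Sanjana <sanjana@example-provider.com>
Subject: Wonderful shopping!

body
"""

def sender_domain(msg):
    """Lower-cased domain of the first From address, or '' if absent."""
    hdr = msg["From"]
    return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""

def received_hosts(msg):
    """Host named after 'from' in each Received header, top (most recent) first.
    Only the line(s) added by your own MX are trustworthy; lower ones can be forged."""
    hosts = []
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([\w.-]+)", str(rcvd))
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def spf_result(msg, domain):
    """SPF verdict recorded for the envelope-from domain, e.g. 'pass' / 'fail'."""
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", str(ar))
        if m and m.group(2).lower().endswith(domain):
            return m.group(1).lower()
    return None

def classify(raw):
    """Return the evidence plus a verdict: did the mail transit the From domain's servers?"""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    hosts = received_hosts(msg)
    via_provider = any(h.endswith(domain) for h in hosts)
    spf = spf_result(msg, domain)
    verdict = "transited-provider" if via_provider and spf == "pass" else "spoofed-or-relayed"
    return {"domain": domain, "hosts": hosts, "spf": spf, "verdict": verdict}
```

A "transited-provider" verdict on a message you did not write points at the account itself (as in the post), whereas "spoofed-or-relayed" points at a forged From address and not necessarily a stolen password.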
August 5, 2008 at 3:27 pm
Hi,
The very first question I have for you is :
Have you ever used a public computer to log in to your gmail account?
This could be several months or even weeks to hours depending on which situation you’re in. By the time the spammer or the attacker got hold of the address it will be far away from the time your password was collected. So even though you got attacked today doesn’t mean your Gmail got hacked just today. The attacker might have had the info for some time and used it just today! That’s why you have to change your password from time to time. At least every 3 months. My friend who got her gmail hacked got his blogspot blog hacked as well because he was stupid enough to use the same password! Probably it’s because he used an insecure log-in as he logged in as legacy “http://www.blogger.com/legacy-claim.g” before google bought it. That log-in doesn’t force the https connection.
Back to public computer: when you use public terminals you don’t know what monitoring software that are running or whether the PC has malware which sends data to the attacker who is far away.
Personally I recommend you set up one more e-mail account for mobile access. So whenever you go away for a long period you basically set a forward rule to forward mails you get in your “proper” address to your mobile address. So even if you lose your mobile one you can always make another. At first it might be too much work but trust me it will go a long way!
Another good way is to securely configure your mailbox on your mobile phone and have a size limit in downloading, so you don’t get bogged down. So you don’t have to use public terminals anymore.
Remember having a great password doesn’t make you safe. It’s the way you work and think! So think twice! Attackers are smart.
August 5, 2008 at 3:42 pm
I don’t use public computers to access my Gmail account.
August 5, 2008 at 6:24 pm
Thanks Haren. However, my Gmail account was in fact hacked since the email was sent through it, to all my contacts on it. FYI, I regularly use Postfix on my Mac to send bulk emails out, so I’m aware of the method you propose.
What’s disturbing here however is that the spambot actually got into my Gmail account. And as I’ve pointed out in the post, it’s not the first time this has happened either to Gmail accounts.
August 5, 2008 at 6:27 pm
Sanjana, I’m so sorry to hear that your gmail account got hacked! Thank you for alerting your readers to this issue, since many of us rely on gmail. You’ve done us all a public service, especially by linking to Tiffehr’s post which describes the remedial measures to take in the event of a hack. Best of luck in getting this straightened out. Sending you plenty of moral support from Boston.
August 5, 2008 at 8:23 pm
Thanks Diane – it could have been worse.
This does raise the larger issue, for us both, of security for online mediation services that store sensitive client / case details.
Over the wire and local storage aspects of security can be technically addressed to the maximum degree possible, but botnets are getting more sophisticated and taking over more computers on the web, which of course increases their computing power exponentially. The challenge of user education is also paramount – as I note here, the best security often falls prey to silly practices of its users.
Sanjana
August 6, 2008 at 7:45 pm
Sanjana, you raise an important point about the vulnerability of online activities to security breaches — particularly for mediators for whom confidentiality is critical. Your point about user education is well taken — it’s not only hackers we must be alert to but also the negligence of users themselves. Your experience has really raised my own awareness. I learned from my own encounter with hacking earlier this year how important it is to have recovery plans in place.
Thanks again for sharing your experiences, Sanjana. Your blog is one of my very favorite online resources for conflict resolution and technology news and analysis, and I wish you the best as you move forward from this.
August 7, 2008 at 6:56 pm
Also there might be a trojan/keylogger on your computer that’s recording your gmail logins and sending it to the spammers’ central server…
August 7, 2008 at 6:59 pm
Netduke, thanks for that advice. I’m on a Mac and haven’t yet heard of a key-logger written to run on OS X. I also checked all the active processes as well as TCP/IP traffic and ports and there’s nothing amiss.
S
August 15, 2008 at 7:01 am
[...] and frightening at the Online Dispute Resolution forum in Victoria earlier this year. Recently, my own Gmail email account was hacked into, possibly by a [...]
September 24, 2008 at 8:40 am
[...] I did some investigation and this is pretty common. What happened to me happened to this guy here. Here’s another good account of the perils of email. [...]
September 9, 2009 at 12:19 am
[...] blog or use Gmail, Twitter or Facebook. Nothing online is 100% safe. When even the New York Times, technology-savvy conflict resolution proponents, or well-known bloggers like Robert Scoble can get hacked, it’s only a matter of time before [...]