Google Blogoscoped

Forum

A Hacked Google Account  (View post)

Luka [PersonRank 10]

Friday, November 23, 2007
16 years ago, 11,618 views

Brrrrr scary!

Anonymous [PersonRank 0]

16 years ago #

I work for a company that provides mail service for its paying customers. I don't think my colleagues would have helped E. any better in a similar scenario.

David [PersonRank 0]

16 years ago #

You better read the following if you think support is better at Fastmail.

http://www.emaildiscussions.com/showthread.php?t=50792

Philipp Lenssen [PersonRank 10]

16 years ago #

[technical side-note: the time stamp for this post is false, because I created this a while ago but did the final edits this morning, which was when I posted. So the publication date should be Friday not Thursday, but I'll leave as is due to the permalink including the date...]

Clint Moore [PersonRank 0]

16 years ago #

Poor thing. He didn't get fast enough customer service from a company that provides him "my Gmail, [my] calendar, my bookmarks, Picasa, my blog, and with Google Checkout." for free? That's gotta be rough.

David T [PersonRank 7]

16 years ago #

Interesting article thanks Philipp. I find it particularly interesting as within this month I just moved from Fastmail to Google Apps Gmail.

I can honestly say that Fastmail's support is amazing, contrary to what David said above. During my 3 years with Fastmail with an advanced subscription they always responded quickly and politely, happy to resolve problems I created, such as accidentally deleting a whole folder! lol! They just restored it for me within an hour or two of contacting them!

The big issue I have with Google is support, let's be honest, they don't seem to care about personal support and certainly versus a relatively small company like fastmail, they can't at the moment compete.

I moved over to Gmail for financial reasons. Although fastmail was only $40 a year, it was $40 I couldn't afford... And with Google offering IMAP support and domain hosting, I figured I could improve my webmail interface as well as save a few dollars.

If that case had happened to me that you wrote about Philipp, I could have just changed my MX records with my host, paid the $40 for fastmail, and pointed my MX records for my domain back to fastmail... As I use IMAP and thunderbird, all my mails are backed up, so actually I would have only lost a few days emails... So my email situation wouldn't have been too bad, and thankfully I'm not a blogspot user...

Let's be honest, it is scary how much power Google have over us as their users. I suppose we all need to have a solution of how to avoid getting screwed by them if one day something goes wrong.

David T [PersonRank 7]

16 years ago #

Clint, you seem to forget how much Google profit from us as users using their services! It's their business plan: they provide tools for free because through their advertising on those services we use, like GMAIL they generate money! It's not out of the goodness of their own hearts....

Crash [PersonRank 1]

16 years ago #

True. Everyone needs to think. Eggs in one basket. Are we ready for whatever happens henceforth?

David [PersonRank 0]

16 years ago #

David T, as a Fastmail customer myself 'I can honestly say' that you were one of the lucky ones. Yes, support *used* to be great (I've had to use it myself on occasion and replies were prompt) but it appears that – as a relatively small company – Fastmail is running low on resources/man-hours resulting in customers being let down. As these are *paying* customers that is inexcusable IMO.

Like you, I'm moving away from Fastmail – partly for financial reasons and partly because the line has been blurred enough for me to find the features I need in Gmail. YMMV.

Best,
David

Reto Meier [PersonRank 10]

16 years ago #

The way I see it, the big problem is that there's no easy, definitive way for me to prove to a person at Google, on the phone, that I am me.

I should have the option to register a bunch of personal information with Google for the specific purpose of later verifying my identity. It should be opt-in, but for many of us that use Google services professionally I'm happy to tell them whatever they need for me to confirm my identity later.

Then, if I can't get in to my account there should be a number I can call that will let me speak to a person, confirm my identity, and reset my password.

The current scenario is unworkable, and a remnant from when no one used web services for anything serious. Google changed that. Now Google needs to deal with the implications.

Philipp Lenssen [PersonRank 10]

16 years ago #

> True. Everyone needs to think. Eggs in one basket.

I once asked security expert Bruce Schneier if he thought "diversifying" your services would be more safe or not (full question: "People using online apps have the chance to either go for *1* service maker (say, Google) to host *all* of their data. Or they can diversify and use *several* service makers to host *a part* of their data each. In both cases in this hypothetical example, the user stores all of their secret data online. Considering that account credentials can be stolen through web application bugs and such, how would you evaluate the two "risk zones"... what are the pros and cons?")

His answer:

"I think the difference is in the noise, and it doesn't really matter."

chipseo [PersonRank 1]

16 years ago #

I am not sure if a paid service would help him any more than Google. Just because it is free doesn't mean they don't care anything about it, or want to resolve the issue, but I would say it is better to do something ahead of time.

I have a backup account for each one of my google accounts in case such an event happens. I would suggest it if you don't have one. Scott

Reto Meier [PersonRank 10]

16 years ago #

Losing the data is bad. Someone else having 7 years worth of your email is significantly worse. Especially when you've got password confirmation emails from other services, bank statements etc.

Backups don't help there.

Octavee [PersonRank 1]

16 years ago #

Like Reto Meier said, there should be a procedure in cases like this which protects or restores the identity when needed. One thing of course is having a more secure password to begin with. But an emergency system to block and later restore the account access would be handy.

E. [PersonRank 1]

16 years ago #

I did have a very secure password: a randomly generated set of 20 characters, consisting of numbers & letters.
I never clicked on the link in the e-mail from Google, but from my own research (headers, etc...), the e-mail was indeed from Google.
My being locked out of the account was after I sent the "lost password" e-mail to their abuse & phishing e-mail addresses respectively, and asked them what was going on.
Was I hacked? Was it a tech error? I will never know, unless I want to hire a lawyer, and get a subpoena.

E. [PersonRank 1]

16 years ago #

What disappoints me the most, was that I was such a big Google proponent. I used Google for everything, all of their services, and apps.
I recommended them to everyone: family, friends, co-workers, etc.... .
I had a secret wish to work for Google at one time.
What did this loyalty bring me?
As I said, I do realize I was at fault, in that I put all of my eggs in one basket, relying solely on Google.
You get what you pay for when it is free, even though you are viewing the advertisements.
I have learned my lesson, and I hope it will help other people be more cautious.
I have no idea if Fastmail was the best choice I could make, but compared to the choices I made in the past, it was better one.

David T [PersonRank 7]

16 years ago #

E. I don't think you'll regret moving over to Fastmail. I wish you all the best with the move and thank you for sharing your story with us all, it's a bit of a wakeup call.

D'Hoffryn [PersonRank 0]

16 years ago #

Fastmail Rocks!

I have been with Fastmail for years, and have *always* received a fast and effective response and solution from support there.

Bart [PersonRank 0]

16 years ago #

Me too...I check my fastmail account more often than my Gmail account.

More importantly, Fastmail has this amazing feature: If you mis-type a password (or if someone tries a brute-force) then, the next time you login, the time-stamp of the invalid login is displayed. I am sure, the poor user in the post would have easily known if someone was indeed hacking his/her account – of course, assuming that the hacker had to try more than once! ;)

Another neat feature, I like in Fastmail is their "Bounce" Mail feature....Go check it out!

I have to stop now...before I sound like a Fastmail employee...but well, I am not! I have been an avid *FREE* Fastmail user for the past seven years!

ps: I wish they would move over to ajax and call themselves fastermail! :)

David T [PersonRank 7]

16 years ago #

Yeah Bart, the bounce mail feature of fastmail is great, I miss that now on Gmail... Also the fact you can send from any address on fastmail is sweet too! All this talk of fastmail is making me wanna return! lol!

Marcin Sochacki (Wanted) [PersonRank 10]

16 years ago #

@E.:
First of all, let's state that anyone can generate a legitimate "lost password" e-mail from Google provided they know your Gmail address. Knowing that, a possible scenario about how your account was hacked could be the following.

An attacker knows both your e-mail addresses: at Gmail and the secondary one. He gets control over the second account in some way, but realizes that you use Google account as the primary one. So he goes to gmail.com, sends the lost password recovery e-mail in your name, reads your secondary inbox and resets your Gmail password.

Of course that's only my theory, but I would recommend checking your secondary account security.

On a side note, I find it difficult to believe that you actually used a 20 character long random password and typed it every single time when you logged in.

orhan [PersonRank 1]

16 years ago #

This issue has been on my head nowadays. I've put all my eggs in google basket. What if one day that basket falls? Do I have to back up my data somewhere always? Isn't it Google's responsibility to protect my data? See, Google is a "company" that lives by online customers. And web companies do look like banks. One is storing our money, the other is storing our data. So, web companies must act like banks in security issues. As being online every time, they are open to security attacks every second.

One solution may be mobile phone alerts/notifications/support as mobile phones are ubiquitous. Whatever. I think this is the main issue waiting for Google (and other web companies) to ponder and solve on next years. And this must be an international solution as I am a customer outside the U.S.

Claire [PersonRank 0]

16 years ago #

Exact same thing happened to me earlier this month. My Gmail (and eBay) accounts got hacked by some guy in China, and while it took eBay 5 minutes to fix everything, Google took a week .. but I got my accounts back. Luckily all my emails were still there and I don't think the hacker did anything with my important info ... and while I'm still using Gmail, it's now through POP with Thunderbird, so at least I have copies of everything should something go wrong in the future.

E. [PersonRank 1]

16 years ago #

As I said. I never clicked on the link in that "lost password" e-mail. I simply forwarded it to Gmail (abuse & phishing) from the Gmail account in question.
Second: I never lost control of my secondary account. It was Yahoo, and I set up a pin #, security question, and answer, etc... . As soon as I saw that I had problems with Gmail, I changed the password at the secondary e-mail immediately.
Third: I used a password generator for my password, I then stored it in an encrypted file on my PC, which I then did a copy & paste when I needed to log-in to my account.
Before using the 20 random character password, I had a 16 random character password, which I remembered by rote, because I typed it in so often. Sorry if that is hard to believe.

E. [PersonRank 1]

16 years ago #

P.S.
I am not surprised that some will eventually blame the user.
Ever read the book: "Why Software Sucks"?, or visited security guru Steve Gibson's site? It's not always the user's fault. Although granted, there are some that are not vigilant at all.
I'll add that my PC has plenty of security on it: Comodo Firewall, Avast Anti-Virus, Windows Defender, Comodo BoClean, Spybot Search & Destroy Resident Shield.
I run scans with AdAware, Spybot S&D, A-Squared Free, CureIt, Clamwin A/V, etc... .
I have been a strong believer in the motto: "It pays to be paranoid.".

E. [PersonRank 1]

16 years ago #

Here is a link to an article about (from the page): "Software designed to exploit the much lauded Gmail service has been released this week. Aptly named "Gmail Hack" the software performs Dictionary and Brute Force Attacks against a GMail email account.

The software is a windows based application that requires no technical knowledge to use. The only information you need to be able to crack a users account is their username (the first part of their @gmail.com address)."

Gmail Expolit – Google email being hacked?
http://www.webpronews.com/enterprise/enterpriseonline/wpn-13-20040809GmailExpolitGoogleemailbeinghacked.html

Yes, this is an older story, but: "as the representative of AusPhreak said "we will try and get around any future security they put in place" ".

[Formatting fixed – Tony]

Sylvain [PersonRank 1]

16 years ago #

Mr David T sounds like he is on Fastmail's payroll
what's all this nonsense about leaving Fastmail for Gmail because "i can't afford to pay 40$ per year anymore" only to end up trashing Gmail while lauding Fastmail – why did you move over in the first place then?
Fastmail needs to be a bit more subtle when trying to spike blogs such as this one with their viral marketing...

E. [PersonRank 1]

16 years ago #

Viral marketing? Spiking blogs?
Sorry, but it was I who brought Fastmail up in the first place.
Because I was looking for a better alternative to Gmail after what I had gone through, I needed customer service, and tech support (which I wasn't getting from Gmail).
If you need to blame someone for bringing Fastmail up, then blame me.
I can't afford the $40.00 either, but I felt it was a small price to pay.

Marcin Sochacki (Wanted) [PersonRank 10]

16 years ago #

@E.
Regarding Gmail Hack, if all that it did was a brute force password guessing, it should rather be called Gmail Crack. I suppose it used to work because in the early days of Gmail (2004) they didn't have the login rate limiting.

The software is irrelevant now, because when you use a bad password a few times you have to solve a CAPTCHA, hence it can't be (that easily) automated.

I'm not trying to blame you, but rather trying to find a plausible method they could have used. Gmail vulnerability (which Google could have silently fixed thanks to this hack) is one of the possibilities, but others exist too. It is clear from what you say that you are cautious and paranoid, so the security of your machine was likely not compromised. In that case another weak point, besides hacking the Yahoo account, is the sniffing attack – SSL is actually only used when you log in to both webmails, but actual content of e-mails travels unencrypted by default.

Someone between you and the ISP, or at the ISP itself could easily perform this kind of attack.
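The two defensive mechanisms mentioned in this thread, Fastmail showing the timestamps of failed logins at the next successful login (Bart's post) and Gmail demanding a CAPTCHA after a few bad passwords so that dictionary tools such as "Gmail Hack" cannot simply loop (Marcin's post), can be sketched together. The following is an added example written for this page; it is not code from Gmail or Fastmail, and the threshold, window length, `LoginGuard` class and injected clock are assumptions made for the example.

```python
"""Failed-login bookkeeping (added example, not Gmail's or Fastmail's code).

Two things happen here:
  * every bad password is recorded with a timestamp, and the list is handed
    back to the user at their next successful login (the Fastmail feature);
  * once MAX_FAILURES bad attempts fall inside a sliding window, even a correct
    password is refused until a CAPTCHA (or other out-of-band check) is solved,
    which is what stops unattended guessing (the Gmail behaviour Marcin notes).
The clock is injected so the behaviour can be exercised deterministically.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_FAILURES = 5          # bad attempts before a CAPTCHA is required (constructed value)
WINDOW_SECONDS = 15 * 60  # sliding window for counting them (constructed value)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # timestamps of bad attempts since the last successful login
    failed_at: List[float] = field(default_factory=list)
    last_login: Optional[float] = None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked store does not yield the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


class LoginGuard:
    def __init__(self, accounts: List[Account], now: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}
        self.now = now

    def recent_failures(self, acct: Account) -> int:
        cutoff = self.now() - WINDOW_SECONDS
        return sum(1 for t in acct.failed_at if t >= cutoff)

    def attempt(self, username: str, password: str, captcha_solved: bool = False) -> dict:
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password, so the response does not reveal
            # whether the username exists.
            return {"ok": False, "reason": "bad_credentials"}
        if self.recent_failures(acct) >= MAX_FAILURES and not captcha_solved:
            # Refuse before checking the password: a guessing loop learns nothing
            # further until a human solves the challenge.
            return {"ok": False, "reason": "captcha_required"}
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_at.append(self.now())
            return {"ok": False, "reason": "bad_credentials"}
        # Successful login: report every failure since the last success, then
        # start a fresh record.
        report = list(acct.failed_at)
        acct.failed_at.clear()
        acct.last_login = self.now()
        return {"ok": True, "failed_attempts_since_last_login": report}


if __name__ == "__main__":
    guard = LoginGuard([create_account("e", "correct horse battery")])
    guard.attempt("e", "wrong guess")
    print(guard.attempt("e", "correct horse battery"))
```

The report list is deliberately kept separately from the sliding-window count: old failures stop counting toward the CAPTCHA threshold after the window passes, but they are still shown to the user at the next login, which is the part that would have told E. that someone was trying the account.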

Ken [PersonRank 0]

16 years ago #

Uh, I'm guessing people are bringing up Fastmail because they think it's a pretty good e-mail service. I read through this and didn't post, but after the typical "...sounds like he is on Fastmail's payroll" post, I wanted to post here. I think people are posting here because they use Fastmail and think it's a premium e-mail service that might be a good alternative to gmail.

I've used Fastmail for around 3 years now and my experience has been that it's a top notch service. It's not perfect, or at least it hasn't been in the past, but it's always been very good. Frankly, one of the reasons that I didn't mind paying for an e-mail service when everyone else was using free services, was that I've always found Fastmail's Customer service to be outstanding. People should get used to reading posts in which people talk about alternative services, it's called the internet, and it's a big world out there with lots of divergent ideas. Gmail is a nice service and I may even switch to it because it's free, but if you want a good pay-email service, you probably can't go wrong with fastmail.

bram [PersonRank 1]

16 years ago #

But it is so easy. Just forward all mail you receive in your Gmail account to another account, e.g. Livemail

NRP [PersonRank 0]

16 years ago #

I have google apps with my own domain listed. Some family members use that to read their emails.
I forward all messages to my fastmail account and reply using a personality.
SPF records on DNS allow my domain to send mail via Gmail or Fastmail, so everything works.
For me, the key thing is IMAP. Gmail's implementation is not complete and still has some flaws.
Fastmail is just perfect in this regard.

mrbene [PersonRank 10]

16 years ago #

Marcin, E.

It is theoretically possible that the method in which the "change password" email link is created was compromised. This link is automatically generated by a specific algorithm, so that it can be recognized when you click on the link.

If a 3rd party has discovered or acquired the algorithm, random key, and additional salts to the process, any Gmail account would be accessible, with the exact experience that you had.

This type of vulnerability could be addressed if user-provided information were included as a salt to the generation of password-reset link, creating not only a unique link for each recovery request, but also a unique generation process for each user.

/mrbene.
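mrbene's worry is a reset link computed by a deterministic algorithm from a server-wide secret: once that secret leaks, a link can be minted for any account. The added example below (written for this page, not Google's code) contrasts that pattern with a design in which the link carries nothing derivable: a fresh random token, stored server-side only as a digest, bound to one account, expiring, and usable once. The `ResetService` class, the `example.invalid` URL, the one-hour lifetime and the injected clock are all assumptions of the example.

```python
"""Password-reset link design (added example, not Google's implementation).

weak_token() shows the shape mrbene describes: output is a pure function of a
server-wide secret plus public inputs, so anyone holding the secret can
reproduce a valid link for every account.  ResetService shows the alternative:
the link is random, the server keeps only a hash of it, and redemption checks
account binding, expiry and single use.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL = 60 * 60  # reset links live for one hour (constructed value)


def weak_token(account: str, issued_at: int, server_secret: bytes) -> str:
    """Deterministic token: account and time are guessable, so the secret is
    the only protection, and it is shared by every account."""
    material = server_secret + account.encode() + str(issued_at).encode()
    return hashlib.sha256(material).hexdigest()


@dataclass
class ResetRecord:
    account: str
    token_digest: bytes
    expires: float
    used: bool = False


class ResetService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        # keyed by digest, so a copy of the store does not yield usable links
        self.records: Dict[bytes, ResetRecord] = {}

    @staticmethod
    def _digest(token: bytes) -> bytes:
        return hashlib.sha256(token).digest()

    def issue(self, account: str) -> str:
        # 256 bits from the OS CSPRNG: not a function of the account name, the
        # request time, or any server constant, so there is no algorithm to leak.
        token = os.urandom(32)
        rec = ResetRecord(account, self._digest(token), self.now() + TOKEN_TTL)
        self.records[rec.token_digest] = rec
        return "https://example.invalid/reset?account=%s&token=%s" % (account, token.hex())

    def redeem(self, account: str, token_hex: str) -> Optional[str]:
        """Return the account whose password may now be set, or None."""
        try:
            token = bytes.fromhex(token_hex)
        except ValueError:
            return None
        rec = self.records.get(self._digest(token))
        if rec is None or rec.used or self.now() > rec.expires:
            return None
        # Binding check: a token issued for one account must not reset another,
        # even if the caller rewrites the account parameter in the link.
        if not hmac.compare_digest(rec.account.encode(), account.encode()):
            return None
        rec.used = True  # single use: replaying the same link fails
        return rec.account


if __name__ == "__main__":
    svc = ResetService()
    link = svc.issue("e")
    print(link)
    print(svc.redeem("e", link.split("token=")[1]))  # the account, once
```

Binding the record to the account and marking it used on first redemption is what gives each recovery request its own unique, unrepeatable link; a leaked server secret gains an attacker nothing because no secret participates in generating the token.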

Rotten Turkey [PersonRank 0]

16 years ago #

Well, I was hacked on Nov 21, and I'm still sitting in silence. Nothing from Google. Nothing. Zip. They are sleeping off too much turkey. I had all my docs, email, web page, Amazon store, blog...and Picasa pictures on this account. The gist of the support on the Google blogs was it's my fault for not using a good password. So... Google makes billions off us "lab rats" and this is what we get. Nothing. At the least the account should lock down if someone fills out a complaint form. But Google protects the criminals over the users. It's a mess and I am so sorry for anyone who is where I am--hell.

E. [PersonRank 1]

16 years ago #

The only other time I was not logging into secure gmail (https), was when my dial-up connection was especially slow. Then I'd use http://m.gmail.com .

I still think it was hacked via another method, or here's this possibility: Google/Gmail locked the account down after I forwarded to them that e-mail, which maybe they shouldn't have done (and they didn't want to admit their mistake).

But there were some clues that led me to believe it was hacked:
After my account was reset, my e-mail settings for forwarding were set to this:
forwardingisdisabled@gmail.com (there may have been dots between each word, I forgot to copy it down).
Also, when I went into my account settings, I discovered this:
   Tom (nickname)
   Zip code: 10001

I welcome an investigation into this by the top brass of GMail. If they want copies of everything, and the full story of what happened, please let me know.

js0n [PersonRank 1]

16 years ago #

Sorry! but he should be thankful that Google reset his password. I find it surprising that policy allows such action.

Andy Wong [PersonRank 10]

16 years ago #

How typical!

Google Services are so good and powerful, we can hardly resist the temptation of putting all eggs into one basket, at our own conveniences, and at our own risks.

I do think Google can do better if she wants. I had sent a suggestion to Google with content of this blog.

http://webandlife.blogspot.com/2007/11/how-to-recover-stolen-google-account.html

Marcin Sochacki (Wanted) [PersonRank 10]

16 years ago #

@E.:
> The only other time I was not logging into secure gmail (https),
> was when my dial-up connection was especially slow.

I meant the connection *after* you sign up. It is unencrypted by default, in Gmail and Yahoo (you can manually change the URL in Gmail to https later, but few people know about that. Don't know if that trick works for Yahoo webmail too.).

The scenario I had on my mind goes like this:
- they somehow were able to read your mail from Yahoo, e.g. via sniffing,
- they wanted to get the Gmail account, so they went to the "lost password" page and requested the reminder to be sent to the secondary account,
- now they wait for you to read your mail,
- once you see it, they get it too (sniffing plain HTTP),
- you send the suspicious mail to Google, but in the meantime they click the link in your mail and get hold of your account,
- they change account info and you manage to see it for a while,
- then they change the password and you're locked out.

I realize this is one of the possible theories. Discovery of lost password URL generation, as mrbene mentioned, is plausible too. The correlation between receiving the lost password e-mail and account takeover doesn't seem accidental.

David [PersonRank 0]

16 years ago #

And the Fastmail fanboys have flooded ANOTHER discussion.

David T [PersonRank 7]

16 years ago #

This has been an interesting discussion...

Sylvain, let me just clarify what I said, I just LEFT fastmail!!!!!! You think I'm on the fastmail payroll, LOL, you're wrong.

All this nonsense about not being able to afford $40 p/a might seem stupid, but as a student who just got married I've had to cut back as much as possible... So I changed host from Surftown to Hostmonster and changed my mail from Fastmail.

The point has never been whether Fastmail is perfect, but just that it is a good alternative to Google for email. I honestly don't think I'll ever go back to fastmail as I like Google webmail interface more than fastmail, however, if I could have afforded to, I would have stayed with fastmail.

Nevertheless, for those looking for an alternative to Gmail, I would def recommend fastmail.

"Fastmail needs to be a bit more subtle when trying to spike blogs such as this one with their viral marketing..." This is rubbish!!!!!!!!!!!!! I'm not a Google spike, I've been reading this blog for several years now, and deserve to be respected like any other person posting without being labeled a spike thank you very much!!!! The IP logs that Philipp has access to can verify that, so give me a break please Sylvain.

e. [PersonRank 1]

16 years ago #

http://www.davidairey.com/google-gmail-security-hijack/
