FlyerTalk Forums (https://www.flyertalk.com/forum/index.php) > Travel Technology (https://www.flyertalk.com/forum/travel-technology-169/) > Hacking warning from Gmail (https://www.flyertalk.com/forum/travel-technology/1338690-hacking-warning-gmail.html)

PTravel Apr 22, 2012 3:00 pm

Hacking warning from Gmail
 
I usually access gmail through Outlook but, last night, I had occasion to check the web interface to gmail. Plastered across the top of the page in red was something along the lines of, "Warning: Someone accessed your account from Latvia" (or something like that). I did a quick google search and found out that the warning was legitimately from Google. I went back, clicked on it and, sure enough, it took me to a page that, accurately, displayed the IP addresses which had accessed my gmail account (including via Outlook), with one address in the middle that showed access from an IP in Latvia several days ago. The page recommended immediately changing my password, which I did.

So, if you're like me and just access gmail from a client, it would behoove you to check the web interface from time to time. I'm also not sure why Google couldn't have sent me an email about the hacking, but I'm glad, at least, that they are keeping a sufficiently close eye on things to recognize when an access occurs that's out of the norm.

fs2k2isfun Apr 22, 2012 3:08 pm

I suggest using Google's 2-step verification. I have the Authenticator app on my phone and whenever I log in from a new computer, I need my regular password plus the current code from the app which changes every few seconds.
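The "code from the app that changes every few seconds" is a TOTP (RFC 6238 on top of RFC 4226 HOTP). The example below is added here and is not code from the thread or from Google; it uses the RFC 6238 reference key, and the one-step-either-side tolerance and single-use policy in the verifier are assumptions, not Google's published rules.

```python
"""TOTP as used by authenticator apps: HMAC-SHA1 over a 30-second time
counter, dynamically truncated to a 6-digit code (RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference key (ASCII "12345678901234567890"). A real secret is
# random; it is shown to the user base32-encoded (e.g. in a QR code).
TEST_KEY = b"12345678901234567890"
TEST_KEY_B32 = base64.b32encode(TEST_KEY).decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(key, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server side (assumed policy): accept a code within +/-window steps to
    allow clock drift, but never accept a time step that was already used,
    so a code observed once cannot be replayed."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step, self.window = step, window
        self.last_counter: dict[str, int] = {}

    def verify(self, user: str, key: bytes, code: str, now: int) -> bool:
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter.get(user, -1):
                continue  # this step, or an older one, was already consumed
            if hmac.compare_digest(hotp(key, counter), code):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    print(TEST_KEY_B32, totp(TEST_KEY, 59))  # secret as the app sees it, code at T=59
```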

dtsm Apr 22, 2012 3:11 pm

Google 'James Fallow Atlantic Monthly'; his wife's gmail account got hacked, etc. Anyway, ever since then I've used the two step verification process for all my gmail accounts. It's a pain in the butt if I access from other than my own computers but well worth the extra hassle to be security conscious!

gfunkdave Apr 22, 2012 5:19 pm

+1 on two step verification. It should be mandatory for all users.

Also check out LastPass. I use it to create random 12-30 character passwords for every site.

willyroo Apr 22, 2012 5:49 pm


Originally Posted by fs2k2isfun (Post 18441725)
I suggest using Google's 2-step verification.

Absolutely. And thank you to the OP for the reminder.

Jimmie76 Apr 22, 2012 7:57 pm

I only use GMail for Newsletters, forums (although not FT), competitions etc. but I have just changed my password on the basis that it can't hurt. Thanks for the info.

aschuett Apr 22, 2012 9:15 pm


Originally Posted by fs2k2isfun (Post 18441725)
I suggest using Google's 2-step verification.

+1 for sure

I work in IT for a living, and am very attentive to my passwords and keeping them random and secure. I use 1Password (similar to Last Pass) for password management, but still my Gmail account got hacked in a similar way. My password was just random characters, so no possibility for dictionary attacks.

After finding out about 2 step verification, I do have to ask myself why it's not required. The Android app makes it easy to verify any new machine. When I have to fire up the app, I do get annoyed for a moment, but then I am reminded of the embarrassment of my entire contact list getting emails about viagra or whatever it was.

Here's info on how 2 step authentication works:
http://support.google.com/accounts/b...&answer=180744

And here is a handy checklist to make sure you're secure:
https://support.google.com/mail/bin/...t.cs&tab=29488

nerd Apr 22, 2012 9:28 pm


Originally Posted by aschuett (Post 18443158)
I work in IT for a living, and am very attentive to my passwords and keeping them random and secure. I use 1Password (similar to Last Pass) for password management, but still my Gmail account got hacked in a similar way. My password was just random characters, so no possibility for dictionary attacks.

So if a dictionary attack was not the mechanism, what was?

You're in IT and maybe can explain these things better. Would it mean that someone was intercepting traffic somewhere and watching your login credentials fly by? Or someone was able to access your account info from a leak on Google's end?

Loren Pechtel Apr 22, 2012 9:59 pm


Originally Posted by gfunkdave (Post 18442268)
+1 on two step verification. It should be mandatory for all users.

Also check out LastPass. I use it to create random 12-30 character passwords for every site.

And what if you don't have a smartphone?

devans999 Apr 22, 2012 11:11 pm


Originally Posted by Loren Pechtel (Post 18443292)
And what if you don't have a smartphone?

They can send you a code via text message. You can also print off 1 time use passwords in advance if you are somewhere without your phone.

gfunkdave Apr 23, 2012 6:42 am


Originally Posted by nerd (Post 18443212)
So if a dictionary attack was not the mechanism, what was?

You're in IT and maybe can explain these things better. Would it mean that someone was intercepting traffic somewhere and watching your login credentials fly by? Or someone was able to access your account info from a leak on Google's end?

Could be a bunch of things. Key logger, perhaps. Or a brute force attack, which could work against a shorter, simpler password. It's possible but doubtful that someone broke into a server at Google and stole an encrypted password file for a bunch of users. It's probably not likely that someone sniffed the packets at login, since Google encrypts signon by default. But it may be possible that the OP wasn't using an SSL connection for the entire mail session (just the login), which let someone sniff the session cookies and log in as him.

cordelli Apr 23, 2012 7:31 am


Originally Posted by Loren Pechtel (Post 18443292)
And what if you don't have a smartphone?

They can implement it like some banks have, where they e-mail, text or do a voice call to a verified number/email they have for you that you have to use to get access from a new machine.

Before you can access your account from a new device, no matter what the device, the first time, you have to enter the passcode they sent.

aschuett Apr 23, 2012 8:32 am


Originally Posted by nerd (Post 18443212)
So if a dictionary attack was not the mechanism, what was?

You're in IT and maybe can explain these things better. Would it mean that someone was intercepting traffic somewhere and watching your login credentials fly by? Or someone was able to access your account info from a leak on Google's end?

In my case, I would assume a brute-force attack, but it's hard to imagine Google doesn't have protections in place against that. I do force https, so it's hard to know. Maybe I used a friend's computer that had malware or keylogger or something. To be honest, the only way to be completely safe is to not use email. ;-)

jsnydcsa Apr 23, 2012 10:48 am


Originally Posted by PTravel (Post 18441688)
So, if you're like me and just access gmail from a client, it would behoove you to check the web interface from time to time. I'm also not sure why Google couldn't have sent me an email about the hacking, but I'm glad, at least, that they are keeping a sufficiently close eye on things to recognize when an access occurs that's out of the norm.

I "manage" my parents' (senior citizens both) computer setups/gMail and each has had Outlook "fail" on them and either get some sort of error that Outlook can not access gMail or requiring them to re-enter their gMail passwords. While diagnosing the first occurrence - which involved, in substance, "Dad, you mis-entered the password" accusations and denials back and forth - I logged into his account via gMail's web interface and saw the warning. Password changed (via the web interface) and then updated in Outlook and no problems thereafter.

So, while there isn't an explicit warning (which would be nice), in their cases, there was something ("Outlook is broken") that tipped them off to a problem.

Re: 2 Step
Neither have SmartPhones and only one has an emergency only mobile phone. So, 2 step is not a realistic option. But, Google's Application Specific Passwords is a good option.
See,
https://support.google.com/accounts/...6283&ctx=topic
But, I've got to admit that given the complexity (and having to set it up remotely - and hence logging into their gMail accounts from a "new" computer far from their physical location - which could trigger Google's alarms), I approach this option with a bit of caution.

dtsm Apr 24, 2012 7:52 am


Originally Posted by jsnydcsa (Post 18446129)
Re: 2 Step
Neither have SmartPhones and only one has an emergency only mobile phone. So, 2 step is not a realistic option.

Keep in mind 2 step is good for 30 days per individual computer. And you don't need a smartphone. You can also print out a set of verification codes [they come in packets of 10 sets]. I do this as a backup and store them in 1Password plus Dropbox. That way, if I am at a remote site or overseas, I can still access.
