FlyerTalk Forums


PTravel Apr 22, 2012 3:00 pm

Hacking warning from Gmail
 
I usually access gmail through Outlook but, last night, I had occasion to check the web interface to gmail. Plastered across the top of the page in red was something along the lines of, "Warning: Someone accessed your account from Latvia" (or something like that). I did a quick google search and found out that the warning was legitimately from Google. I went back, clicked on it and, sure enough, it took me to a page that, accurately, displayed the IP addresses which had accessed my gmail account (including via Outlook), with one address in the middle that showed access from an IP in Latvia several days ago. The page recommended immediately changing my password, which I did.

So, if you're like me and just access gmail from a client, it would behoove you to check the web interface from time to time. I'm also not sure why Google couldn't have sent me an email about the hacking, but I'm glad, at least, that they are keeping a sufficiently close eye on things to recognize when an access occurs that's out of the norm.

fs2k2isfun Apr 22, 2012 3:08 pm

I suggest using Google's 2-step verification. I have the Authenticator app on my phone and whenever I log in from a new computer, I need my regular password plus the current code from the app which changes every few seconds.

dtsm Apr 22, 2012 3:11 pm

Google 'James Fallow Atlantic Monthly'; his wife's gmail account got hacked, etc. Anyway, ever since then I've used the two step verification process for all my gmail accounts. It's a pain in the butt if I access from other than my own computers but well worth the extra hassle to be security conscious!

gfunkdave Apr 22, 2012 5:19 pm

+1 on two step verification. It should be mandatory for all users.

Also check out LastPass. I use it to create random 12-30 character passwords for every site.

willyroo Apr 22, 2012 5:49 pm


Originally Posted by fs2k2isfun (Post 18441725)
I suggest using Google's 2-step verification.

Absolutely. And thank you to the OP for the reminder.

Jimmie76 Apr 22, 2012 7:57 pm

I only use GMail for Newsletters, forums (although not FT), competitions etc. but I have just changed my password on the basis that it can't hurt. Thanks for the info.

aschuett Apr 22, 2012 9:15 pm


Originally Posted by fs2k2isfun (Post 18441725)
I suggest using Google's 2-step verification.

+1 for sure

I work in IT for a living, and am very attentive to my passwords and keeping them random and secure. I use 1Password (similar to Last Pass) for password management, but still my Gmail account got hacked in a similar way. My password was just random characters, so no possibility for dictionary attacks.

After finding out about 2 step verification, I do have to ask myself why it's not required. The Android app makes it easy to verify any new machine. When I have to fire up the app, I do get annoyed for a moment, but then I am reminded of the embarrassment of my entire contact list getting emails about viagra or whatever it was.

Here's info on how 2 step authentication works:
http://support.google.com/accounts/b...&answer=180744

And here is a handy checklist to make sure you're secure:
https://support.google.com/mail/bin/...t.cs&tab=29488

nerd Apr 22, 2012 9:28 pm


Originally Posted by aschuett (Post 18443158)
I work in IT for a living, and am very attentive to my passwords and keeping them random and secure. I use 1Password (similar to Last Pass) for password management, but still my Gmail account got hacked in a similar way. My password was just random characters, so no possibility for dictionary attacks.

So if a dictionary attack was not the mechanism, what was?

You're in IT and maybe can explain these things better. Would it mean that someone was intercepting traffic somewhere and watching your login credentials fly by? Or someone was able to access your account info from a leak on Google's end?

Loren Pechtel Apr 22, 2012 9:59 pm


Originally Posted by gfunkdave (Post 18442268)
+1 on two step verification. It should be mandatory for all users.

Also check out LastPass. I use it to create random 12-30 character passwords for every site.

And what if you don't have a smartphone?

devans999 Apr 22, 2012 11:11 pm


Originally Posted by Loren Pechtel (Post 18443292)
And what if you don't have a smartphone?

They can send you a code via text message. You can also print off 1 time use passwords in advance if you are somewhere without your phone.

gfunkdave Apr 23, 2012 6:42 am


Originally Posted by nerd (Post 18443212)
So if a dictionary attack was not the mechanism, what was?

You're in IT and maybe can explain these things better. Would it mean that someone was intercepting traffic somewhere and watching your login credentials fly by? Or someone was able to access your account info from a leak on Google's end?

Could be a bunch of things. Key logger, perhaps. Or a brute force attack, which could work against a shorter, simpler password. It's possible but doubtful that someone broke into a server at Google and stole an encrypted password file for a bunch of users. It's probably not likely that someone sniffed the packets at login, since Google encrypts signon by default. But it may be possible that the OP wasn't using an SSL connection for the entire mail session (just the login), which let someone sniff the session cookies and log in as him.

cordelli Apr 23, 2012 7:31 am


Originally Posted by Loren Pechtel (Post 18443292)
And what if you don't have a smartphone?


They can implement it like some banks have, where they e-mail, text or do a voice call to a verified number/email they have for you that you have to use to get access from a new machine.

Before you can access your account from a new device, no matter what the device, the first time, you have to enter the passcode they sent.

aschuett Apr 23, 2012 8:32 am


Originally Posted by nerd (Post 18443212)
So if a dictionary attack was not the mechanism, what was?

You're in IT and maybe can explain these things better. Would it mean that someone was intercepting traffic somewhere and watching your login credentials fly by? Or someone was able to access your account info from a leak on Google's end?

In my case, I would assume a brute-force attack, but it's hard to imagine Google doesn't have protections in place against that. I do force https, so it's hard to know. Maybe I used a friend's computer that had malware or keylogger or something. To be honest, the only way to be completely safe is to not use email. ;-)

jsnydcsa Apr 23, 2012 10:48 am


Originally Posted by PTravel (Post 18441688)
So, if you're like me and just access gmail from a client, it would behoove you to check the web interface from time to time. I'm also not sure why Google couldn't have sent me an email about the hacking, but I'm glad, at least, that they are keeping a sufficiently close eye on things to recognize when an access occurs that's out of the norm.

I "manage" my parents' (senior citizens both) computer setups/gMail and each has had Outlook "fail" on them and either get some sort of error that Outlook can not access gMail or requiring them to re-enter their gMail passwords. While diagnosing the first occurrence - which was involved in substance "Dad, you mis-entered the password" accusations and denials back and forth - I logged into his account via gMail's web interface and saw the warning. Password changed (via the web interface) and then updated in Outlook and no problems thereafter.

So, while there isn't an explicit warning (which would be nice), in their cases, there was something ("Outlook is broken") that tipped them off to a problem.

Re: 2 Step
Neither have SmartPhones and only one has an emergency only mobile phone. So, 2 step is not a realistic option. But, Google's Application Specific Passwords is a good option.
See,
https://support.google.com/accounts/...6283&ctx=topic
But, I've got to admit that given the complexity (and having to set it up remotely - and hence logging into their gMail accounts from a "new" computer far from their physical location - which could trigger Google's alarms), I approach this option with a bit of caution.

dtsm Apr 24, 2012 7:52 am


Originally Posted by jsnydcsa (Post 18446129)
Re: 2 Step
Neither have SmartPhones and only one has an emergency only mobile phone. So, 2 step is not a realistic option.

Keep in mind 2 step good for 30 days per individual computer. And you don't need smartphone. You can also print out a set of verification codes [they come in packets of 10 sets]. I do this as a backup and store in 1Password plus Dropbox. That way, if I am in remote site or overseas, can still access.

jsnydcsa Apr 24, 2012 9:30 am


Originally Posted by dtsm (Post 18451760)
Keep in mind 2 step good for 30 days per individual computer. And you don't need smartphone. You can also print out a set of verification codes [they come in packets of 10 sets]. I do this as a backup and store in 1Password plus Dropbox. That way, if I am in remote site or overseas, can still access.

Another good tip, feature. That. Could. Work. For the parents. Maybe. I could print out the list of 10 and give it to them and say, listen every 30 days, outlook is going to come looking for a new password to access gMail, just use the next one on the list. Yes, they'd have a printout list of their next ~10 months worth of passwords sitting there (knowing them, right next to their computer). But, it's in their house. On the grand scale, the guy breaking into the house would probably be more interested in the physical computer than what it had access to.


Thanks for the tip.

gfunkdave Apr 24, 2012 12:45 pm


Originally Posted by jsnydcsa (Post 18452382)
Another good tip, feature. That. Could. Work. For the parents. Maybe. I could print out the list of 10 and give it to them and say, listen every 30 days, outlook is going to come looking for a new password to access gMail, just use the next one on the list. Yes, they'd have a printout list of their next ~10 months worth of passwords sitting there (knowing them, right next to their computer). But, it's in their house. On the grand scale, the guy breaking into the house would probably be more interested in the physical computer than what it had access to.


Thanks for the tip.

No, this is incorrect. The 10 codes are just for accessing Gmail from the web. If you're using Outlook you generate a device-specific password and give that password to Outlook. Device-specific passwords don't expire, so you'd never need to change them.

dtsm Apr 25, 2012 12:13 pm


Originally Posted by gfunkdave (Post 18453383)
No, this is incorrect. The 10 codes are just for accessing Gmail from the web. If you're using Outlook you generate a device-specific password and give that password to Outlook.

I access gmail on my computer via the web, and was referring to accessing it via the 2 step verification process. I don't use Outlook so unfamiliar with how it would work. On my iPhone, it is a device-specific password but I thought OP said his parents don't have smartphones?

gfunkdave Apr 25, 2012 12:44 pm


Originally Posted by dtsm (Post 18459611)
I access gmail on my computer via the web, and was referring to accessing it via the 2 step verification process. I don't use Outlook so unfamiliar with how it would work. On my iPhone, it is a device-specific password but I thought OP said his parents don't have smartphones?

I was referring to jsnydcsa's scenario, where his parents use Outlook to access Gmail. In that case, you'd use a device-specific password for Outlook to access Gmail.

jsnydcsa Apr 25, 2012 1:23 pm


Originally Posted by gfunkdave (Post 18453383)
No, this is incorrect. The 10 codes are just for accessing Gmail from the web. If you're using Outlook you generate a device-specific password and give that password to Outlook. Device-specific passwords don't expire, so you'd never need to change them.

Thanks for the clarification. That makes it even easier! S/S 'Listen Mom and Dad, your password is a randomly generated code of gobbledygook. That's the most secure and it's at least program - Outlook - specific. Just go with that for me, please.' Sip Jameson's (no, wait, summer, sip Hendrick's) and wait for their baffled response. Repeat.

Dad just picked up a Dell laptop ("the iPad is too difficult"), so I'm setting that up this weekend and may implement this.

SRQ Guy Apr 25, 2012 1:39 pm

I feel ya bro, I sometimes wish I'd never pushed my parents to start using a computer. :D

gfunkdave Apr 25, 2012 2:19 pm


Originally Posted by jsnydcsa (Post 18460025)
Thanks for the clarification. That makes it even easier! S/S 'Listen Mom and Dad, your password is a randomly generated code of gobbledygook. That's the most secure and it's at least program - Outlook - specific. Just go with that for me, please.' Sip Jameson's (no, wait, summer, sip Hendrick's) and wait for their baffled response. Repeat.

Dad just picked up a Dell laptop ("the iPad is too difficult"), so I'm setting that up this weekend and may implement this.

The iPad is too difficult, so he got a laptop?? If an iPad is too difficult perhaps a good old fashioned telephone is in order... :)

Summer doesn't begin until Memorial Day! You've still got a month to drink brown liquor. :)

KarlJ Apr 28, 2012 1:34 pm


Originally Posted by SRQ Guy (Post 18460127)
I feel ya bro, I sometimes wish I'd never pushed my parents to start using a computer. :D

I'm right there with you on that!

jsnydcsa Apr 30, 2012 2:23 pm

To bring it full circle. I set this device specific password up over the weekend and it's working like a charm. Parents both appreciate the added security.


Originally Posted by gfunkdave (Post 18460344)
The iPad is too difficult, so he got a laptop?? If an iPad is too difficult perhaps a good old fashioned telephone is in order...

Other memorable parental computer-related quotes and actions:

"The internet is broken." [Not connected to Wifi]

"That's not right." [Response to email retention TOS policies of various providers discussion]

"It fell." [Response to question. How did the back of the monitor make a perfect impression through the drywall behind it?]

"I just keep them here." [Showing a small reporter's notebook of frequently used email addresses rather than using Outlook Address book. So focused on typing and reading from pad, didn't notice auto complete feature in action.]

"But Mr./Mrs. [insert name] always tells such funny jokes." [Response to my command to stop opening, reading, clicking on links for or forwarding RE: RE: RE: RE: FWD: FWD: FWD: emails from friends and neighbors.]

Re: Phone. They still have several old four-prong telephone outlet plugs in the house.

magiciansampras Apr 30, 2012 2:25 pm

The Google 2-step is a bit of a pain in the butt, but it does seem to be more safe. ^

SRQ Guy Apr 30, 2012 2:48 pm


Originally Posted by magiciansampras (Post 18487494)
The Google 2-step is a bit of a pain in the butt, but it does seem to be more safe. ^

I just started using it after reading this thread. I'm not yet 100% sold on it. It definitely makes my Google account safer from hacking, but it adds a hassle factor.

magiciansampras Apr 30, 2012 2:51 pm


Originally Posted by SRQ Guy (Post 18487650)
I just started using it after reading this thread. I'm not yet 100% sold on it. It definitely makes my Google account safer from hacking, but it adds a hassle factor.

Yeah.. I also worry about situations in which I need to use a computer to quickly find something in my email and I don't have my phone with me or something. I suppose those situations are rare, but I do worry about the odd exceptional situation.

SRQ Guy Apr 30, 2012 2:53 pm


Originally Posted by magiciansampras (Post 18487664)
Yeah.. I also worry about situations in which I need to use a computer to quickly find something in my email and I don't have my phone with me or something. I suppose those situations are rare, but I do worry about the odd exceptional situation.

They do offer a list of 10 "backup codes" that when printed is similar to the size of a credit card. Each code can be used once. I keep mine in my wallet.
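Added example, not part of the thread and not Google's code: a sketch of how a server could check the second step discussed above, accepting either the app's time-based code or a single-use backup code. It assumes the RFC 6238 TOTP scheme (HMAC-SHA1, 30-second step, 6 digits); the `SecondStep` class, its method names and the sample secret and backup code are hypothetical.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # assumption: RFC 6238 default time step, in seconds
DIGITS = 6   # assumption: six-digit codes


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    """Time-based code: HOTP keyed on the number of elapsed time steps."""
    return hotp(secret, int(now) // STEP)


class SecondStep:
    """Hypothetical server-side check for one account's second factor."""

    def __init__(self, secret: bytes, backup_codes):
        self.secret = secret
        self.backup = set(backup_codes)   # printed codes, each valid once
        self.last_counter = -1            # newest time step already accepted

    def verify(self, code: str, now=None):
        now = time.time() if now is None else now
        current = int(now) // STEP
        # Allow one step of clock drift either way, but never accept a step
        # at or before one already used: a captured code cannot be replayed.
        for counter in (current - 1, current, current + 1):
            expected = hotp(self.secret, counter).encode()
            if counter > self.last_counter and hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return "totp"
        if code in self.backup:
            self.backup.discard(code)     # burn the backup code on first use
            return "backup"
        return None


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    account = SecondStep(b"12345678901234567890", ["41726690"])
    code = totp(account.secret, time.time())
    print(account.verify(code), account.verify(code))              # accepted, then replay rejected
    print(account.verify("41726690"), account.verify("41726690"))  # accepted once only
```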

magiciansampras Apr 30, 2012 2:54 pm


Originally Posted by SRQ Guy (Post 18487677)
They do offer a list of 10 "backup codes" that when printed is similar to the size of a credit card. Each code can be used once. I keep mine in my wallet.

Yeah I did that too. Still nervous. :)

It also is a pain if you use a computer that is set to not allow cookies.

TA May 1, 2012 12:26 am

.


I like 2 step authentication, I use it myself. But what about for my parents, who are rudimentary cell phone users, and not only that, travel enough overseas that they can't receive the verification codes while on the road?

I suppose I just have to hope they don't get hacked? Or ask them to make their passwords longer?

gfunkdave May 1, 2012 4:04 am


Originally Posted by SRQ Guy (Post 18487650)
I just started using it after reading this thread. I'm not yet 100% sold on it. It definitely makes my Google account safer from hacking, but it adds a hassle factor.

That's frequently the trade off: extra security causes extra hassle. This is why so many people take shortcuts and wonder why they have been hacked.

traveltuna May 1, 2012 4:14 pm

Super helpful... thanks for taking the time to tip us off!

fredl May 10, 2012 1:09 am

I rely on Google's 2-step verification. On my primary work computer I have Firefox set to "Ask website not to track me" and the result of that is that I receive a new text every time I close and reopen the browser. Two times I have had to use the emergency codes I carry in my wallet.

I wish Apple would introduce a similar 2-step verification for Apple IDs. I am a bit troubled with iCloud's backups being accessible with only an e-mail and simple(ish) passwords. Since you have to enter the Apple ID password so often I keep it manageable. The best route to take here is perhaps to create a new Apple ID for iCloud and use a real beast of a password there.

