Monday, April 19, 2010

Hacked?

So around 1:13am or so last night I get an incoming text on my phone. Which is unusual. I check to see who it could be and the message only seems to contain some kind of spam link. I'm about to get angry about random SMS marketing when I realize that the spam message originated from my own Gmail account.

Crap.

I log into my Gmail, and sure enough I see a boatload of returned mail messages for emails that I sure as heck didn't send, almost all of them to people in my Contacts whose names begin with A. The Sent Mail folder confirms that my account has been sending out email for several minutes now, and as I check at the bottom of my inbox I see that there is another user logged in to the Gmail account. This is not suspicious in and of itself, as I may be accessing my email from one of several computers in the house, but the IP address sure as heck isn't anything local.

Clicking for details, I see that a mobile user in Russia is accessing the account. I immediately log the spammer out, change my password, and wonder if our home computers have been hacked. Looking at the event logs in our firewall, I don't see the same IP address anywhere, however, so I start trolling Twitter and the Google forums to see if this is currently happening to anyone else.

As it turns out, I do in fact find a thread about my recent Gmail woes. Apparently something like this has been going on with Gmail accounts for a few weeks now, although the activity clearly seems to have spiked over the past 24 hours or so. The Gmail employees monitoring the forums are as helpful as they can be given the unknown nature of the threat, but it's clear from a cursory glance at the other users posting that these aren't your typical phishing victims.

A possible theory advanced in the thread was that another web service was hacked and that the passwords stolen from that database were used to try to access various users' Gmail accounts, based on the assumption that even otherwise prudent and tech-savvy users may be lazy enough to use the same password across several different accounts. I am one of those prudent yet lazy folk, so this seems entirely possible to me - a theory which only seems to be further confirmed when I realize that one of my throwaway Gmail accounts was also hacked. Since I never even log in to this second account, the only plausible connection between it and my main account is that I used the same password for both (though I've since changed them, as well as other account passwords, to their own unique strong passwords).

So what does Google have to say about this? Nothing yet, officially, although people are beginning to talk about it beyond the Google forums and Twitter. Even if you haven't seen any suspicious activity on your own Gmail account, now might be a very good time to change your password, as another working theory is that whoever is compromising these accounts is doing so in small batches so as to avoid detection.

Regardless of whether or not this may be the case, you definitely want to change your passwords if you are using the same password across several different web services. Google's servers may be as hard as Fort Knox to crack, but your account is only as safe as the weakest database out there in the aether that you've entrusted your password to. I feel stupid for being lazy now, but I'm glad that the person who did hijack my Gmail accounts wasn't able to do any lasting damage before I locked them down.

(The other thing you should definitely do RIGHT NOW is go to your Gmail settings and choose the "Always use HTTPS" option under Browser Connections if you haven't already!)

In the meantime, sorry if I winged you with an ad for Viagra. If I'm going to pimp anything to my Contacts, it's going to be for my novel Confessions of Gourmand - the Kindle edition is only $0.99 on Amazon.com!

UPDATE: Another piece of the puzzle? The New York Times reports today that when Google was attacked back in January, presumably by Chinese hackers, the target of the intrusion attempt was Gaia, its password system for Gmail and other Google account services. Although Google claims that no passwords had been stolen at that time, it's getting harder and harder to believe the recent account hijackings being reported over the past 24 hours are just a coincidence.

4 comments:

LibrariNerd said...

What a pain! Oddly my account was temporarily suspended by gmail last week, but I couldn't find any evidence of suspicious activity (the only IPs logged were my home and work, no sent messages, etc.). Changed my password anyway, of course... it makes me nervous, but what else can you do?

leah the librarian said...

This is a great post. Thank you for sharing. I had no idea there was a https option!

Andromeda said...

Thanks for the warning. I've done the https step and checked my passwords -- astonishingly I can't think of anywhere else I use my gmail password (I make a point of not using it at places where my gmail account is my login, anyway). So far so good. *fingers crossed*

Tom said...

Thanks for the comments, everyone! I hope none of you have to endure this, though I guess considering I caught the spammer early I got off rather easy...