So I had the joy of waking up this morning to 55 emails in my inbox, all bounce back emails from when apparently my gmail account was compromised and everyone I had ever communicated with was spammed. Obviously I changed my password right away and luckily it isn't a password I use for other things (although I took this opportunity to change all my important passwords).

What I am wondering is how they got in and if I need to do anything else to protect myself. I haven't logged into this account in a while, I mainly just use it to forward any emails received to my main gmail account. When I logged in and went to activity information it shows no unusual activity at all. It shows that I logged in on July 17th from my same IP and that is the only other instance.

I only use an up to date iMac, iPad, iPhone, and then a ThinkPad is my work computer but I doubt I have logged into that account with my work computer. I have Sophos on my iMac and it hasn't detected any virus or anything, should I just chalk this one up to a brute force hack job and make stronger passwords next time? My biggest concern is that I have a keystroke logger on my machine, is that something I should be concerned about and is there a way to check for one that doesn't involve just reformatting my computer?

7/28/2013 11:25:35 AM

If its gmail and you use it so infrequently do you have an issue with 2-step verification?

7/28/2013 12:08:13 PM

What is weird is I thought I set that up when they first offered it. I even made my wife put it on hers but when I went to check today it was turned off.

7/28/2013 1:22:35 PM

Quote :

"one time i got hacked from somebody in china and i literally saw it happening i had my own gmail window open and started seeing a bunch of undeliverable notices pile up in my inbox, i was like and went to my Sent folder and saw a bunch of spam messages to pretty much my entire contact list in there, then a few seconds later they had been deleted. went back to my inbox and the undelivered notices were gone too. those spammers are crafty. i hate them. :mad"

7/28/2013 1:29:54 PM

not much you can do imo besides change the password to something more complicated.

some motherfucker did it to me once from like vietnam or something, but seems this is becoming less common since gmail notices where strange ips log in.

7/28/2013 3:01:27 PM

Two factor that bitch.

7/29/2013 6:54:27 PM

A friend of mine had pretty much the exact same thing happen to his main gmail account a week or so ago.
I got a sketchy looking email from him with well over 100 addresses in the "To:" field. When I sent him a screenshot and asked what was up, he looked into to the login history and saw that he had been hacked by an IP from Taiwan. They even changed his password, but he recovered it.

2-factor got set up immediately on all his accounts... Including Dropbox and Facebook.

Good luck man!

7/30/2013 12:48:02 AM

My dad has given my email address as his recovery address.

So about a week ago, I wake up and see an email in my inbox from gmail saying somebody had tried to login to my dads account from Thailand, but they had prevented the login because it seemed fishy.

Continue upwards to newer emails and see that my dads account's password has been changed.

Continue further upwards and see spam sent out from my dads account to all his contacts.



Ok wtf google

You prevent someone from logging in from Thailand, great, but then an hour or so later, not only do you let them login, you also let them change the password. Seriously, that's not cool.

Had to spend a good part of the evening trying to recover the account. Once we did, we checked his inbox, it was full of the undelivered spam to like 20 addresses. Checked the sent mail, and not only had they deleted the spam they sent, which was just one message, but they also deleted all his sent messages after July 1. Why the hell would they do that?

Anyway, I am really angry at google for preventing the login from Thailand and then letting it take place. Would it be any use if I complained to them?

Also, how do these people crack the passwords, and also, do they target any specific accounts or just any random accounts?

7/30/2013 3:46:37 AM

That is another reason I am confused how this happened since I don't see any unusual activity. Only other login was July 17th from where I live.

7/30/2013 11:09:58 AM

Session hijack.

7/30/2013 12:35:56 PM

^HTTPS makes that much more difficult.

7/30/2013 11:21:36 PM

Quote :

"Anyway, I am really angry at google for preventing the login from Thailand and then letting it take place. Would it be any use if I complained to them?"

How much is your dad paying Google for his email service?

7/31/2013 2:11:10 AM

He lets them read all of his emails and allows them to send him targeted ads

7/31/2013 7:20:48 AM

^^ I don't understand what you are trying to accomplish with that. We all know gmail is a free service. So are you saying if he was paying for more space, then gmail would have been stricter in their controls?

Look, if they let the hacker login from the very beginning, I wouldn't say a thing.

But they, on their own, stopped the hacker, and even informed me/him about it, but then a bt later let the hacker login. This is stupid inconsistency and going against their own prior action. So if the service is free, that's ok?

7/31/2013 8:52:43 AM

^You are being excessively aggressive about this, so I'm leaning towards computer illiteracy on your part, especially if it took an entire evening to recover the account. But perhaps I'm wrong. Let's get some more information.

1. So Google prevented the hacker from logging in from a Thailand address. That's good and fairly easy to catch. When they successfully logged on later, was it still from a Thailand address? I'm guessing no. They probably used some other method to log-in from a USA related IP or found some way to spoof it. The first run was probably a happy-path attack to see which accounts needed more finagling to get into (the difference between walking through an open door vs a locked door when you have the key in both instances).

2. They stopped the hacker the first time and they notified you. Did you see this notification BEFORE they successfully logged in? If so, sweet-baby-Jesus why didn't you change your password and scan all your computers for malware?

3. If you don't see tons of suspicious activity on your account prior to the hack, its likely they had the info prior to trying to hack you. Especially if they are just stealing information and spamming others. Likely causes:
-You have malware on computers that you look at gmail on. If this is the case, you'll probably be hacked again after you log on the next time from that computer. Scan scan scan...
-Your log-in credentials for another site have been compromised. Thus, they try to use the same credentials on gmail, which is usually pretty straight forward since email accounts make decent usernames these days.
-You entered your email and password as information on a phishing site or legitimate looking site that still steals your information.

---

There is only so much Google can do. They blocked something sketchy. They notified you, and I'm guessing you didn't take proper corrective actions. Short of locking out your email account, they followed proper procedure. The only thing I can see that Google could have done differently was immediately lock your account when the sketchiness occurred. That would be terrible, though, since the hackers could then launch DoS attacks against your email account simply by attempting to log in.

Learn the interwebs and prosper!

7/31/2013 2:42:30 PM

Quote :

"That is another reason I am confused how this happened since I don't see any unusual activity. Only other login was July 17th from where I live."

Maybe you never really got hacked at all (b/c I don't *think* they can delete that account activity). They may have gotten your e-mail address from the contact list of someone you know and then spoofed your address to send a bunch of junk. So then you get all the bounces.

i.e: https://support.google.com/mail/answer/50200?hl=en

7/31/2013 4:00:16 PM