

Microsoft, leave my Gmail alone.
April 12, 2011 11:01 PM   Subscribe

A while ago, my Gmail account notified me of suspicious activity. The IP that accessed my account seems to be from Microsoft.

The notification told me my account had been accessed from the U.S. (I don't live there). The IP, according to Whois, is Microsoft's. It accessed my account via Atom feed, the last access was an hour ago. The first access, from 5 days ago, says "Unknown access type".

The Gmail address (actually, a Google Apps account, it uses one of my domains) has been set to always use https. My other Gmail/Google Apps accounts haven't been compromised. I only use Macs and don't use any Microsoft software. I have a Passport account with that same email address to use MSN messenger (with Adium, not the MSN client), using a different password.

I have a Blackberry, although I'm not currently using it to check my email. However, I occasionally check it from my iPod touch + WiFi.

I've already changed my password, but I'm kind of freaking out. I'm hoping there's a stupid explanation, perhaps related to MSN. Thanks!
posted by clearlydemon to Computers & Internet (16 answers total) 17 users marked this as a favorite
 
One of Microsoft's hosts could be compromised, used indirectly as a vector for cracking accounts.
posted by Blazecock Pileon at 11:42 PM on April 12, 2011


Web crawler run amok, possibly seeded with a referrer that somehow contained your credentials?
posted by zippy at 11:44 PM on April 12, 2011


It's always a good idea to go through the Gmail security checklist.
posted by sergent at 12:05 AM on April 13, 2011


It's also a good idea to use a really strong password for your Gmail account. There's quite a lot of cracker-bot activity devoted to breaking Gmail passwords.

I no longer know my own Gmail, eBay, PayPal or banking passwords; I use KeePassX to remember them for me, and I've used its random password generation feature to make up some nice 16-character gibberish passwords. I've also set the password-recovery security question answers to 16-character gibberish, since any account is protected only as well as its weakest password. My KeePassX database travels with me on a USB stick along with portable Windows and Linux versions of KeePassX itself, and I've also backed it up on several computers to avoid password loss. Cracking my Gmail account would now have to happen from inside Google itself, which I see as fairly unlikely.
posted by flabdablet at 2:37 AM on April 13, 2011 [11 favorites]


flabdablet,

What's the weakest link in your procedure? Is obtaining the USB stick the easiest way to get into your accounts?

Is the USB stick password protected?

Your method seems really secure...I'm *this* close to adopting it, as I'd rather not remember all my passwords. I would rather they be 16 random characters, than something I have to train myself to remember.

Are you lost without your USB stick? Do you have several of them? What would happen if you lost one or a few?
posted by hal_c_on at 2:47 AM on April 13, 2011


If you want to be safe, use Google's new 2-factor authentication... it works well. You can also create 1-time passwords for your Gmail account for each application that has access to it... and then remove them if you think it's gone amok. http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
- Tim
posted by fozzie33 at 4:31 AM on April 13, 2011 [2 favorites]


I'm pretty happy with the 2 factor authentication... except when I forget my &%$#^*! cell phone at home.
posted by Jahaza at 6:28 AM on April 13, 2011


Does Microsoft still run an ISP division?
posted by k5.user at 6:56 AM on April 13, 2011


I know that you can pop your Hotmail e-mails into your Gmail account. Could the reverse be happening, but with Messenger?
posted by monkeymadness at 6:57 AM on April 13, 2011


hal_c_on,

The passwords.kdb file where KeePassX keeps my passwords is AES-encrypted. Were I to lose my USB stick, any black hat who acquired it would need to brute-force a 14 character randomly generated master password that I *do* remember (because it's the only one I need to).

One character of gibberish has a little over 6 bits of entropy, so a 14 character randomly generated password is roughly equivalent to an 85-bit key. At 400 million tries per second (which I've seen claimed as an achievable rate using a GPU-based cracker), scanning an 85-bit search space takes about 3 billion years. So I ought to have enough time to visit all the services whose passwords I keep in KeePassX and change the passwords I use on them.
posted by flabdablet at 7:29 AM on April 13, 2011
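As an added worked example (not code from the thread or from KeePassX), this Python script reproduces the arithmetic in the post above: the entropy of a uniformly random password of a given length and alphabet, and the time to exhaust that keyspace at a given guess rate. The alphabet sizes and the key-derivation multiplier are assumptions; the post itself gives only "a little over 6 bits" per character and "400 million tries per second".

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed alphabet sizes (assumption: the post does not say which
# character set the KeePassX generator was configured with).
ALPHABETS = {
    "lowercase": 26,        # log2(26) ~ 4.70 bits per character
    "alphanumeric": 62,     # log2(62) ~ 5.95 bits
    "alnum+symbols": 94,    # printable ASCII minus space, ~6.55 bits
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Valid only for generator output; a human-chosen password has far less."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float,
                      fraction: float = 1.0, kdf_rounds: int = 1) -> float:
    """Years to search `fraction` of a 2**bits keyspace at the given rate.
    fraction=0.5 is the expected time to hit the right guess.
    kdf_rounds models a key-derivation slowdown: each guess costs that
    many times more work (assumption: treated as a simple multiplier)."""
    guesses = (2 ** bits) * fraction
    seconds = guesses * kdf_rounds / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def bits_needed(years: float, guesses_per_second: float) -> float:
    """Keyspace size (in bits) that takes `years` to exhaust at that rate."""
    return math.log2(years * SECONDS_PER_YEAR * guesses_per_second)


def password_report(length: int, guesses_per_second: float) -> dict:
    """Entropy and exhaustive-search time for each alphabet at one length."""
    return {
        name: {
            "bits": round(entropy_bits(size, length), 1),
            "years_to_exhaust": brute_force_years(entropy_bits(size, length),
                                                  guesses_per_second),
        }
        for name, size in ALPHABETS.items()
    }


if __name__ == "__main__":
    # The post's figures: 85 bits at 400 million guesses/s -> ~3 billion years
    print(f"{brute_force_years(85, 4e8):.2e} years to exhaust 85 bits")
    for name, row in password_report(14, 4e8).items():
        print(f"{name:>14}: {row['bits']:5.1f} bits, "
              f"{row['years_to_exhaust']:.2e} years")
```

The figures only hold for passwords the generator chose; the same 14 characters picked by a person sit in a far smaller effective keyspace, and the expected time to a hit is half the exhaustive figure.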


And if my USB stick goes bad, I can just restore it from backup.

With hard disk storage now costing under 10c/GB, surely nobody would keep just one copy of anything important?
posted by flabdablet at 7:34 AM on April 13, 2011


flabdablet: I no longer know my own Gmail, eBay, PayPal or banking passwords; I use KeePassX to remember them for me, ...

I also do this, but I have it ftp to a central location so that I can just leave it on the protected FTP site and download the kdbx file when I need it, from the various computers that I use it on.
posted by Monkey0nCrack at 8:08 AM on April 13, 2011


If you trust a third party, LastPass does the same as KeePassX but stores your (encrypted) data on their servers so you can get at it anywhere you have internet. I use it and it works great.
posted by katrielalex at 9:06 AM on April 13, 2011


I've gone through the Google security checklist, had a strong password, etc. I hoped to find out it was an app or a web service connecting to my account, but at this point I think the IP address might have been spoofed.

I've used 1Password (similar to LastPass or KeePassX) but I stopped using it when I upgraded my browsers. I'll check your suggestions out, maybe I'll like one of them more than 1Password.

Fortunately I didn't have any sensitive information in my account, so I hope this is the end of it.

Thanks everybody.
posted by clearlydemon at 2:31 PM on April 13, 2011


Got no particular issue with trusting a password service provider provided they use decent encryption, but given that I need my USB stick anyway to establish my secure tunnel for out-and-about browsing and to launch my portable browser from, it's just easier to keep the password database on the stick as well.

If I did want to make my passwords available online, I'd just stick my .kdb file in my personal web space; it's well under 10kB.
posted by flabdablet at 5:53 PM on April 13, 2011


I've had good results with keeping my KeePassX .kdb synched between computers via Dropbox.
posted by armoir from antproof case at 10:02 PM on April 13, 2011

