Gmail account compromised but not sure how
December 29, 2011 11:39 AM

My Gmail account was compromised a few days ago and the password was changed. I've since recovered it, but I'm wondering what could have caused it.

The password is very strong. It's an email address that I have not myself logged into in 6+ months, and never on this new computer (a Mac). I have not sent an email from it in 4 years. The few messages it gets get sent to my other primary Gmail email address using Gmail's POP3. This email address has the same password. It was not compromised. No other account uses the same password.

Looking at the recent activity, the account was accessed once from a Polish IP, a spam email was unsuccessfully sent to my small list of contacts, and then it was never accessed again. I've Googled the phrase in the email and it's been posted to mailing groups, so it looks like the work of a bot.

Obviously I am changing all of my passwords, but I'm wondering what could have happened here, and what I could have done wrong to cause this to happen. Why/how would a fairly inactive email address that's only ever accessed through Gmail's POP3 be the target of this?

Any insight would be appreciated. I'd rather put the blame on myself than on Google.
posted by alligatorman to Computers & Internet (12 answers total) 4 users marked this as a favorite
Have you accessed it using a public wifi node?
posted by Chocolate Pickle at 11:41 AM on December 29, 2011

Did you have an easy to guess secret question?

Turning on 2-factor will help prevent this in the future.
posted by primethyme at 11:44 AM on December 29, 2011

Chocolate Pickle - I used Public Wifi in an airport two days before, but I don't recall accessing my email, and even if I had, I would not have directly accessed the email address that was compromised.

Primethyme - I'm not exactly sure what my secret question was, but if it's one of the questions that I was asked in the p/w recovery form, then while it isn't easily guessed, it could have been found through brute force. I've always assumed Google would not allow brute force guessing of secret questions and passwords, not to mention the bot would first have to get past the Captcha text.
posted by alligatorman at 11:59 AM on December 29, 2011

The password is very strong.

Humans are actually very bad at making this determination. Have you used a tool like this to test it? The same test should be run against your "secret question" answers.

As primethyme already mentioned, enabling two-factor authentication will stop these kinds of attacks cold.
posted by odinsdream at 12:05 PM on December 29, 2011 [4 favorites]

There's a good article in the Atlantic about how the wife of the author had her gmail hacked (including how they suspect it happened, and how to recover).
posted by melissasaurus at 12:07 PM on December 29, 2011

From what I understand the odds are overwhelming that you use the same or a similar password on a number of sites. Anyone wanting your information will ask you to register for something. Once they have your e-mail address and the password you're likely to use on your e-mail, it's a fairly straightforward way to break in.
posted by katiecat at 12:08 PM on December 29, 2011

Same thing happened to a close relative, and two unrelated friends, all on the morning of December 18th.

Passwords changed, and accounts used to send a single spam email for different websites (selling things like digital cameras etc). As far as we can tell, no other account settings changed.

Don't know what it was, but if it helps narrow it down any, I don't think it was a compromised site, as my relative had changed their email password about a week beforehand (not sure whether it was still an 'easy to guess' password, though). Don't think it was compromised wireless, as other people in the same house weren't hacked.

I think two out of three use windows computers (windows xp / unknown), but I'm unsure if the third person was compromised at work/home (mac) etc.

At least one of the three might accidentally have some malware toolbar or something, but the other two wouldn't. They're still not the geekiest people I know, however. I thought it was probably the security question, but my relative's question was actually pretty obscure.

So basically, I ran a couple of antivirus packages (clean), updated chrome, and got them to change their passwords and security question.

Would really like to know what it was, though, so let me know if you get any leads.
posted by Elysum at 12:39 PM on December 29, 2011

You've swept for malware and spyware and not found anything?
posted by Lyn Never at 12:39 PM on December 29, 2011

My gmail was also hacked into around the same time, also from Poland. I think that rules out a password guess (especially given Elysum's replay), though I do use the same password in other places. It's starting to sound like it was a pretty hardcore hack, though for all that the spam message they sent out was pretty lame.
posted by hiteleven at 12:41 PM on December 29, 2011

*reply. Also, no public wi-fi for me, at least not any time around when it happened.
posted by hiteleven at 12:42 PM on December 29, 2011

I also had a similar situation - on Dec 20th, a little used gmail account got hacked and used to send a pdf (presumably virus-laden) to my (thankfully few in that addy) contacts. My password (at the time) got 73% on Odinsdream's checker. Did similarly, changed question and password all across my accounts. No idea how it went when my others were untouched. I assumed a lucky bot. Unfortunately, I'd been in to it a few times when checking to see what the sitch was and other recent activity slid off the list, so I don't know if poland was involved.
posted by Sparx at 6:04 PM on December 29, 2011

> I've always assumed Google would not allow brute force guessing of secret questions and passwords

Gah! I thought so too, but here's a demo of a dictionary attack (against password) using IMAP. Secret question requires CAPTCHA as you mentioned.

I see a lot of claims that POP3 and IMAP don't have a failed-attempt limit, but here's a statement that they do. The claim is that after some number of failed attempts, they won't accept even the correct password. A brute forcer will blithely continue on through the dictionary thinking all attempts are the wrong password, even the correct one. It would be nice to see a more authoritative answer, though.
posted by morganw at 2:04 PM on January 1, 2012
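morganw's point about failed-attempt limits, worked through as an added example (constructed for this page; it is not code from any poster and it is not a description of how Gmail actually behaves): a toy IMAP-style authenticator with a lockout counter, a naive dictionary attacker run against it, and a detection pass over the log lines the server writes. The account name, wordlist, IP addresses and log format are all made up for the illustration. The script shows three things: with no lockout the weak password is found; with a lockout the attacker walks past the correct password and reports nothing, exactly because "wrong password" and "locked" look identical from the client side; and the lockout also refuses the real owner until the counter is cleared.

```python
"""Lockout vs. dictionary attack, simulated locally (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed wordlist; the victim's password sits at position 7.
WORDLIST = ["123456", "password", "letmein", "qwerty",
            "welcome", "dragon", "monkey", "correct horse"]


@dataclass
class LoginService:
    """Toy authenticator (not Gmail's). After `lockout_after` consecutive
    failures every further attempt for that user is refused, including one
    carrying the correct password. The client only ever sees OK or NO; the
    locked state is recorded server-side in the log line."""
    passwords: Dict[str, str]
    lockout_after: Optional[int] = 5          # None disables the limit
    failures: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def login(self, user: str, password: str, src_ip: str) -> str:
        n = self.failures.get(user, 0)
        locked = self.lockout_after is not None and n >= self.lockout_after
        ok = (not locked) and self.passwords.get(user) == password
        if ok:
            self.failures[user] = 0
            result = "OK"
        else:
            self.failures[user] = n + 1
            result = "NO"
        # Constructed log format: key=value fields after a fixed prefix.
        self.log.append(
            f"auth user={user} src={src_ip} result={result} locked={int(locked)}")
        return result


def dictionary_attack(svc: LoginService, user: str,
                      wordlist: List[str], src_ip: str) -> Optional[str]:
    """Naive attacker: try each word, stop at the first OK. It cannot tell a
    wrong guess from a locked account, so a lockout makes it miss the hit."""
    for word in wordlist:
        if svc.login(user, word, src_ip) == "OK":
            return word
    return None


def detect_bruteforce(log: List[str], threshold: int = 5
                      ) -> List[Tuple[str, str, int]]:
    """Defender's view: count non-OK attempts per (user, source IP) and return
    the pairs at or above `threshold`, sorted, as (user, src, count)."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in log:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields["result"] != "OK":
            key = (fields["user"], fields["src"])
            counts[key] = counts.get(key, 0) + 1
    return sorted((u, s, c) for (u, s), c in counts.items() if c >= threshold)


def run_demo() -> dict:
    """Run the same attack against a service with and without a lockout."""
    creds = {"victim": "monkey"}                 # constructed weak credential
    attacker_ip, owner_ip = "203.0.113.7", "198.51.100.5"
    with_lockout = LoginService(dict(creds), lockout_after=5)
    no_lockout = LoginService(dict(creds), lockout_after=None)
    found_locked = dictionary_attack(with_lockout, "victim", WORDLIST, attacker_ip)
    found_open = dictionary_attack(no_lockout, "victim", WORDLIST, attacker_ip)
    alerts_locked = detect_bruteforce(with_lockout.log)
    alerts_open = detect_bruteforce(no_lockout.log)
    # Side effect of the lockout: the real owner, correct password, is refused.
    owner_result = with_lockout.login("victim", "monkey", owner_ip)
    return {
        "found_with_lockout": found_locked,       # None
        "found_without_lockout": found_open,      # "monkey"
        "owner_after_lockout": owner_result,      # "NO"
        "alerts_with_lockout": alerts_locked,     # [("victim", "203.0.113.7", 8)]
        "alerts_without_lockout": alerts_open,    # [("victim", "203.0.113.7", 6)]
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The detection pass is the part worth keeping: whether or not the service locks accounts, the per-source failure count crosses the threshold well before the wordlist is exhausted, which is the signal a mail provider (or anyone running their own IMAP server) would alert on. The lockout's cost is visible in `owner_after_lockout`: a counter keyed only on the username lets an attacker deny the legitimate user access, which is why real deployments usually throttle per source address or escalate to a CAPTCHA rather than hard-locking the account.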
