Gmail hacked - lots of spam sent - nothing in sent items
June 3, 2013 4:57 AM
My Gmail account was very definitely hacked on Sunday.
A whole lot of email was sent, seemingly to everyone I've ever corresponded with from that account.
There was clearly a login from Poland which corresponds exactly with when the emails began to be sent.
The session seemed to last about 7 minutes.
I then received about 150 "mailer daemon" emails due to bounces from old addresses, addresses which don't receive unsolicited email, and mail servers which correctly identified the content as spam.
What baffles me is
a) How my password was cracked or guessed. It was (now changed to 2-stage authentication) described as "not good" by a password strength checker but I had no idea Google would allow a bot or other tool to brute force its servers. Without giving too much away, I wouldn't have thought the password was in any human way guessable.
b) why there is no record of the sent items in Gmail's "sent items" folder OR in the bin
c) How he managed to do so much in so little time! Clearly automation of some sort but I would have thought Google would defend against this and the suspicious activity log reckoned, at least, that the rascal was using a browser (Firefox).
Thanks
It is extremely difficult to brute force a password on gmail, although not impossible (it might take a long time due to rate-limited attempts, but for all you know this happened for months). It is not possible to do many attempts in a very short period.
Did you use this password anywhere else? That would be another possibility.
You saw a suspicious login in the Google login history? Otherwise I would say it's possible they simply used forged mail headers and didn't actually hack your account, but that makes it less likely.
You can delete items from Sent and then again from Trash and they would not appear anywhere, so that part (b) is not strange.
If they can access your account they could use IMAP or another non-web-based way of doing mail, where it is normal to have lots of actions and would not seem suspicious (it's normal for automated clients to access mail). The log just shows they logged in once with a browser (if that happened), not that all access was that way.
posted by wildcrdj at 5:08 AM on June 3, 2013
Check to see if they set up a forward for your emails.
posted by JohnnyGunn at 5:24 AM on June 3, 2013 [2 favorites]
Possibilities:
--same password used elsewhere, that site got hacked and login/pw files stolen, then tried on gmail and elsewhere.
--some kind of malware got into your machine.
Either way, change all passwords everywhere to something very different from the originals, and get your computer checked for malware.
posted by beagle at 6:03 AM on June 3, 2013
Something similar happened to my wife. Be sure to check that they didn't also change the Reply-To address. With my wife's account, they had changed it to a @yahoo.com, presumably to intercept any phishing replies.
posted by Tu13es at 6:08 AM on June 3, 2013
I'm pretty sure that my Gmail password was obtained from another site which used the same password. Luckily, Google was kind / smart enough to notify me of a suspicious log on from another U.S. state. Immediately after that, I turned on 2-step verification. While it's a bit of a pain in the ass -- I had to get special passcodes for all my mobile apps that use google services and need to get passcodes via text message any time I log in from an untrusted device -- the pain gives me a little peace of mind that my email records and drive documents are safe-ish.
posted by voiceofreason at 8:42 AM on June 3, 2013
Someone might've hacked your account, then again they might not. There's something called a Joe Job, which is a relatively simple way of cloaking the true sender of spam.
2-factor auth is a GOOD thing. So are complex passphrases and password safes. I'm a fan of LastPass, but can also recommend KeePass.
posted by endotoxin at 9:04 AM on June 3, 2013
a) How my password was cracked or guessed. It was (now changed to 2-stage authentication) described as "not good" by a password strength checker
Could be spyware of some type. Make sure you run antivirus. Could be they hacked another server and you used the same password and listed that as your email. (always use different passwords for everything and use a password manager)
b) why there is no record of the sent items in Gmail's "sent items" folder OR in the bin
As other people said, they may have just got your contact list and then spammed them from another server, but
SPF records are supposed to prevent that from working (which could explain the 150 bounce messages - were many of them for addresses that normally work?).
The other possibility is that they just deleted them, then cleared the trash.
posted by delmoi at 10:12 AM on June 3, 2013
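An added example (not from the thread) of the SPF check that endotoxin's "Joe Job" and delmoi's bounce explanation both rest on: the receiving server compares the connecting IP with the record the sender's domain publishes, so spam forged to carry your address but sent from elsewhere fails and bounces back to you. It handles only the `ip4`, `ip6` and `all` mechanisms (`include`, `a` and `mx` need DNS); the record and addresses are constructed from documentation ranges.

```python
"""Minimal SPF evaluator for the forged-sender scenario discussed above.
Added example; the record below is constructed, not a real provider's."""
import ipaddress

# Constructed record, standing in for what a mail provider would publish.
CONSTRUCTED_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record: str, client_ip: str) -> str:
    """Return the SPF result for `client_ip` under `record`.

    Mechanisms are tested left to right; the first one that matches decides,
    using its qualifier (default '+').  With no matching mechanism and no
    'all', the result is 'neutral', as RFC 7208 specifies."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism {name!r} needs DNS, not supported here")
    return "neutral"


def receiver_action(result: str) -> str:
    """Typical receiving-server policy: a hard fail is rejected (so the forged
    sender gets the bounce), softfail is tagged as spam, pass is delivered."""
    return {"fail": "reject", "softfail": "mark-as-spam", "pass": "deliver"}.get(result, "deliver")


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        res = spf_result(CONSTRUCTED_SPF, ip)
        print(f"{ip:>14}  spf={res:<8}  receiver would: {receiver_action(res)}")
```

A spoofing spammer sends from an address outside the provider's published ranges, so the `-all` term matches and the message is rejected; that rejection is what lands in the forged sender's inbox as a mailer-daemon bounce.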
I had no idea Google would allow a bot or other tool to brute force its servers.
Just to speak to this piece, they might have run a brute force attack using multiple hacked computers. It's not necessarily possible to detect a distributed brute force attempt without screening out legitimate users, because a brute force attack works nearly as well if you try one password per account as if you try a ton of passwords for one account.
(Just to have fun with the math ...)
Let's assume, for example, that I have a list of 10,000 gmail addresses, and I know that their passwords each appear on a list of 10,000 most-common passwords. (This is not far from the truth.)
Now I want to get access to one account from the list. So I could set my computer to pick one account and try all 10,000 passwords. After 10,000 tries, I would have access to that account guaranteed -- probability 100%.
But Google would detect those 10,000 tries and block them, right? So let's say instead that I hack into 10,000 computers and run my attack from there. Each computer will randomly pick one of the 10,000 gmail addresses, and randomly try one of the 10,000 passwords -- totally undetectable as a brute force attack. What are my odds of success?
Turns out the odds of gaining access to at least one account are:
1 - [odds of guessing a wrong password] ^ [number of total attempts]
In this case that's 1 - .9999 ^ 10000, or about 63%. So running a distributed attack has only slowed me down a little bit. Every time I'm able to have my 10,000 hacked computers try another guess without attracting Google's attention, I have a 63% chance of picking up another account. I could alternate between a list of email providers to go even faster without detection ...
If you're right that your password is pretty far down the list of common gmail passwords, this might be less likely, because a distributed attack would focus on the most common passwords. But one thing we know from looking at password lists is that humans often guess wrong when trying to pick a password that no one else would pick for a particular site.
posted by jhc at 10:26 AM on June 3, 2013 [1 favorite]
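An added example (not from the thread) that works jhc's numbers through and adds the defender's side of the same model: why a per-account lockout never fires against one guess per account, and which aggregate signal still does. The 10,000 figures are the comment's; the lockout threshold of 10 and the per-round view are assumptions.

```python
"""Distributed ("one guess per account") password attack, as modelled above.
Added example; 10,000 figures are the comment's, lockout threshold is assumed."""
import math


def p_at_least_one(dictionary: int, attempts: int) -> float:
    """1 - (odds of a wrong guess) ** attempts, the comment's formula.
    A single random guess succeeds with probability 1/dictionary because
    every targeted account's password is somewhere on the list."""
    return 1.0 - (1.0 - 1.0 / dictionary) ** attempts


def focused_attack_success(dictionary: int, lockout_threshold: int) -> float:
    """Single-account dictionary attack against a per-account lockout:
    the attacker gets only `lockout_threshold` tries, so the odds collapse
    from the comment's 100% to threshold/dictionary."""
    return min(lockout_threshold, dictionary) / dictionary


def p_account_over_threshold(accounts: int, attempts: int, threshold: int) -> float:
    """Defender's view: probability that one specific account sees more than
    `threshold` guesses in a round.  Each guess lands on this account with
    probability 1/accounts, so the count is Binomial(attempts, 1/accounts);
    at one guess per account on average a per-account lockout almost never
    fires, which is why the traffic looks like ordinary typos."""
    p = 1.0 / accounts
    under = sum(math.comb(attempts, k) * p ** k * (1 - p) ** (attempts - k)
                for k in range(threshold + 1))
    return 1.0 - under


def expected_failed_logins(dictionary: int, attempts: int) -> float:
    """The signal that survives distribution: almost every guess fails, so a
    round adds attempts * (1 - 1/dictionary) failures to the global failed-login
    rate.  Aggregate (not per-account) anomaly detection is the control this
    model points at."""
    return attempts * (1.0 - 1.0 / dictionary)


if __name__ == "__main__":
    D = N = ROUND = 10_000  # list size, accounts, guesses per round (comment's numbers)
    print(f"distributed round, P(>=1 account):    {p_at_least_one(D, ROUND):.4f}")
    print(f"focused attack vs lockout after 10:   {focused_attack_success(D, 10):.4f}")
    print(f"P(one account sees >5 guesses/round): {p_account_over_threshold(N, ROUND, 5):.5f}")
    print(f"extra failed logins per round:        {expected_failed_logins(D, ROUND):.0f}")
```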
I had this happen to me a few years ago. As far as I can tell, I was logged in to this account and had a cookie set, which they stole when I visited a malicious link. Make sure to check your filters - aside from erasing everything, they set up filters for canned responses that replied to every email with racial epithets then sent all email straight to permanent deletion, completely bypassing the inbox. Fucking assholes. Luckily it was a spam account that had no value. This is why I specifically log out every time, no matter what.
I thought Google had a system in place to detect these sudden logins halfway 'round the world? I've had Google deny the log-in and send me notifications when trying to sign in from a network in CA, for $deity's sake (I'm normally in FL).
posted by dozo at 12:02 PM on June 3, 2013
They used a mail program to send mail with your credentials, through gmail, but had "Keep a copy in Sent" off. Most email hackers are highly automated.
I don't know how gmail accounts get hacked, though jhc's description sounds accurate, but it's a huge pain. Use a secure password; longer passwords are not that hard to type, but are more secure. Set up the backup with your mobile phone. For important accounts like banks, gmail, credit cards, and sites you value, use unique, secure passwords.
I used the same password on NYTimes, Mefi, Gawker, etc, and when Gawker got hacked, my password was published. I got a lot more secure after that, but not on nytimes and other sites, because I don't pay for them, and they're low-value to me.
posted by theora55 at 12:24 PM on June 3, 2013
Mod note: Folks just answer the question please.
posted by jessamyn (staff) at 4:19 PM on June 3, 2013
posted by empath at 5:07 AM on June 3, 2013 [3 favorites]