Google sign-in alert question
December 26, 2016 11:36 PM   Subscribe

An email alert was sent to me a few days ago saying: Your Google Account was just used to sign in on Linux.

The details were:

Sat. Dec. 24
10:33 AM (GMT)
London, UK

At the time I was on a Cross Country train , neither to or from London.

I tried did try connecting to the train wi-fi around this time though. I have changed my password, but there are a lot of devices that are synced with this account and I'd like to undo the password change if I can. This account is not used for important info, but I obviously don't want to share it with persons unknown.

(My account has apparently not been pwned)
posted by Kiwi to Computers & Internet (11 answers total)
Is the email actually a spoofed email? Look at the headers and see if the Reply-To, or From: address looks similar, but not really, a Google address.
posted by alex_skazat at 11:39 PM on December 26, 2016

Response by poster: Sender is, and all links go to a google domain.
posted by Kiwi at 11:43 PM on December 26, 2016

Do you use a Linux OS? I have had these emails be wrong about the location, but not about the OS. I also only get them after cleaning my computer. If you used your regular device and don't typically receive these notifications from Google, I wouldn't change it back.

Bottom line is you need to keep it changed. Maybe turn on two-factor authentication for peace of mind.
posted by Trifling at 12:19 AM on December 27, 2016

Best answer: Check on the Google Account security page for the list of recent devices and activities. You can also get more granular information on recent email logins by clicking the "Details" link at the bottom of the main GMail window, including IP addresses of the clients that logged in. From experience, train wifi has some kind of proxy to block problematic content and high-bandwidth usage (as well as handling payment) and that's the case with CrossCountry (see section 4).

Anyway, this discussion suggests that the standard setup is a bunch of access points that route everything via VPN over the mobile phone networks to a central server (for instance, in London) for authentication and content filtering. That arrangement makes sense to me, and having that central server run Linux also makes sense. However, it's odd to see a secure connection like a GMail login recorded as "Linux" unless Google is using something other than a user-agent header to identify the source. (If it was a port 993 IMAP connection to a phone mail client that was proxied on, that would be more likely. But if you're not using a SSL connection in your device mail client, you really should, and your password may have been proxied in the clear.)
posted by holgate at 12:25 AM on December 27, 2016 [3 favorites]

If you google "google sign-in from linux" you will find other people experiencing the same thing. Might be worth having a read to see whether you can work out the source of it in your case.

However, it's odd to see a secure connection like a GMail login recorded as "Linux" unless Google is using something other than a user-agent header to identify the source.

It recognises that my MacBook is a Mac and that my phone is an Android, so it doesn't seem too unusual to me that it would recognise that a device is running Linux.
posted by kinddieserzeit at 1:52 AM on December 27, 2016 [1 favorite]

If you care at all about your account security, turn on two factor auth.
posted by LoveHam at 4:42 AM on December 27, 2016 [5 favorites]

When had you last changed your Google login?

I ask this because I've seen it postulated that Google (as well as others) send scare emails like this to push you into changing your login credentials more regularly. Most people would ignore a polite "It's been awhile, and we think you should change your password" email, whereas "There was an unauthorized attempt to get to your stuff" emails get a response.
posted by Thorzdad at 6:05 AM on December 27, 2016

Best answer: I use linux in addition to other systems and when I login to my gmail from it, I get such a message. The problem is whether the message you got refers to something you actually did, or whether (assuming it's really from google) someone else used your account. Is the time google said you logged in a time you logged in? If not, change your password immediately.
posted by Obscure Reference at 8:03 AM on December 27, 2016

Response by poster: Thanks for the suggestions, everyone.

The account is synced with the native calendar app on my phone, so I'm guessing the phone signed in to google automatically.

The ip address is 82.132.228.*** (I don't know if giving the whole address is problematic)
posted by Kiwi at 11:15 PM on December 29, 2016

That's a range under the control of O2. (This giffgaff thread brings up a similar situation, and speculates on proxying, but doesn't offer an answer.)
posted by holgate at 10:52 AM on December 30, 2016

Response by poster: I'm on giffgaff! Perhaps it was some roaming data related thing then.
posted by Kiwi at 2:03 PM on December 30, 2016

« Older What are things I should be looking for after a...   |   How to get over what I may or may not have done to... Newer »
This thread is closed to new comments.