Saturday, September 04, 2010

My Google (gmail) account is hacked - by ductus.com

9/20/10: I've updated this post to fix some errors. For example, I originally misread whois and thought Tucows owned the hacked domain; they are the registrar. My longer term evaluation and responses are in a separate post.

My Gmail/Google account has a robust password. So this notice surprised me:

It showed up when I connected to Gmail. I was told my account had been accessed from an atypical location 1 day ago. The next thing I saw was that it was accessed from ductus.com (WA, IP 63.83.70.14), a domain that belonged to a software company in the 1990s. [1]

I followed the advice and changed my password. I looked into my Google store account but didn't see any new transactions or sent email.

After my password change things got a little odd. My new password wasn't recognized. I had to do a password reset (fortunately I'd followed Google's password reset advice). That worked, but it's like going to the reserve parachute. It's a very bad thing. Not to mention that I now need to change my stored Gmail/Google password in about 30 places.

Clearly something bad is going down.

The best answer is that this is a false alarm. That's bad enough.

The worse option is that either my Google password has leaked or Google has a global security issue. A dictionary attack wouldn't work on my prior password; I don't change my Google password very often (like most security professionals), but it's a robust non-word five-letter, four-number sequence. (Now, of course, every string in my 58,000+ emails is potentially part of a dictionary attack. I will eventually need to change every password I and my family use.)

Assuming my Google password leaked, how did that happen?

I don't store my Google password with online services, but I can't rule out a leak from an old forgotten online account or a wifi intercept. I very rarely log in on public sites, but I do log in from work. My employer could certainly be logging my keystrokes, but it is very unlikely that my large corporate employer would take the risk of hacking my Google account via an abandoned domain (though HP did do something like that to its board members). On the other hand, we do get virus infections every few months, and I don't think we catch them all.

I do store my Google password in several iPhone apps. Any of those could steal that password, but they are all pretty high-profile apps.

For now I'm redoing all my passwords everywhere. This will take weeks, but I'll start with the highest security sites. I discuss the implications and possible attacker profile in a later post.


footnotes

[1] Ductus was a company in 1998: "Ductus, Inc. is a Mountain View, California-based company that develops and markets 2D graphics software and hardware http://www.ductus.com". So this domain was abandoned.

Update: If Google doesn't limit the number of login attempts, then my old password would be vulnerable simply because it was only 10 characters. That will fall to a brute-force attack. Interestingly, I can't locate any documentation on this. From my own testing I think the first time you access Google from a new location you have to enter a CAPTCHA as well as a password. If the password fails you keep getting a CAPTCHA.
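As an added illustration (not the blog's own code, and not Google's actual logic, which the post notes is undocumented), here is a small Python model of the login gate described above: a CAPTCHA on the first login from a new location, a CAPTCHA on every attempt after a failure, and an assumed hard cap on failures per hour, together with the guess count for a five-lowercase-letter, four-digit password so the effect of throttling can be compared against an unlimited attempt rate.

```python
"""Constructed model of a throttled login gate (not Google's real code):
- the first login from a new location requires a CAPTCHA
- after any failed attempt, every later attempt requires a CAPTCHA
- assumed policy: after MAX_FAILURES failures within WINDOW_SECONDS the
  account is locked until the oldest failure ages out of the window."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5        # assumed policy value; the post notes none is documented
WINDOW_SECONDS = 3600   # assumed one-hour window


@dataclass
class AccountState:
    known_locations: set = field(default_factory=set)
    failure_times: list = field(default_factory=list)   # timestamps of failed attempts
    captcha_required: bool = False


class LoginGate:
    def __init__(self, passwords):
        # Demo only: a real service stores salted hashes from a slow KDF, not plain SHA-256.
        self.hashes = {a: hashlib.sha256(p.encode()).digest() for a, p in passwords.items()}
        self.state = defaultdict(AccountState)

    def attempt(self, account, password, location, captcha_solved, now):
        st = self.state[account]
        st.failure_times = [t for t in st.failure_times if now - t < WINDOW_SECONDS]
        if len(st.failure_times) >= MAX_FAILURES:
            return "locked"
        # Unsolved CAPTCHAs never reach the password check, so they burn no guesses.
        if (location not in st.known_locations or st.captcha_required) and not captcha_solved:
            return "captcha_required"
        candidate = hashlib.sha256(password.encode()).digest()
        if hmac.compare_digest(candidate, self.hashes.get(account, b"")):
            st.known_locations.add(location)
            st.captcha_required = False
            return "ok"
        st.failure_times.append(now)
        st.captcha_required = True
        return "fail"


def keyspace(letters=5, digits=4):
    """Guesses needed to exhaust `letters` lowercase letters followed by `digits` digits."""
    return 26 ** letters * 10 ** digits


def hours_to_exhaust(guesses_per_hour, letters=5, digits=4):
    """Worst-case hours for an attacker limited to `guesses_per_hour` (e.g. the lockout cap)."""
    return keyspace(letters, digits) / guesses_per_hour
```

With the assumed cap of 5 failures per hour, exhausting the roughly 1.2e11 guesses for that format takes on the order of 2.7 million years, whereas an unthrottled endpoint accepting thousands of guesses per second finishes in days.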

Update 9/14/10 - useful links

4 comments:

Ken Schafer - Tucows said...

Hey Gordon,

Sorry to hear about your password problem.

I just wanted to clarify though that Tucows is the registrar for the domain and so it's not accurate to call it a "Tucows Domain". It's kind of like me saying "Verizon prank called me" because that's who the prankster uses for phone service.

In any case, changing the password was probably a good idea just to be safe.

All the best.

Ken.

Ken Schafer - Tucows said...

Sorry, I should have said "John".

John Gordon said...

Sorry Ken, I updated my post and revised the title.

Greekgeek said...

Was there always this much hacking, or has it really picked up this year?

I got mine hacked Thursday by the "My Plight" Gmail hackers.

I only log in from home, on a Mac laptop with an encrypted wifi network. Alphanumeric passwords.

I'm not a techie -- or haven't been since the Apple IIgs came out -- ;) -- but still, I'm pretty careful, and this is my first hacker that got me in 20+ years on the net(s).

I was really shocked to see how many reports of gmail hacking are all over Twitter and the web when I was looking for information on how to recover my account. The Facebook hacking didn't surprise me; their security seems to be lousy. But Google?