My Gmail/Google account has a robust password. So this notice surprised me:
It showed up when I connected to Gmail. I was told my account had been accessed from an atypical location 1 day ago. The next thing I saw was that it was accessed from ductus.com (WA, IP 63.83.70.14), a domain that belonged to a software company in the 1990s. [1]
I followed the advice and changed my password. I looked into my Google store account but didn't see any new transactions or sent email.
After my password change things got a little odd. My new password wasn't recognized. I had to do a password reset (fortunately I'd followed Google's password reset advice). That worked, but it's like going to the reserve parachute. It's a very bad thing. Not to mention that I now need to change my stored Gmail/Google password in about 30 places.
Clearly something bad is going down.
The best answer is that this is a false alarm. That's bad enough.
The less best option is that either my Google password has leaked or Google has a global security issue. A dictionary attack wouldn't work on my prior password; I don't change my Google password very often (like most security professionals), but it's a robust non-word five letter four number sequence. (Now, of course, every string in my 58,000 + emails is potentially part of a dictionary attack. I will eventually need to change every password I and my family use.)
Assuming my Google password leaked, how did that happen?
I don't store my Google password with online services, but I can't rule out a leak from an old forgotten online account or a wifi intercept. I very rarely log-in on public sites, but I do log-in from work. My employer could certainly be logging my keystrokes, but it is very unlikely that my large corporate employer would take the risk of hacking my Google account via an abandoned domain (though HP did do something like that to its board members). On the other hand, we do get virus infections every few months, and I don't think we catch them all.
I do store my Google pw in several iPhone apps. Any of those could steal that password but they are all pretty high profile apps.
For now I'm redoing all my passwords everywhere. This will take weeks, but I'll start with the highest security sites. I discuss the implications and possible attacker profile in a later post.
footnotes
[1] Ductus was a company in 1998: "Ductus, Inc. is a Mountain View, California-based company that develops and markets 2D graphics software and hardware http://www.ductus.com". So this domain was abandoned.
See also:
I followed the advice and changed my password. I looked into my Google store account but didn't see any new transactions or sent email.
After my password change things got a little odd. My new password wasn't recognized. I had to do a password reset (fortunately I'd followed Google's password reset advice). That worked, but it's like going to the reserve parachute. It's a very bad thing. Not to mention that I now need to change my stored Gmail/Google password in about 30 places.
Clearly something bad is going down.
The best answer is that this is a false alarm. That's bad enough.
The less best option is that either my Google password has leaked or Google has a global security issue. A dictionary attack wouldn't work on my prior password; I don't change my Google password very often (like most security professionals), but it's a robust non-word five letter four number sequence. (Now, of course, every string in my 58,000 + emails is potentially part of a dictionary attack. I will eventually need to change every password I and my family use.)
Assuming my Google password leaked, how did that happen?
I don't store my Google password with online services, but I can't rule out a leak from an old forgotten online account or a wifi intercept. I very rarely log-in on public sites, but I do log-in from work. My employer could certainly be logging my keystrokes, but it is very unlikely that my large corporate employer would take the risk of hacking my Google account via an abandoned domain (though HP did do something like that to its board members). On the other hand, we do get virus infections every few months, and I don't think we catch them all.
I do store my Google pw in several iPhone apps. Any of those could steal that password but they are all pretty high profile apps.
For now I'm redoing all my passwords everywhere. This will take weeks, but I'll start with the highest security sites. I discuss the implications and possible attacker profile in a later post.
footnotes
[1] Ductus was a company in 1998: "Ductus, Inc. is a Mountain View, California-based company that develops and markets 2D graphics software and hardware http://www.ductus.com". So this domain was abandoned.
See also:
- Facebook and Google introduce two factor authentication (10/13/10)
- Gordon's Tech: Google hack lessons - where the geek risks are (9/15/10)
- Gordon's Notes: After the Google Hack: Life in the transparent society
- Strong Passwords | Microsoft Security
- Password Checker: Using Strong Passwords | Microsoft Security
- Password Assistant | codepoetry
- Building Strong and Memorable Passwords (Part 4 of 4) - Corvus Consulting (uses OS X Password Assistant)
Update: If Google doesn't limit the number of login attempts, then my old password would be vulnerable simply because it was only 10 characters. That will fall to a brute force attack. Interestingly I can't locate any documentation on this. From my own testing I think the first time you access Google from a new location you have to enter a CAPTCHA as well as a password. If the password fails you keep getting a CAPTCHA.
Update 9/14/10 - useful links
Update 9/14/10 - useful links
- WARNING: Google’s Gmail security failure leaves my business sabotaged
- Lessons Learned from a Hacked Google Account
- Gmail and Google Apps Account Hacked But Restored Soon After (2009 -- all the things you may need to know to prove ownership of a hacked account.) Advice to check POP and other settings.
- My account has been compromised - Gmail Help
- Interesting Google employee discussions on forum - and hundreds of anguished responses. Read this to realize how big the problem is.
Hey Gordon,
ReplyDeleteSorry to hear about your password problem.
I just wanted to clarify though that Tucows is the registrar for the domain and so it's not accurate to called it a "Tucows Domain". It's kind of like me saying "Verizon prank called me" because that's who the prankster uses for phone service.
In any case, changing the password was probably a good idea just to be safe.
All the best.
Ken.
Sorry, I should have said "John".
ReplyDeleteSorry Ken, I updated my post and revised the title.
ReplyDeleteWas there always this much hacking, or has it really picked up this year?
ReplyDeleteI got mine hacked Thusday by the "My Plight" Gmail hackers.
I only log in from home, on a Mac laptop with an encrypted wifi network. Alphanumeric passwords.
I'm not a techie -- or haven't been since the Apple IIgs came out -- ;) -- but still, I'm pretty careful, and this is my first hacker that got me in 20+ years on the net(s).
I was really shocked to see how many reports of gmail hacking are all over Twitter and the web when I was looking for information on how to recover my account. The Facebook hacking didn't surprise me; their security seems to be lousy. But Google?