Hacked Gmail Account - madewulf
http://www.multitasked.net/2011/jun/27/hacked-gmail-google-account/

======
Matt_Cutts
The key part of the blog post for me is this: "To mitigate the risk, Google
recently launched two-factor authentication, a mechanism that requires you to
input, on top of your password, a code generated by an application installed
on your phone (iPhone, Android and maybe some others). I have activated this
today."

Anyone savvy enough to hang out on HN probably has a fair amount of valuable
info in their Gmail account (domain registration info, passwords/access to
shopping sites, etc.) and should activate two-factor authentication:
<http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html>

Is it a little more hassle? A bit. But when someone else tries to log in from
a new IP address in the Ivory Coast, or China, or wherever--they'll be
prompted for a PIN and won't be able to log in.

I activated two-factor authentication as soon as I could on my Gmail. I think
everyone reading this comment should too.

~~~
kelnos
I would _really_ like to activate two-factor auth for my GMail account, but I
just don't trust my phone that much. The battery life is terrible, and I'd be
afraid of losing access to my account if the phone breaks. Or what happens if
I lose my phone? Or if someone steals it?

Presumably there's a way to handle that case, but it still bothers me. On the
plus side, I'm using a Google Apps account with a domain I control, so I could
quickly switch to a backup mail provider, but it's of course a huge hassle,
and I keep a lot of email in my GMail account.

How do you deal with these kinds of issues? I really do want to use two-factor
auth, but this stuff scares me about as much as the possibility of getting
hacked.

~~~
sweis
Note that besides sending codes via SMS, Google's two-factor authentication
also supports time-based one-time passcodes (TOTP) that can be generated from
a mobile device. They also support a list of one-time printable codes. I kept
a couple of copies of these in my wallet and at home.

TOTP is an open standard and the mobile app is open source:

<http://tools.ietf.org/html/draft-mraihi-totp-timebased-03>

<http://code.google.com/p/google-authenticator/>

(Disclaimer: I worked on this.)
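
The TOTP scheme mentioned above, worked through as an added example (this is not the google-authenticator project's own code): HOTP from RFC 4226 underneath, the 30-second time counter from RFC 6238 on top, a server-side check that tolerates one step of clock drift and refuses a replayed code, and the otpauth:// provisioning URI that a site shows as a QR code so the authenticator app can enrol the secret. The secret is the RFC test-vector key, the account and issuer names are made up, and the code-generation functions alone are not enough to log in: the real password is still the other factor.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226), the scheme Google Authenticator implements."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Shared secret from the RFC 4226/6238 test vectors ("12345678901234567890" in
# base32). A real enrolment generates a fresh random secret for every account.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    pad = "=" * (-len(secret_b32) % 8)           # base32 input may arrive unpadded
    key = base64.b32decode(secret_b32.upper() + pad)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # low nibble of the last byte picks 4 bytes
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, digits=6, step=STEP_SECONDS):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, submitted, at=None, last_counter=-1,
                digits=6, window=1, step=STEP_SECONDS):
    """Server-side check. Returns the matched counter, or None on failure.

    Accepts the current step plus `window` steps either side (clock drift),
    compares in constant time, and rejects any counter at or below the one
    already accepted for this account (so a sniffed code cannot be replayed).
    """
    if at is None:
        at = time.time()
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, c, digits), submitted):
            return c
    return None


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI (label is issuer:account) that an enrolment page encodes as a QR code."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32))
    # Hypothetical account and issuer names, for illustration only.
    print(provisioning_uri(DEMO_SECRET_B32, "alice@example.com", "ExampleApp"))
```

The phone only ever holds the secret and the clock, which is why a third-party site can use the same app by handing it a secret and an account name through that URI. On the server, store `last_counter` per account after each successful check; without it a code observed over the shoulder stays valid for the rest of its 30-second step.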

~~~
jerrya
Looking at your links and the authenticator, is it the case that any third
party web app can use the google authenticator "merely" by providing a key and
account name?

Is anyone doing that?

I really like using the authenticator on my phone and would love to see other
web applications support it.

But I am curious, why isn't the authenticator itself password protected?

Also, fyi, while I understand _how_ to use application specific passwords, I
have no good understanding of what they do, how they work, why they are safe
or why I only have to enter them once. So they are confusing to me.

~~~
ElliotH
Application Specific passwords are designed to solve the case where an
application requires you to enter your Google username and password rather
than passing you to Google themselves to do the authentication.

The obvious risk of this model is what happens if an untrusted client steals
that password.

Since you haven't given it your actual Google password, it can still access
your data, but it can't change your password (you have to enter your main
Google password to do that) or change other critical settings, and if the
application is misbehaving all you have to do is click revoke, and it's gone.

You only have to enter them once because most clients nowadays provide a
'Remember my Password' functionality. Google assumes you will use this, so you
only need to enter your password once. If the password is forgotten you just
generate a new one.

~~~
jerrya
Thanks for the explanation, and sorry, I still am lacking a good model for
what is going on.

 _You only have to enter them once because most clients nowadays provide a
'Remember my Password' functionality. Google assumes you will use this, so
only need to enter your password once_

Is this really true? Because the documentation for the one time auth doesn't
indicate anything like that.

So I am confused as to what is happening in the background on Google's side.

My pseudo-model is that their password acceptance library looks for a
correctly identified two factor authentication OR a one time password out of
the user's one time password table.

But then I don't understand why these one time auths are one time! If someone
finds my phone, or accesses one of my other net accounts that was authorized
by my one time auth, they completely win until I can get back to google's page
to revoke them.

And related, I don't understand why the authenticator can't generate these one
time passwords -- MANY TIMES THAT WOULD BE A LOT MORE CONVENIENT than having
to go to the specific page on the web.

And also related: why is there no pin or password for the authenticator?

These are just questions I have -- I'd love to read a page or two that
discusses these issues -- I think having a good model of how and why it works
as it does would help me secure my data.

~~~
modeless
The reasons why the authenticator cannot generate Application Specific
passwords and why it does not need a PIN lock are the same: the entire point
of 2-factor authentication is that the authenticator by itself is _not enough_
to gain access to your account. You must separately provide both a code from
the authenticator _and_ your real password every time you log in.

There's no such thing as a "one time password". There are "Application
Specific passwords" which work exactly like your regular password except that
they limit access to critical account settings and can be created/disabled at
will. If someone obtains one of your Application Specific passwords then they
can use it to log in and access your data until you revoke that password but
they cannot change your real password and deny you access to your own account.

~~~
jerrya
_"If someone obtains one of your Application Specific passwords then they can
use it to log in and access your data until you revoke that password but they
cannot change your real password and deny you access to your own account."_

Ah. I think this is the key I hadn't understood till now. Thank you.

------
raldi
What I'd like is one-factor for my typical "log in and check mail, write back
to a few people" use case, and two-factor or a second password that kicks in
when I (or a bad guy) tries to:

* Log in from a computer that's never used this account before

* Set up a forward

* Make a mass mailing

* Change the password

* Do extensive searching or searching for suspicious terms ("password", "credit card", etc)

* Export a large amount of mail

...and other such things. That way, I don't have to be inconvenienced by
constantly having to use the second factor, but would still survive a stolen
laptop, keylogged password, or sniffed cookie with a contained amount of
damage.

~~~
plasma
Agreed; I got halfway through setting up Google's 2 factor but then was told
I had to use it for every login, instead of say when I was logging in from a
different IP or doing some big change.

~~~
dlokshin
You don't actually have to use it on every login. There's an option to
remember a computer for 30 days. I have this option ticked in a single browser
on my main laptop, and I input the verification key for everything else. Not a
pain at all and definitely worth the added security.

~~~
ern
If you use more than one browser per machine, you need to reauthenticate for
each one, which multiplies the inconvenience. Also the need to generate
passwords for apps that don't use 2 factor authentication (IMAP, IM clients).

Although, I still think it's worth the added effort.

~~~
rufibarbatus
If you feel your machine is well-secured and your passwords are properly
encrypted, you might want to set up a device-specific password for your
machine, with limited access somewhat as suggested in the top post. Then
you'll only need two factors to access your account settings.

The downside, like I pointed out in another comment [1], is that even with
(hypothetical) read-only access to your email account, a malicious party could
arguably steal your accounts elsewhere on the net — that being the main reason
why you'd want to have 2-factor authentication whenever possible.

But the trading the 2-factor auth for Google's disposable, device-specific
passwords is not at all unreasonable.

[1] <http://news.ycombinator.com/item?id=2699867>

------
yaakov34
I don't understand why so few comments mention that the "last chance form" is
a huge security hole. It seems like most of the information for filling it can
be seen by someone over my shoulder as I use Gmail. And it's apparently
completely automated and can be tried multiple times. I use a strong
passphrase and two-factor authentication for a reason, and this defeats it. I
already disable the "secret questions", since I don't want cracking the
account to be much easier than cracking the passphrase.

I would like Google to give me an option to disable the "last chance form" for
my account. Or, if they insist, I'd like the "last chance" to be to fly to
Mountain View and show Google my passport or a court order.

EDIT: and for extra bogusness, it seems that the information needed for the
"last chance form" can't be changed if it's compromised. I mean, I can change
my passphrase if I suspect it leaked, but how do I change the date when I
started using Gmail? Sounds like the best thing to do the moment a Google
account is compromised is to close it.

~~~
Tichy
Except you can't close it anymore.

~~~
yaakov34
I meant closing it after going through the "last chance" form. Although it
wouldn't surprise me if someone could go through it again and reopen it. Also,
if you left a computer with a Google login where someone could access it (not
smart, but people can slip up), then I guess the paranoid/high security thing
to do would be to close the account, since there is no way to know when the
gathered information would be used to access it. Changing the password would
be worthless.

------
hzay
I went through this two years ago. My ex was hacking into my accounts.

- He used the 'last chance form' to get into my gmail by entering the
password I'd given him a year before this (I'd changed the password twice
after giving him that password)

- He ran a dictionary attack on my college email which didn't have captchas,
then hacked gmail using the password that worked for my college email

- We were using shared vnc in college, he found his way to my firefox through
a mutual friend, installed a plugin that sent him all POST data and got into
my gmail again

I created a new gmail account after each incident. I had to abandon each gmail
account once it was cracked because of the 'last chance form'. Back then, you
only had to give it one or two correct past passwords, and it gave you access.
In hindsight, I've been remarkably dense, but it was a good, early lesson.

~~~
pavel_lishin
Sorry to focus on this (this is Hacker News after all), but did he write his
own Firefox extension for this? Or is there one available?

~~~
hzay
He told me he wrote his own.

~~~
pavel_lishin
To return from nerd mode, did you consider at some point relating your story
to an uncle, and then explaining the concept of "rubber hose cryptanalysis,"
and letting him connect a few dots?

~~~
hzay
:) No. I was playing a kind of zero-acknowledgement game, as a friend called
it.

------
llgrrl_
This is exactly why I'm using two-factor authentication for gmail (heck, I
even ported the two factor auth code generator to my watch so I don't have to
panic when my android phone runs out of battery -
<http://tnhh.net/pancake/chronos-otp.xml> :-)

However, I don't use Gmail for 'everything,' it's just too dangerous and I
feel that, done that way, Google knows more about me than they should. I think
everyone should be hosting the main email address under something that they
can surely control (your work/edu account, or a paid email service). My main
account is hosted on fastmail (I paid something like 12 bucks for three years)
and is cloaked under a dozen other email addresses.

Plus, for fastmail you get a free smtp account, and a standard IMAP account
(gmail's IMAP is weird). And they will respond if you're in trouble.

~~~
pavel_lishin
So, at this point, doesn't Fastmail know more about you than they should?

~~~
ams6110
Well Fastmail is in the business of providing an email service. Google is in
the business of targeting advertising to you based on what they know about
you.

Fastmail was recently acquired by Opera. I don't know if that changes
anything.

------
sorbus
> most distressing to me is that I am still unable to explain how those guys
> were able to get access to the account twice after I changed the password,
> security questions and backup email address from my Mac that does not seem
> to be compromised.

It sounds very much like the hackers were also using the "last chance form."
Consider that all of the information it requests is available through Gmail -
account registration data, names of tags, most emailed people, and
verification code (which was apparently emailed to him, and therefore present
in the compromised email account) (Note: I haven't used the form myself, I'm
going on the information in the article).

Also, the title is a bit link-baitish.

~~~
saool
I think the windows xp box he says he had his wife turn off had a trojan in
it.

~~~
sorbus
That doesn't make sense. He changed the passwords, as well as using Gmail's
ability to end all other sessions. Unless he was giving his SO (he never calls
her his wife) the password and she was logging in on that computer, there
should have been no way for a trojan on it to access the account.

~~~
yaakov34
They were probably using the "last chance" form to reset the password. That
form checks the IP address; if they had control of the XP machine, they could
have been using it to submit the form with a reasonable IP address and get the
account again. Once they lost that, no go. At least that's the only thing that
I can think of.

~~~
sorbus
Ah, that makes sense. I didn't realize that the form checks IP addresses,
though, in retrospect, that's an extremely obvious security feature to have.

------
51Cards
I haven't set up two-factor auth yet because I don't always have my phone
handy and my understanding of it is that on each log-in you need to use both
factors. My comments below are based on this understanding so forgive me if
I'm wrong.

What I would love is if instead it asked for both factors under these
circumstances:

- option A - on every login like it is now.

- option B - at least once every X days, with a warning that "within the next
three logins you'll need to use your second auth" so I will know when it's
coming without being locked out because my phone is dead.

- in both of the above cases ALWAYS require two factor auth every time I
change the account settings (like password, recovery addresses, etc.) Possibly
even require it when I try to do things like purge a mailbox entirely or bulk
email all my contacts.

Having this blended option would make it a no brainer for me

Edit: Thanks all for the clarifications below. I am going to give it a try.

~~~
jackowayed
As for not always having your phone with you, you can print out one-time
passwords. So you print some out, put them in your wallet (and maybe more in
your home), and then if you don't have your phone/your phone breaks/whatever,
you can use one from that list. But then that one off of that list is dead.

Also, I'm pretty sure there's some option where it only does the 2nd factor
once a month if it's on a computer it recognizes.

~~~
jedc
Yes, when you enter in the second-factor digits you can tick a box to have it
"remember" you for 30 days on that specific machine.

------
muppetman
I read a story similar to this a few weeks ago. The guy recovered his account,
changed all passwords, but then it was snatched again. Rinse and repeat, I
think he got it back in the end though.

Very strange - he thought he'd been targeted specifically.

------
unshift
tl;dr: don't give your password to anybody. we've been saying this since the
mid-90s but people still seem to slip up.

gmail's two-factor auth is nice and easy with the handy iPhone app. of course
nobody wants to complicate something like sign-in, but email integrity is very
important. facebook also has a similar two-factor auth process (though not as
nice; they text you, vs a nice app).

two-factor is a no-brainer at this point for managing your identity,
especially given the huge volume of leaked passwords we've seen in the past
month. it only takes a few minutes to set up and almost completely eliminates
problems like the one in this article. if you haven't set it up yet, do it
now! much easier than learning the hard way.

~~~
kingkawn
FB has been requesting my phone number to complete the authentication backups
for a few weeks now, and the ability to opt out is not clearly marked. I have
the nagging feeling that this is much more about getting my cellphone into
their system.

~~~
vegardx
Or just the fact that they are overwhelmed by users requesting to get their
accounts back. A two-factor solution is the only solution to the problem with
password reusing that we've been fighting since passwords were first thought
of. People are dumb, you can tell them a gazillion times to never use the same
password on different sites/programs/whatever, they still do it.

Also, by providing it via text messages compared to an application they reach
out to a much broader audience. Not just tech-savvy people like you and me,
who probably already had a proper password policy.

------
josephcooney
A friend of mine got his domain stolen recently. He believes his gmail was
brute-forced through a known vulnerability/feature when POP is enabled
<http://seclists.org/fulldisclosure/2009/Jul/254> . He did a write up
<http://secretgeek.net/sg_hijack_1.asp> and here
<http://secretgeek.net/sg_hijack_2.asp> . As soon as this happened to him I
turned on 2-factor auth and it works very well.

------
KingOfB
This happened to my girlfriend and I had a similar freak out. After asking a
few more questions she remembered getting an email to enter her gmail password
to get more storage space.... She knows better, but just didn't think about it
- it seemed legitimate. Ask your friend more questions, I bet she fell for the
same scam. I've met 4 people now that fell for the same one.

I'm also very concerned about the no 'restore' option from gmail. What good
are google backups if you can't initiate them?

------
someone13
A friend of mine had a similar problem with her Hotmail account.

It had been hacked, but the recovery questions hadn't been changed (mainly, I
think, because Hotmail makes it incredibly difficult to even find the option
to do this). We reset her password, changed everything, and the account got
re-hacked within 30 minutes.

This happened three more times until, eventually, the recovery questions were
changed and we couldn't get access. I posted on the support forums, regained
access, changed EVERYTHING (this included checking for email forwarding rules,
and so on).

Now, through all this, I told my friend to not sign in to the account (or use
MSN) from any computer except mine, to ensure that it wasn't a keylogger or
Trojan that was causing this. My machine was running an up-to-date version of
Ubuntu, on my home network, using HTTPS. So I'm pretty sure it wasn't a
trojan.

Unlike Google, Hotmail requires a human to look over your problem, so after
the third time we had to wait for a day to get the account accessed, we just
gave up. I signed in, copied down as many contacts as I could, then deleted
all the incoming emails. We ended up having to abandon her Facebook account
too, as the hacker accessed that and was spamming her friends. Her Tumblr, and
a couple of other accounts were toast also. We almost got her Facebook back, but
the hacker deactivated the account.

It was very frustrating trying to solve this, because I didn't know how the
account was being accessed! I opened a ticket asking the Hotmail support staff
to tell me how the password was being reset - not any more information, just
the method - and they came back with the standard "we won't reveal information
unless you have a search warrant or court order".

I love modern technology and all, but sometimes it's _REALLY_ frustrating.

------
madewulf
For the record, I don't think that Gmail security is bad, or worse than
something else. I just wanted to report my story, as I thought it would be
interesting. I am a bit overwhelmed by the reaction to this post, honestly.

------
eneveu
I've also activated two-factor authentication, and I don't think the drawbacks
he mentions are that problematic:

 _This indeed increases security, but tends to be a bit cumbersome (I often
have a depleted battery, for example, which could prevent access to my emails
from a computer) and does not solve other case (like somebody stealing my
laptop and using an already opened session)._

1) You can print a list of one-time passwords and store it inside your wallet.
If your phone's battery is depleted, you can use them to log in. You should
store another copy of this list in a safe place, just in case.

2) If somebody steals his laptop, he could always log in from another computer
and disable his session and/or change his password. He should use a password-
protected login on his laptop anyway, with an encrypted drive.

------
spacemanaki
I bet signups for Gmail's 2-factor auth spikes when stories like this start
circulating. It's awesome that they provide it. I fear it might be too much to
ask for my mom, grandmother, etc, who are probably more vulnerable to being
attacked in the first place (weaker, duplicated passwords for sure).

------
jarin
My Gmail account recently was compromised due to the MtGox intrusion, as I had
completely gotten lax with my password security practices (I noticed because I
was no longer able to log in to my Google account). The worst thing about it
is I knew better. I had 4 different passwords that I would use for different
types of sites, and it just so happened that my MtGox and Gmail passwords were
the same.

Thanks to my backup email account and 1password's ability to search accounts
by password, I was able to restore access and change every account password I
had gotten lazy about, before any damage was done. I turned on 2-factor
authentication for my Gmail and Google Apps accounts, and now I can finally
feel secure with only 2 passwords I have to memorize (Gmail and 1Password).

------
chapel
One thing you should check for if your email was compromised is the pop3
forwarding and imap. Attackers will forward your emails to their own accounts
using either or both. This makes it very easy for them to retake your account.

~~~
ianterrell
Another note is to check your "Reply-to" email.

A friend of mine's Gmail account was compromised (say her email was
iluvkittens@gmail.com) and they had subtly changed it (perhaps to
iluvkitttens@gmail.com). Her oblivious contacts (including me) replied to her
"cry for help," but the messages went straight to the hacker's address. This
kept her contacts in conversation with the hacker even after she regained
control of her account.
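
The Reply-To trick described in this comment is easy to miss by eye but easy to check by machine. As an added example (not code from the thread or from any mail provider), the function below parses a message, compares the Reply-To address with the From address, and flags a Reply-To that differs by only a character or two as a lookalike, using edit distance. The sample messages are constructed for the example, reusing the iluvkittens/iluvkitttens addresses from the comment.

```python
"""Flag a Reply-To header that is a near-duplicate of the sender's own address."""
import email
import email.utils
from email import policy


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_reply_to(raw_message, max_distance=2):
    """Return None when Reply-To is absent or equals From; otherwise a finding.

    verdict 'lookalike': Reply-To is within max_distance edits of From, the
    pattern from the comment (one extra letter in the local part).
    verdict 'differs': Reply-To points somewhere else entirely; worth a look,
    but it is also what legitimate list software and ticketing systems do.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1].lower()
    if not reply_to or reply_to == from_addr:
        return None
    distance = levenshtein(from_addr, reply_to)
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "distance": distance,
        "verdict": "lookalike" if distance <= max_distance else "differs",
    }


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = (
    "From: Kitty <iluvkittens@gmail.com>\r\n"
    "Reply-To: iluvkitttens@gmail.com\r\n"
    "Subject: stuck abroad, need help\r\n"
    "\r\n"
    "Please wire money...\r\n"
)
SAMPLE_CLEAN = (
    "From: Kitty <iluvkittens@gmail.com>\r\n"
    "Subject: lunch?\r\n"
    "\r\n"
    "Friday?\r\n"
)
SAMPLE_UNRELATED = (
    "From: Kitty <iluvkittens@gmail.com>\r\n"
    "Reply-To: support@example.org\r\n"
    "Subject: ticket opened\r\n"
    "\r\n"
    "see attached\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_LOOKALIKE, SAMPLE_CLEAN, SAMPLE_UNRELATED):
        print(check_reply_to(raw))
```

Run it over incoming mail from known contacts; the same comparison applied to the account's own configured Reply-To against its primary address catches the setting the attacker changed, before any contact replies to the wrong place.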

------
jdhopeunique
It would be nice if Gmail and Facebook had two separate passwords: one for
everyday login and another for administrative functions such as changing
passwords, forwarding options, etc.

------
16s
For those of us who never travel outside the continental U.S. (or wherever),
it would be nice if Gmail had an option we could check that read, "Disallow
international (non U.S.) access to my account."

This would add a small measure of protection, though is not ideal as
compromised machines (or proxies) in the U.S. could still access the account.

------
jeggers5
I'd say this is happening _a lot_ more than we actually hear about. He also
raises a good point about how if you gained access to a lot of people's gmail
a/c, you'd also get access to a lot of other services they use via the
password reset form.

------
pavel_lishin
So, it seems that the XP machine was the source of intrusions - I'd like to
see a follow-up.

~~~
iwwr
What role did the separate XP machine play? After changing the password and
dropping all active sessions, what else is there to allow someone in?

~~~
pavel_lishin
I have no idea, but he mentioned that the e-mail account was accessed from it,
and once it was shut down, the intrusions stopped.

------
paulnelligan
Something I do quite regularly is google search each of my passwords, and I
would advise anyone to do the same.

I found several older passwords with my login up on a file-sharing website not
so long ago. Luckily I didn't suffer the same fate as the writer's wife.

Also, I believe that google should have 'paid support' in place for this type
of situation. No doubt it would be profitable for them, and would save many
people quite a lot of pain.

~~~
alexdias
Following your tip out of curiosity, I googled one of my old passwords, which was
leaked in the most recent Lulzsec release (in MD5 form).

And there it was, in cleartext, on the second page of the search results,
along with the username that I used on battlefield heroes beta.

It was on a pastebin with another 60k combinations of usernames and passwords.

The password was only 6 characters in size though (along with every other on
that pastebin), so I guess that made it a certainty that it would get cracked.

~~~
paulnelligan
How about the other combos, were they also all 6 characters in size?

------
bwooceli
There is another layer of protection you can put in place - Google Apps. For
many people, spending the $10/year on a private domain with the 10 account
limit would be more than sufficient. Allocate one of those accounts to a
strictly administrative role with 2 factor authentication. That way, you can
self-serve on things like emergency password resets etc.

------
S_A_P
So I'm perplexed about how the gaming XP machine fits in here. I can understand
that maybe that machine was used to log into the gmail account once and the
auto login would have let the "hacker" in _once_. How then, if the user
changed the password and security questions, etc did this person access the
account 2 more times???

------
aj700
They should be asking for certain characters of your password now, to defeat
keyloggers. If you've got tons in the cloud, you need bank-level security. If
people can cope with it for banking, they can cope with it for gmail.

~~~
r00fus
I sure as hell hope they can't ask for certain positions/characters of my
password, as that would imply a non one-way function (ie, hash) applied to the
password stored on their servers.

LulzSec has proven why this might be very bad.

------
namank
I worry about this a fair bit. This is why I am in the process of cloaking my
gmail with a throwaway address (ping@namank.com)

And I just suggested gmail this:

----- Gmail runs my life, as it does yours! Yes, I have an alternate email
but whoever has my password can change it and then I'm LOST! You need to make
this hackproof (yes yes, I know. but please, at least TRY)

I suggest:
- Have a backdoor password. There MUST be a 24-48 hour window
between changing the backdoor password and the main password.

- Must be a 24 to 48 hour window between a password change and alternate email change. -----

------
paraschopra
Just enabled 'Two factor authentication'. Thanks for writing this. Made me
realize the loss I would incur if my account gets hacked.

------
riffraff
the "last chance form" (or "account recovery exam") really is a hard and
impossible to find thingy. Also, I frankly have no idea about when I started
using some services, and worst, no clue on how to find out.

------
RyanKearney
> Time now for some damage evaluation. I immediately saw that all contacts had
> been deleted (annoying but not too bad)

There's pretty much a one-click restore process now:
<http://i.imgur.com/1EYZ5.png>

~~~
Matt_Cutts
Please upvote Ryan's advice. Click on Contacts, then look for "More actions,"
then click "Restore contacts..."

You can find more info about restoring contacts at
[https://mail.google.com/support/bin/answer.py?answer=1069522...](https://mail.google.com/support/bin/answer.py?answer=1069522&hl=en)
or read the blog post from a few months ago at
<http://gmailblog.blogspot.com/2010/12/restore-your-contacts.html>

------
drivebyacct2
Not sure why any of these steps should lead you to fear about using Gmail.
Hosting your email yourself is almost surely more risky. Those hosting their
own email aren't going to have complex password recovery system with the abuse
protection that Google's has. There isn't going to be a warning system to
alert you that there have been sign-ons from foreign states/countries. There
isn't going to be two-auth out of the box unless you install the PAM module.

If your weak link, was, as usual, the human link... I would be inclined to
trust a system more catering to (forgive me) ignorant users.

I just worry that the mindset is, "I got hacked because I use Gmail, if I used
something else I'd be safer." and I find that logic to be pretty flawed.

~~~
pavel_lishin
> There isn't going to be a warning system to alert you that there have been
> sign-ons from foreign states/countries. There isn't going to be two-auth out
> of the box unless you install the PAM module.

Your points are valid, but why wouldn't these things exist? Doesn't code exist
to do this? And if not, is it truly difficult to write?

I'm not saying it's a trivial task, but someone who decides to host their own
e-mail would probably be willing to work at it.

~~~
there
<http://www.duosecurity.com/>

<https://github.com/duosecurity/duo_unix>

~~~
drivebyacct2
Just as a note, Google's "Google Authenticator" app for Android is open-
source, supports the open standard for OTP, and has a free OSS lib for PAM.

------
leon_
> I was very glad that the "last chance form" did work twice

> That's when I lost the connection again...

hmmm ...

------
swaits
You get what you pay for.

