ASK HN: How did they break into my Gmail acct? - light3

So I woke up today, checked my email and there's this whole list of undelivered mails, apparently someone or something had broken into my gmail acct and sent the following msg to everyone on my contact list:

Hey，
how are you doing recently?
I would like to introduce you a very good company and its website is
www.ele-stores.com. It can offer you all kinds of electronic products
that you may be in need,such as laptops ,gps ,TV LCD,cell
phones,ps3,MP3/4,motorcycles and etc........
You can take some time to have a check ,there must be something
interesting you 'd like to  purchase .
The contact email: elestores@188.com.  MSN: ele-stores@hotmail.com

TEL:  0086+13717782599

Hope you can enjoy yourself in shopping from that company !

Regards

They also decided it was a good idea to put that msg into my signature as well as set my account to vacation mode with the same vacation msg.

Obviously this was a very brazen thing to do, and they clearly made no effort to cover it up, neither was my password changed. So I figure this is more likely an automated thing, I left my account logged in with a firefox 3 browser at work (university firewall) overnight, which is when this occurred. So all signs point to some sort of an automated attack through the browser, does anybody know more about how this happened?
======
kqr2
Are you using <https://gmail.com> and/or have configured your account to
always use https? There are cookie based hacks.

<http://www.tgdaily.com/content/view/33207/108/>
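
A cookie-based hijack of the kind kqr2 refers to depends on a session cookie reaching the wire over plain http, which happens whenever the cookie lacks the Secure attribute; forcing https removes that exposure. The following is an added example, not code from the thread: it parses Set-Cookie headers from a constructed response and reports which session cookies a browser would still transmit on an http:// request (cookie names are placeholders, not Gmail's real ones).

```python
# Audit Set-Cookie headers for session cookies that would travel over plain HTTP.
# Added example, not code from the thread. Sample headers are constructed and
# the cookie names are placeholders, not Gmail's real cookie names.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

def parse_set_cookie(header: str) -> Cookie:
    """Minimal RFC 6265-style parse of one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)

def sent_over(cookie: Cookie, scheme: str) -> bool:
    """Browsers send Secure cookies only on https; all other cookies go on both."""
    return scheme == "https" or not cookie.secure

def audit(headers: Iterable[str], session_names: Iterable[str]) -> List[str]:
    """Names of session cookies a browser would transmit in cleartext over http."""
    wanted = set(session_names)
    return [c.name for c in map(parse_set_cookie, headers)
            if c.name in wanted and sent_over(c, "http")]

# Constructed sample response headers (placeholder names, not Gmail's).
SAMPLE_HEADERS = [
    "SESSION_A=ab12; Domain=.example.com; Path=/; Secure; HttpOnly",
    "SESSION_B=cd34; Domain=.example.com; Path=/mail; HttpOnly",
    "PREF=lang=en; Domain=.example.com; Path=/",
]
SESSION_COOKIES = {"SESSION_A", "SESSION_B"}

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS, SESSION_COOKIES):
        print(f"{name}: sent on plain http requests; readable on a shared network")
```

A cookie flagged here is exactly what "Always use https" protects, since the browser then never makes the plain-http request on which it would be sent.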

~~~
light3
I see... I wasn't using https before, I'll read more about this when I get back
home. Is this really common? Why does gmail not set https on by default?

------
rarest
Hello, I have just lost Danish to this firm so I will WARN everybody to deal
with this firm because it is a humbug firm. My last mail from them: FORGET YOUR
MONEY AND YOUR LAPTOPS

WARNING WARNING WARNING WARNING

~~~
rarest
I mean Danish kroner

~~~
rarest
SORRY ONE MORE TIME 6000,00 Danish kroner.

------
yan
In Gmail, Settings > "Browser connection", set to "Always use https"

