
Mysterious Gmail account lockouts prompt hack fears - RachelF
https://www.theregister.co.uk/2017/02/24/gmail_hack_fears/
======
dstroot
I was forcibly logged out of my google account across all devices the same
day as the cloudflare news came out. I am not aware of google using cloudflare
but I assumed they were "protecting me" somehow and dutifully logged back in
across my five devices.

It's actually more alarming that google says it is unrelated.

~~~
op00to
Same. I immediately thought they were connected. My iCloud session was also
logged out on a few computers.

------
quinnftw
Call me naive, but I REALLY think people are overreacting on this. Yes, the
timing does seem quite coincidental given the Cloudflare bug, but Google has a
pretty good record of being transparent with these things.

On top of this, Google does not use Cloudflare and as far as I know there have
been no reports of accounts actually being compromised, only logged out. I would
wager whatever maintenance routine they were carrying out accidentally
invalidated some user sessions.

------
ARothfusz
I suspect the lockouts happened when people tried to re-log back in and did
not know their passwords. According to
[https://support.google.com/accounts#topic=3382296](https://support.google.com/accounts#topic=3382296)
a banner on the Accounts help page says:

"During routine maintenance, a number of users were signed-out from their
Google accounts. If you were affected, please sign back in using your usual
username and password at
[https://accounts.google.com](https://accounts.google.com). If you can’t
remember your password or can’t sign in for another reason, recover your
account password here. For security reasons, our support agents are unable to
assist with password issues."

~~~
StavrosK
They didn't. My mom got it on her phone (for the Android session) and she
doesn't know how to log out.

------
blockoperation
The Google Cloud status page had a message about some 'long-lived' OAuth
tokens being invalidated on the same day that the mass logouts occurred. They
took it down quite quickly, and it doesn't appear in the incident history.

FWIW, I only use Gmail via browser (with the regular web-based sign-in, not
through Chrome/Chromium), and all of my sessions stayed intact.

~~~
mixedCase
This makes sense. Over here only Thunderbird got deauthed, everything else
(devices and apps) kept working fine.

------
bryanh
We manage many Google integrations and they had a large number of failed auth
tokens during the same window. I'm guessing it was related - but no details
have been shared yet.

------
anaxag0ras
This happened on my phone as well. Got a notification from Play Services that
something had changed in my account and I needed to log in again. My browser
session, however, remained intact.

------
Thriptic
This happened to me moments after visiting the paste bin containing one of the
Phineas Fisher after action write ups on my phone, so needless to say I was
initially pretty terrified.

I haven't seen any indications of new sign ins on my account, nor has my
friend who this also happened to.

------
xbmcuser
Google is denying and it could just be coincidental but I was logged out of
the only account that had a domain linked with Cloudflare. And as I manage that
domain for my dad who asked me for a password reset as he was also logged out
and couldn't recall his password.

------
dbg31415
So... any update on this? I just had to sign in across all my devices. Started
Thursday, I had one of my work emails log me out and I thought it was odd...
today was my main Gmail account. All of my accounts have now been signed out
at some point in the last 4 days.

------
urza
Happened to me as well on android phone I had to enter password and code from
sms into form I have never seen before on my phone. Then on desktop I had to
login into my gmail again.

~~~
anaxag0ras
> Then on desktop I had to login into my gmail again.

What browser do you use on your desktop? I was logged out on my android device
as well, but on desktop, on Firefox browser, I wasn't. My friend, on the other
hand, who uses Chrome was logged out both on his desktop and his android
phone.

~~~
urza
Chrome

------
jldugger
Was this not simply part of the Cloudbleed remedy?

~~~
joshstrange
No, Google confirmed they weren't related
[https://bugs.chromium.org/p/project-zero/issues/detail?id=11...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1139#c23)

------
macawfish
I was asked to sign in on my phone and was very suspicious!

------
uladzislau
My password didn't work and I had to reset it so I'm not sure if Google is
saying the whole truth here. The same timing as Cloudflare leak - couldn't be a
coincidence.

------
mordant
No, Google does not use CloudFlare.

