Gmail – some users being signed out of their accounts unexpectedly (support.google.com)
342 points by uladzislau on Feb 24, 2017 | hide | past | web | favorite | 154 comments



Can confirm this happened to me this afternoon on my Android. Went into a full panic mode. I refused to type passwords since I was worried it might have been another app imitating Google and I had no recollection of any action that would have required me to sign in again. I made sure that my password was correct on my laptop browser to ensure that I had not fallen for an account compromise. Eventually restarted the phone, ran the Lookout security app and then typed it on the smartphone.


> I refused to type passwords since I was worried it might have been another app imitating Google and I had no recollection of any action that would have required me to sign in again

Same for me! So follow-up question, how do we know if an Android app is the real deal? I opened the app switcher and it certainly said "Google Play Services" on top of the window asking for my password, and had the correct logo, but could another app present itself in the same way?


If you long press on the notification, a little info icon pops up and tapping that will take you to the App details page. That's an easy way to verify the package name and version. If it is a sketchy app and not Google Play Services, kill it with fire! (FWIW it was Google Play Services for me)


This is exactly what I was looking for, thanks!


I had the same issue. First I wanted to check whether the password I was using was still valid. So I verified/signed in on another machine in incognito mode. Once I had verified that the password was correct and still working, I then restarted Android, after scanning using Lookout (honestly not really sure how good they are). Rather than going through the "Google Play Services" notifications, I opened the Gmail app and checked if the past emails could be opened, after confirming that it was a legitimate app. I intentionally entered a completely incorrect password twice, assuming that if it went away it was a really well crafted phishing attempt. Eventually I entered the password.


> I intentionally entered a completely incorrect password twice assuming that if it went away it was a really well crafted phishing attempt.

That's a clever trick, I'll remember it for next time something similar happens.

I had the same paranoia as several other people in this thread (don't enter your password if you're prompted unexpectedly or without clear reason). I had the fortune that only a "trash" Gmail account got locked out, not my main one. So I verified on another machine, the password was unchanged, checked if I really hadn't registered any other important accounts with that email, and just gave in after an hour or so, to make the notification go away.


Guess what happened to me on my iPhone today in the morning when I took it out of airplane mode. Same thing. I didn't enter my password for the above-mentioned reasons.


> how do we know if an android app is the real deal?

You don't.

Not that it really matters, if you care about security you shouldn't be using Android in the first place.


Don't let the perfect be the enemy of good. Or in other words, I try to adjust my opsec/persec to a realistic threat model, not to my worst dystopian nightmares.


I think the point is that, Android is not what we would consider "good" security.


This is not about dystopian nightmares, this is about an OS where it's exceptional to EVER get an update, let alone get it in time.

If you go out to a shop and buy 100 Android phones, at least 99 will be running outdated OS versions with known security issues and no updates available.


But why aren't these Android phones getting hacked left and right, everywhere? Any idea?

Where I am (the Netherlands), Android is way more popular than iOS--I'm not attaching value judgement to popularity or otherwise, nor am I particularly doubtful of your claim that the average (cheap) Android phone is running an outdated version.

But if that's the case then what is going on?

Are they not juicy targets for hackers? (tons of personal information, botnet possibilities, seems valuable to me)

Or are they in fact being hacked quietly and we're not hearing much about it? Is everyone's cheap phone already part of a botnet and nobody realizes?

Is it perhaps that the exploits require physical proximity that hackers don't deem worth the risk?


Looking at active Android clients your claim might be correct (although I assume it is not 99%), but if he actually went out and bought a new "premium" phone which I assume most here would do it is most likely updated.


Is there a smart phone OS, that's actually usable, that is any better?


iOS.

BB10 would have been even better but they pulled the plug on that one.


Is iOS really that much better than an updated stock Android? Even if you find differences, they are not as big as you make it sound.

Comparing stock iOS with some old unupdated cheap phone with bloated Android is not fair.


I can't say if it's much better, but iOS devices do have some security features most Android devices don't have:

- hardware Secure Enclave (at the time of writing, only Samsung devices and the latest Google Nexus also have similar hardware, as far as I know)

- strong sandboxing (again, only Samsung devices with Knox can really compare)

- restrictions on which apps you can get, which filters out malicious apps (ex: fake Gmail app). It is void if you use jailbroken iOS or allow sideloading on Android.

- security updates are both more frequent (except Google devices, all Android manufacturers always lag behind for updates), and available to older devices (varies from manufacturer to manufacturer, but it's generally way less than Apple)

Of course, you need to factor in the delay to respond to security flaws (I don't have that kind of data), and other factors too, as well as decide if iOS suits you. That's for you to decide.


> Is iOS really that much better than an updated stock Android?

No, but updated stock Android phones are not really a thing, are they?


Same, got notification about both my Google accounts and was terrified it was some new phishing trick. Reading about Cloudbleed did not help matters either. At least I got extra motivated to secure up all my accounts, so there is that.


Shit, you just opened my eyes a bit. I woke up, saw 2 notifications about logging in again (got 2 accounts registered on my phone), and just typed the passwords in without a second thought. Never occurred to me that it could be a phishing attempt.


Happened to me an hour or so ago. Notification on phone suggesting I log in again. I ignored it like I ignore everything that doesn't seem pressing. Then hangouts refused to send a message, which made me think the login suggestion was legitimate. Must say, like you, I probably ought to have scrutinised it a bit more..


Turn on 2-stage authentication and use Last Pass or a similar password manager.

I can't really fathom how someone would have gained access to my account with those steps in place (and honestly if they did, I wouldn't even be mad because it's so impressive)... so I immediately assumed that Google was having a log-in problem.


I was signed out several times today. And I couldn't attach pdf-files bigger than 200Kb from Chrome. Then I logged in on Firefox and it worked again.


If you fear phishing, type the wrong password and see if it takes it. If yes, it's obviously a phisher app/site/whatever.


I've noticed that Facebook sometimes refuses to let me in the first time even though the password is correct. I try the same password again and voila!


Interesting. Are you using a password manager? How are you confirming that you've entered the password correctly the first time?


Same with me.


Update from Google status page:

We're still actively working to resolve issues with Identity/Authentication. Future updates will follow when there is significant progress to report.

To summarize; some long-lived OAuth tokens have inadvertently been invalidated. This may affect the following Cloud services and will manifest as authentication errors:

Cloud APIs using OAuth tokens, and related services that use them

gcloud SDK

Cloud Storage gsutil

Cloud Dataflow

Note: not all customers are affected by this.

OAuth tokens may be recreated by running the following commands:

$ gcloud auth application-default login

$ gcloud auth login

https://status.cloud.google.com/
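The failure mode the status update above describes (long-lived OAuth refresh tokens invalidated on the server, surfacing to every client as authentication errors until the user re-authorizes, which is what `gcloud auth login` does) is something an integration that holds thousands of users' tokens has to handle deliberately. The following is an added example, not code from this thread or from Google: the token endpoint, user names and the spike threshold are constructed stand-ins, and the error shape follows RFC 6749 section 5.2 (HTTP 400 `invalid_grant` for a revoked or expired refresh token).

```python
import json
from dataclasses import dataclass, field


class CredentialRevoked(Exception):
    """The authorization server rejected the refresh token as invalid/revoked."""


@dataclass
class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth 2.0 token endpoint (not Google's)."""
    revoked: set = field(default_factory=set)   # refresh tokens the server invalidated
    outages_left: int = 0                        # how many 503 responses to return first
    calls: int = 0

    def post(self, refresh_token):
        """Simulate POST /token with grant_type=refresh_token."""
        self.calls += 1
        if self.outages_left > 0:
            self.outages_left -= 1
            return 503, json.dumps({"error": "temporarily_unavailable"})
        if refresh_token in self.revoked:
            # RFC 6749 section 5.2: an invalid or revoked refresh token is
            # reported as HTTP 400 with error=invalid_grant.
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "Token has been revoked."})
        return 200, json.dumps({"access_token": "at-" + refresh_token,
                                "token_type": "Bearer", "expires_in": 3600})


def refresh_access_token(endpoint, refresh_token, max_retries=3):
    """Return a fresh access token; retry transient errors, never invalid_grant."""
    for attempt in range(max_retries + 1):
        status, body = endpoint.post(refresh_token)
        payload = json.loads(body)
        if status == 200:
            return payload["access_token"]
        if status == 400 and payload.get("error") == "invalid_grant":
            # Retrying cannot help: the grant is gone and only a new user
            # authorization (the equivalent of `gcloud auth login`) fixes it.
            raise CredentialRevoked(payload.get("error_description", "invalid_grant"))
        if status >= 500 and attempt < max_retries:
            continue  # transient upstream failure: try again (backoff omitted)
        raise RuntimeError("token refresh failed: %d %s" % (status, body))
    raise AssertionError("unreachable")


def run_job(endpoint, user, refresh_token, reauth_queue):
    """Run one integration job; on a revoked grant, pause it and queue re-auth."""
    try:
        token = refresh_access_token(endpoint, refresh_token)
    except CredentialRevoked as exc:
        reauth_queue.append(user)
        return {"user": user, "status": "paused", "reason": str(exc)}
    return {"user": user, "status": "ran", "token": token}


def mass_invalidation_suspected(results, threshold=0.25, min_users=4):
    """True when a large share of distinct users hit invalid_grant in one run.

    A few revoked grants per run is normal churn (users revoking access); a
    sudden large fraction across unrelated users points at an upstream
    invalidation event rather than a bug in the job code. The threshold is a
    constructed example value, not a recommendation.
    """
    users = {r["user"] for r in results}
    paused = {r["user"] for r in results if r["status"] == "paused"}
    return len(users) >= min_users and len(paused) / len(users) >= threshold


if __name__ == "__main__":
    # Constructed scenario: the server invalidated three of five users' tokens.
    endpoint = FakeTokenEndpoint(revoked={"rt-bob", "rt-carol", "rt-dave"})
    queue = []
    results = [run_job(endpoint, u, "rt-" + u, queue)
               for u in ("alice", "bob", "carol", "dave", "erin")]
    print("paused users needing re-auth:", queue)
    print("mass invalidation suspected:", mass_invalidation_suspected(results))
```

The point of the split is operational: a 503 is retried, an `invalid_grant` is never retried (it only adds load and noise), and the ratio of affected users is what tells an operator whether to look at their own deploy or at the provider's status page.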


It's odd that the status pasted in the parent has disappeared from https://status.cloud.google.com/ , as the page seems to be designed to keep event history - but it's not in the history. I can still find it in Google's own cache, though - in the snapshot of the page as it appeared on Feb 24, 2017 11:19:38 GMT.


Actually ended up wiping my phone because this coincided with a weird set of text attachments I got from someone who didn't knowingly send them. At that point I wasn't sure that my phone wasn't being keylogged, so I wiped to be on the safe side.


As an InfoSec guy, I confirm you did the right thing. Better safe than sorry!


The text attachments were probably some mail agent mime parts mismatch.


libstagefright for the win!


OT: they mention that they've "gotten reports about some users being signed out of their accounts unexpectedly". I'm wondering how they get any such reports since it's almost virtually impossible to contact anyone at Google.


It happened to google employees too (my guess).


Paying GSuite customers can report the issue via telephone, chat, or email: http://imgur.com/a/vcMa2


It took some time. I was logged out yesterday somewhere between 22 and 23h CET, went on Twitter to check if more people had the same problem (yes) and if anyone knew what was up (nothing), the tweet from Google confirming that something happened and it was not a security incident was after 6AM the next day.


I assume they monitor (in)successful auth attempts and noticed a spike aside from noticing issues internally.


We noticed this affecting tens of thousands of users on Zapier last night, causing us to wonder if we'd shipped a critical bug. Zaps using Google apps are still paused[0] while we wait it out.

[0] https://status.zapier.com/


Anecdotal, but I know of roughly two dozen users that are not using Zapier in any way that were also affected by this.


Got a pop up on my mobile. How to check the pop up was not impersonated by a different app?


On some versions of android if you long press on the popup it will show you which app it's from. This obviously doesn't work for not-android and older versions, though.


On Mac it is so easy to steal a password. In JavaScript: var gmailPw=prompt("Facetime requires your password to login"); macOS asks for it every week/month for one reason or another, people are conditioned.


My thoughts exactly. Just close the popup and open any Google app to verify that you cannot access the app without signing in again.


I had this issue too. I'm already on two-factor with Authenticator, so it wasn't a big deal. Since nothing had changed with my account, and the device history looked proper, I assumed it was a token expiration deal. Which is what it turns out to be. Good to know that was the problem.


The nicest thing about this affair is that Google Play Services kept popping out every few seconds asking me to enter the password while I was driving (using Waze).

Is it that whatever the issue that caused all this kept happening again and again every few seconds, or is it that once Google Play Services determines you have to login back, it intentionally nags you making your mobile hard to use?


No surprise that I've only heard about this by reading it on HN, despite the fact that I had this problem yesterday. I consider it an operational failure when customers are the first ones to identify issues, double fail when they are not proactively made aware of issues that WILL affect them.

Like others, I also had a moment of extreme panic where I thought something had been compromised, as it also seems to have coincided with an issue where Google Voice SMSes (2FA) were not going through.


Happened to my work account and my personal. Got a scary notification on my phone telling that "Something changed on my phone and I need to login again"


So Google does not know the reason but tells us to stay calm? I was and am creeped out majorly by this.


Better than telling you to panic, right?


Well even if there is no immediate danger, still it "proves" that Google has problems controlling its security and/or software engineering process.


I assumed this was a reset from Google due to the Cloudflare stuff, but seems like it wasn't?



Well, he said that it wasn't. But then refused to say more, and disabled comments.

Strange.


It's not strange at all?

Imagine you walked into a group of people, talking about one thing. You started talking about something completely random and different. They want to continue their conversation, you keep interjecting with questions about your random thing.

If they could, they'd probably turn you off so you couldn't talk, or go to another place to talk about it.

That's precisely what happened here.


I would imagine that was because the comments are intended for discussion about that particular issue, not for random users to jump in with wild conjecture on its impacts. Honestly not that strange.


he was nice enough to answer the off-topic question, and the person who asked decided not to believe him and continued to take the discussion further off topic. The only good way to handle that sort of thing is to lock the thread.


> But then refused to say more

What more is there to say?


A link to an announcement on the issue?


Not in a random unrelated bug that people hijacked to discuss a different problem, no.

I think there's nothing special about refusing to discuss stuff there and disabling comments.


That's true, if it is "a random unrelated bug".

I suspect that there will be many such reports in coming weeks. And lots of denial, and refusal to comment.


That would have been the best outcome. As it is, I'm left with concerns. Maybe it is related, but he's been instructed to not comment. Maybe it's a National Security Letter. Or whatever.

And yes, maybe he was just stressed out, and didn't want to be pestered with conspiracy theory ;)


I would be surprised if Gmail sent any tokens or credentials via Cloudflare


Third party sites where the Google account was used for authorization could have transmitted data through Cloudflare. (Think "Log in with Google" button on millions of sites.)


Fear might be shared email/passwords since that's really common.


What's the fear? Aren't all passwords encrypted on the server side?


But if an in-transit plaintext password is leaked by CloudFlare, server-side encryption is irrelevant.

(... that said, it's not like revoking sessions would impede a password-holding adversary...)


It would for users that have 2FA enabled.


Perhaps they are worried about active oauth tokens having leaked?


That was my first thought. Maybe accounts with google credentials exposed in some way had a forced logout to invalidate exposed auth token?


Does Google use cloudflare? Don't they do everything themselves?


Yes. They integrate as a proxy for Google's cloud stuff.

https://blog.cloudflare.com/cloudflare-is-now-a-google-cloud...


Not quite. CloudFlare is available to users of Google Cloud, but Google services don't use CloudFlare.

The only exception I could imagine would be some service that was brought in as part of an acquisition but has not yet been migrated to Google's internal platform. Obviously not applicable to products like Gmail or other core G Suite apps.


Happened to me on mobile and work. And my @google account - we truly are dogfooding :-)


Is it connected to Cloudflare incident?


No. Just coincidental timing.

https://bugs.chromium.org/p/project-zero/issues/detail?id=11...

Gmail doesn't use cloudflare.


Title is misleading - I wouldn't say Gmail. It's disinformation. It's generic Google Account issue. I got logged out from my Android device suddenly. Logging in a few hours later worked out just well.


https://myactivity.google.com/myactivity

>10:44

>Visited Sign in using backup codes - Accounts Help

I don't recall signing in using backup codes..

Nothing odd appears in https://myaccount.google.com/notifications?pli%3D1


That's the page linked from this post, not an actual sign in


Related - OnHub & Google Wifi devices reset due to Google Accounts bug: https://productforums.google.com/forum/m/#!topic/googlewifi/...


A lot of people probably left with accounts created for their Android phones and no idea what their password is.


Happened to me too, pain to log back in on google play (not allowed to paste password in)

It initially gave me a message that something had changed and I needed to log in again, I can't remember if that was on outlook (yes, I use outlook to get my gmail) or on google play.


> not allowed to paste password in

This kills me oh so very much.


AutoHotKey


Is that something for phone or computer? Because I was talking about my phone.

Would prefer if keepass2android had some autotype feature built in for android :D


It has. Don't use clipboard to propagate the password but use keepass2android's keyboard.


This happened to me too. And having 2FA enabled makes it a pain when you are logged out of _all_ your devices. I checked my usage history but could not find anything. And this article really does not explain why.


I got logged out from multiple accounts on multiple devices. Today is being a pain :(


Happened on my phone and my Mac. I thought it was odd but wrote it off to a developer having programmed a computer to be stupid somewhere. Turns out I was right.


Incidentally, recovering a Google account password from a phone, when you have access to said phone but haven't given them the phone number, doesn't work. I kept being told that Google will send a token to the phone, and got a dialog saying 'do you want to log in?', I pressed yes, and nothing good happened.

Fortunately it was a test phone with a throwaway Google account - otherwise I'd have known the password.


I suspect that their phone recovery service's capacity is overloaded right now with everybody else trying the same thing.


I wonder whether this is why every Google router (OnHub, Wifi) on Earth shut down about 2PM PST yesterday and requires a factory reset to get running again.

https://productforums.google.com/forum/#!topic/googlewifi/38...


I was booted off YouTube streaming on my AppleTV. Then my main account disappeared from iOS GMail app, even though a secondary GMail account was still there.

Was afraid my account was hacked. My Gmail password is unique and quite long compared to my other passwords so I doubt someone could find it.

I added the account again on the iOS GMail app and then signed in YouTube and it was back to normal... hmm.


At google's scale, it seems "some" === 10 million :-)


This happened to my Android phone yesterday while I happened to be going around updating my passwords all over the Internet because the ones where I had used the same one were getting attacked left and right over the past few weeks. I never used that password for Google but I thought just maybe there was a forgotten access point to my account where I had. It sent me into quite a panic for 10 minutes or so. Needless to say, I'm now using a password manager for everything, even on sites where I wouldn't normally care if someone got in.


Happened on both my Macs roughly 12h ago, on two out of three accounts. Had 2FA configured for Google Authenticator, so took the time to refresh the OTP and bind it to 1Password instead.


Same here … I have a few Google accounts and on most devices, I was logged out (and I use the same Google account usually more than once on a device, so today is going to be busy!).


This happened to me. Since I've had my Google account breached once (and my mother had an awful experience), I have 2FA enabled... but the text messages weren't arriving (I guess Google was swamped or something).

I fortunately had the ten backup codes.

I'm really happy to hear it wasn't another attack on my account. It also reminds me that Google can be unresponsive :( and how much I depend on them (both my Gmail and my Android were warning me)


Only happened on my phone, not desktop/laptop. Haven't logged in as it could be some sort of attack. Any updates/info? Is a phone wipe in order?


Happened to all my email accounts I have on my Android phone. I thought this was a planned, intentional change by Google and so I logged in with 2FA...


When this happened to me on my mobile; I had to dig up the password from my password manager. Then it asked me to NFC/tap my physical security key (YubiKey). Then the screen disappeared and all was well.

I've never seen that flow before with the security key; usually it's the SMS/Google Authenticator.

Still haven't fixed my email clients on my Mac, lol.


Definitely a wild weekend for InfoSec everywhere.


I actually thought that some sort of phishing attack was going on because my old password didn't work and I had to reset it.


Happened to me too this morning, all my devices (mobile, laptop, desktop) all signed out :S I thought something fishy was going on.


On my wife's iPhone, it asked her to enter her password again and the weird thing is that it now shows as a new device, called "iPhone" instead of "Cristina's iPhone" as it was before. A few hours later it happened on my Galaxy S7 as well but re-entering passwords fixed it.


I don't believe I'll be signing in again on my Android tablet. I've installed the apps I want, and being signed in is an extra risk, so I'll just curse Google every day for making me work around their begging me to sign in again, instead.


Same happened to me last night, but only on my phone. It said something "had changed" in my account wtf.


I had this hit me today. It happened right after I had disconnected from a VPN connection and connected directly to the internet. I assumed it was caused by a sudden change in "location". I guess not. I use 2FA, so I'm assuming I'll be ok. Maybe I should change my password.


Also had this happen to me and had my parents call me asking about it. A few warning bells did go off in my head, but as far as I could tell it all looked legit. Kind of disturbed by the lack of communication by Google though, since it seems to be affecting so many people.


I had this happen on two of my devices: Android Phone and laptop (macbook).

Seeing as it happened on two different devices, I have little reason to believe it's some sort of Android Malware. Attempting to login with my old password on incognito is a success.

Compromise or not, I recommend changing passwords.


This happened to me also. And: All the apps I used to authenticate, are gone (eg. IFTTT, Unroll.me, …).


I first thought that this was because I hadn't yet accepted the new-ish ToS after they decided to cross-reference history for ads a few months ago... signing back in popped up another 'agree to ToS' as part of the process.


Yep, happened on both my Android phone and the Remix Mini attached to the TV. No issues on any of the PC's I use though.

Would it even be possible (assuming say full ownership of the device) to fake the 2FA and still log you in to your account?


Could be this related to cleaning/securing up after the cloudbleed accident?



Happened on one browser, of one device this afternoon. Other browser on the same computer, and other devices, were not impacted...

Like most here I assumed it was just a random, regular occurrence, and didn't pay much attention.


Woke up to this message on both my phone and the wife's. Problem was, the correct password did not work in either case, so had to recover using a text message. This suggests something more serious.


I don't usually do +1 posts but...

Had this happen to me on my Android. Real pain in the neck since I have 2FA and I use an offline password manager that I had to re-sync to get the password over to mobile.


This happened to me. Thought I was either being fired & locked out of my account, or that I had fallen for a phishing scam. I don't know which one would be more embarrassing.


Happened to me. Signed out of all my devices & browsers!

I thought I was in sleep and had signed out of my mobile. But then same in mac. Then I thought some issue for sure.. And reports are here...!


Yeah, same here. I was trying to figure out if I had done something to trigger it or, worse yet, if I'd been "hacked" (or someone got close and Google noticed and killed all my sessions).


Me too! Said something in my account 'had changed' when nothing had. I've had to re-authenticate everywhere. So now they know.


It happened to me in my phone and Chrome browser on my desktop; but my password did work (using 2FA). Both use "app passwords".


Happened to me with a Gmail.com account and 2FA enabled. Checked Google's security log and everything seemed normal.


Happened to me too, only on a work email attached to a custom domain though and not on any of my Gmail.com ones. Strange.


Maybe they are migrating user credentials to SHA-2 and don't want to be too open about it till it's over.


I got bounced from iOS gmail app and can't sign back in in that app only. Logging in works everywhere else


Happened to me as well. I had just reached 100% utilization on Google's 19gb, thought it was due to that.


Same for me as well. I just assumed my account was being under potential compromise, changed password, etc.


Same here. Both primary @gmail.com and on-domain accounts were logged out (not at the same time though)


Happened to my phone this afternoon. Odd, but thought it was because of my vpn bouncing my IP around.


Started happening around noon pacific for me.


Ahh, my wife mentioned this happened to her this morning, she thought her account had been breached.


I guess this has something to do with the new feature of sending money through Gmail?


According to Tavis Ormandy this had nothing to do with the Cloudflare data leak, but I'm not so sure about that. It may not be directly related but could be indirectly related to what Google did about the Cloudflare issue. It's just too much of a coincidence.


If there's anything that I've learned over the years it's that you can have two seemingly related outages that are in fact completely unconnected to each other.


Doesn't seem improbable that a Google employee somewhere might have chosen to invalidate a bunch of tokens based on the cloudflare issue. There are 3rd party sites that accept Google account auth. Also not that big a jump that it wouldn't have been communicated well. Google doesn't always follow up with some kind of "what actually happened" postmortem either.


Happened to me as well, I was signed out of every device I use google on.


Happened to my phone too. Sudden alert without any explanation.


Is there any kind of report or ongoing investigation blog?


This happened to me yesterday on my Android phone.


Happened on two accounts today.

ps: why the German text?


I think google tries to get/guess your location and then gives you the language of that region.


Yes. If there only were a header that could tell the server which languages the user considers acceptable..

No, geolocation is probably a great idea. /s


Seems not to happen on 2fa accounts


It happened on mine.


Happened on mine too. In Chrome I had to re-auth with 2FA, in iOS I just had to pick my gmail account from the account list without even reentering the password. Very strange.


This happened to me on Hangouts.


Same here. Had to log in again.


Glad my Gmail account is no longer my primary email. Haven't seen issues with it on desktop, but my Windows phone is repeatedly spamming a "your Google account information is out-of-date" message.

Nothing in the Google Account panel for recently security changes though.


>We're investigating, but not to worry: there is no indication that this is connected to any phishing or account security threats.

This statement is as ridiculous as it gets.


Why?


They admit they do not have enough information to determine the cause, yet they suggest there is little security risk. They can either not know or not know, but not both at the same time.

At least that is how I understand the statement.


"They admit they do not have enough information to determine the cause" No, they didn't.

It did not say "we have no idea, but it's probably not security related". It said "we are still investigating, but it's probably not security related".

Those are very different statements. The first, yeah, reasonable complaint. The second could mean a lot of things. Usually, in these situations, people want to be able to put numbers on things, etc.

So it could reasonably mean something like "a bunch of machines are falling over in a datacenter with out of memory, we've determined why, it was an internal bug, fixed it, but are still gathering data about how much was affected, etc, before we say more".

Or whatever. I.e. saying "we are investigating" doesn't necessarily mean they are investigating the root cause, they could be investigating how long it will take to fix it, ....



