Hacked Gmail Account (multitasked.net)
389 points by madewulf on June 26, 2011 | hide | past | favorite | 164 comments

The key part of the blog post for me is this: "To mitigate the risk, Google recently launched two-factor authentication, a mechanism that requires you to input, on top of your password, a code generated by an application installed on your phone (iPhone, Android and maybe some others). I have activated this today."

Anyone savvy enough to hang out on HN probably has a fair amount of valuable info in their Gmail account (domain registration info, passwords/access to shopping sites, etc.) and should activate two-factor authentication: http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu...

Is it a little more hassle? A bit. But when someone else tries to log in from a new IP address in the Ivory Coast, or China, or wherever--they'll be prompted for a PIN and won't be able to log in.

I activated two-factor authentication as soon as I could on my Gmail. I think everyone reading this comment should too.

I'll take the opportunity to address some of the complaints I've seen in many comments through this page.

Q: It's too much of a hassle to generate and write a PIN with every login I do!

A: Not so. Google can 'remember' an authorized device for 30 days, so assuming you mostly use the same few devices all the time, the added hassle is very little compared to what you're construing it to be.

Q: But I use many browsers on many devices! (AKA: "But I'm a webdesigner!")

A: Google lets you create limited-access, easily revocable, device-specific passwords. You may consider creating one of these for each device that you actually own, but then you're reducing your security to somewhere between 1 and 2 factors.

When making that choice, keep in mind that in a worst-case scenario, access to your email = access to all of your other online accounts.

Q: I don't always have access to my mobile!

A: No worries! When you set up 2-factor auth, Google makes you print a little piece of paper with 25 one-time disposable passwords for just such cases.

This is all true and correct, but I ran into a paradox when I had 2-factor auth turned on about a month ago. To save you all the long story, I was forced to use the backup disposable one-time passwords after I couldn't access my phone (signed out of the Authenticator app) and the backup number was a Google Voice number (stupid, I know) which required signing into the account...

For some bizarre reason, none of the one-time use passwords were working at all. This was shocking and I realized in an emergency, this would not do. As soon as I got net access and into the backup email address, I turned off 2-factor auth. I'm sure for others who didn't have this edge case paradox issue brought on by stupid me and actually working backup one-time-use passwords, 2-factor is a great choice. And I wish it were for me as well, but it isn't right now.

I ran into this as well (Google Voice handles my texts and I couldn't read them without being logged in) but they provide an option to call as well (even though I didn't choose this as my preference) and Google Voice still rang my phone without me being logged in. So disaster was averted.

Hmm, I only got a txt message option to backup number (gvoice) iirc. My memory is a little hazy though.

Here, let me grab a screen for you:


Notice the 'Get a verification code with a voice call' link. Hopefully you live in a country where they speak your own language, because here in Brazil, whether you get the call in English or (either) Portuguese is completely unclear.

Here's what happens when you click the 'other ways' link:


The first option works as usual, the second accepts only the latest and seems to have had unexpected behaviour with you, and the third will take you to a 2-step-specific last-chance recovery form.

I would really like to activate two-factor auth for my GMail account, but I just don't trust my phone that much. The battery life is terrible, and I'd be afraid of losing access to my account if the phone breaks. Or what happens if I lose my phone? Or if someone steals it?

Presumably there's a way to handle that case, but it still bothers me. On the plus side, I'm using a Google Apps account with a domain I control, so I could quickly switch to a backup mail provider, but it's of course a huge hassle, and I keep a lot of email in my GMail account.

How do you deal with these kinds of issues? I really do want to use two-factor auth, but this stuff scares me about as much as the possibility of getting hacked.

Note that besides sending codes via SMS, Google's two-factor authentication also supports time-based one-time passcodes (TOTP) that can be generated from a mobile device. They also support a list of one-time printable codes. I kept a couple of copies of these in my wallet and at home.

TOTP is an open standard and the mobile app is open source:



(Disclaimer: I worked on this.)

Looking at your links and the authenticator, is it the case that any third party web app can use the google authenticator "merely" by providing a key and account name?

Is anyone doing that?

I really like using the authenticator on my phone and would love to see other web applications support it.

But I am curious, why isn't the authenticator itself password protected?

Also, fyi, while I understand how to use application specific passwords, I have no good understanding of what they do, how they work, why they are safe or why I only have to enter them once. So they are confusing to me.

Application Specific passwords are designed to solve the case where an application requires you to enter your Google username and password rather than passing you to Google themselves to do the authentication.

The obvious risk of this model is what happens if an untrusted client steals that password.

Since you haven't given it your actual Google password, it can still access your data, but it can't change your password (you have to enter your main Google password to do that) or change other critical settings, and if the application is misbehaving all you have to do is click revoke, and it's gone.

You only have to enter them once because most clients nowadays provide a 'Remember my Password' functionality. Google assumes you will use this, so you only need to enter your password once. If the password is forgotten, you just generate a new one.

Thanks for the explanation, and sorry, I still am lacking a good model for what is going on.

You only have to enter them once because most clients nowadays provide a 'Remember my Password' functionality. Google assumes you will use this, so you only need to enter your password once

Is this really true? Because the documentation for the one time auth doesn't indicate anything like that.

So I am confused as to what is happening in the background on Google's side.

My pseudo-model is that their password acceptance library looks for a correctly identified two factor authentication OR a one time password out of the user's one time password table.

But then I don't understand why these one time auths are one time! If someone finds my phone, or accesses one of my other net accounts that was authorized by my one time auth, they completely win until I can get back to google's page to revoke them.

And related, I don't understand why the authenticator can't generate these one time passwords -- MANY TIMES THAT WOULD BE A LOT MORE CONVENIENT than having to go to the specific page on the web.

And also related: why is there no pin or password for the authenticator?

These are just questions I have -- I'd love to read a page or two that discusses these issues -- I think having a good model of how and why it works as it does would help me secure my data.

The reasons why the authenticator cannot generate Application Specific passwords and why it does not need a PIN lock are the same: the entire point of 2-factor authentication is that the authenticator by itself is not enough to gain access to your account. You must separately provide both a code from the authenticator and your real password every time you log in.

There's no such thing as a "one time password". There are "Application Specific passwords" which work exactly like your regular password except that they limit access to critical account settings and can be created/disabled at will. If someone obtains one of your Application Specific passwords then they can use it to log in and access your data until you revoke that password but they cannot change your real password and deny you access to your own account.

"If someone obtains one of your Application Specific passwords then they can use it to log in and access your data until you revoke that password but they cannot change your real password and deny you access to your own account."

Ah. I think this is the key I hadn't understood till now. Thank you.

>There's no such thing as a "one time password".

Some people call the code generated by the authenticator a one-time password, because it can't be reused.

Yes any application can use it. I currently use it as a requirement to log into my server via SSH.

However, you are using a PAM module that was developed by Google. I'm not sure if Google's Authenticator program has enough of an API to allow any program to implement 2-factor authentication using their program yet, but it could be possible.

Python code to validate via Google authenticator (sorry, self link): http://www.brool.com/index.php/using-google-authenticator-fo...

Cool. I hadn't taken a look at the PAM module personally, so I didn't know if the code was as tightly knit to that implementation as some other crypto code (I'm looking at you, scrypt).

Good to see it can be implemented outside of Google products.

If the program uses the same algorithm I don't see why not. Here is a module for Drupal that uses Google Authenticator: http://drupal.org/project/ga_login This seems to be the implementation it's using: http://code.google.com/p/ga4php/source/browse/trunk/lib/ga4p...

Edit: of course, this is just another implementation of the TOTP method. It does not use Google's infrastructure to send you SMS / voice calls containing the code.

I know this is way off topic, but "time-based one-time passcodes" mapping to the acronym "TOTP" bugs the heck out of me. Why are the hyphenated terms not treated equally by the mapping? Argg... I'm going to be thinking about this for hours!

It's only weird if you think about it.

I actually had the same concerns, but after going through it they give you two ways to solve that:

One is you can set a backup phone to use to get into the account, it can even be the same phone you have the authenticator on, so as long as you have the same number, you can access it. The backup phone option can also work with landlines through voice.

They also allow you to print out a set of numbers you can use in case you lose the authenticator to get back into the account.

[edit] Added voice backup note.

They provide a list of backup codes which you're meant to print and put in your wallet.

"I would really like to activate two-factor auth for my GMail account, but I just don't trust my phone that much."

I also don't trust my phone enough. But the bigger reason I don't do this is that I don't trust Google enough.

My phone number is private and none of their business. I don't want to give them yet another way to track me.

Here is an idea: if security matters to you, get a better phone. They sell them in shops.

Does gmail make you enter the 2-factor auth code to /remove/ the feature as well? If it doesn't, it should.

That way, even if a user's computer gets owned with a trojan, the attacker couldn't change the gmail password or remove the 2-way auth tool without first having access to the phone.

Just checked: Google DOESN'T require 2-factor auth to remove the feature, OR to change your password for that matter, if you're accessing the account settings from an authorized "don't ask again for 30 days" device (which is a trojan scenario).

Which makes the system essentially moot. That seems like a substantial screw-up.

Not really. When the guy had regained control of the account he could have signed out all other sessions, requiring all sessions to do 2-factor auth again.

But if the person re-authenticating has a trojan on their computer (as may have been the case here) there is _nothing_ that can be done to prevent a third party from accessing their stuff.

The point was that the 2-factor would have already been turned off by the hacker at that point.

What if you lose your phone, though?

The setup forces you to go through two backup steps.

First it gives you a list of 10 codes that you should print and keep safe. Looks like a TAN list. You can only move on if you check 'I printed these items and will protect them like my first born' or something like that.

After clicking next you are able to set up a phone number that is used as another fallback. Testing if you entered the number correctly is optional here, but worked like a charm.

I'm going to look into it when I get the time, but I hope you can add a second device. One of the not-inconsequential benefits to being married is the additional redundancy.

If I can't remember a password, my wife might.

Hopefully I can set this up with her phone as a fallback.

They have you print out a bunch of one-time passwords which can be used to access the account should you lose your phone.

You get 10 one-time use backup access codes for that case (which YOU need to keep secure).

Google gives you backup codes that you have to write down or print out and you have to give them your telephone number so they can text you other codes or call you with an automated message.

When you're setting up 2 factor auth, they ask you for a back up phone number.

Maybe now that it has been pointed out, they will fix it.

It doesn't really matter that much. The value of hacking your account is accessing the stuff that is in the account. Changing passwords should be less interesting.

If they have a trojan on your computer, they can still access everything in your account. 2-factor auth doesn't help. Very little does help if you have a trojan on your computer.

I admit in the scenario played out here - hacker tries to scam your friends - changing the password might help the hackers a little bit. Presumably they want to mail back and forth with your friends (first a plea for help, then sending a bank account number).

Still, that is only a minor danger compared to major damage of accessing your account, which the trojan does anyway.

For example even without a password the scammers could just claim that they have a new email address.

Perhaps a happy medium (between security and practicality) would be to have the option to only apply two-factor lock-down to "admin" type functions (i.e. to change cell phone, change secondary email, etc.). This would allow a hacker to perhaps gain access to your email, but they would not be able to completely hijack your account.

Exactly right. I have been saying for ages that services like Google, Twitter, Facebook should offer two factor. Now some finally do, it is a shame not to take advantage of it: http://www.rakkhis.com/2010/08/why-dont-facebook-twitter-and...

One of the main reasons I had some peace of mind when my account got hacked at MTGOX is that I had two factor on my Gmail: http://www.rakkhis.com/2011/06/i-was-hacked-mtgox-bitcoin-3-...

After this and another incident with a colleague's wife, I have made a note to set it up for my wife's account also tonight.

I would really, really love to activate two-factor authentication for my Gmail account, but Google requires me to have a phone number as a backup in case I lose my phone, and I don't live in one of the countries supported by Google for the backup phone numbers.

I hope they expand the list of allowed countries for backup phone numbers soon, including support for the "less important" countries like mine. Or else allow activation of two-factor auth for people who agree to have only the list of printed one-time codes for entry and no backup phone number. Preferably the former.

I just turned it on on my account now, and I was able to skip the phone number step.

I used Skype-In for this.

I live in the UK, but only own a mobile nowadays. So I used a local Skype number for things like this.

Just never let that number expire. And now your Skype account needs a phenomenally complex password too.

Matt, what about someone who travels for the most part of the year? In my case, working out of Asia for the larger part of the year, but with the US being my home base. I could put my US cell phone (which is deactivated for most of the year - like this year my cell will be deactivated for the whole year except for 2 months). I don't carry a permanent cell phone in Asia.

How could the 2 step authentication help me - say I register with my US cell phone and I am out of the country for most part of the year?

What evan_ said: you're using the phone as a pocket computer, not as a phone. You don't need phone service at all--the authentication program will run on your phone even if you don't have service or you're in a foreign country.

Enough people have asked these (very reasonable) questions that maybe I should do a video about two-factor authentication.

This video made by Google is pretty good and covers many of the concerns people have: http://www.youtube.com/watch?v=zMabEyrtPRg

Nice--you're right, that video covers pretty much everything!

You don't actually need to have cell service - there's an iPhone app (and presumably apps for other platforms) that lets you just generate new codes at will. You only need internet access to set it up initially, and you can do that with wifi.

Won't help you if you have no phone at all, but you can generate one-time-use passwords at will, so you could just stock up I guess.

Actually, it looks like you can only have 10 active one-time passwords at once.

On the page that lists the current ones and lets you regenerate them it says, "Be sure to throw away any previous versions. Only the latest set of backup verification codes will work."
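The behaviour quoted above (a fixed number of backup codes, each usable once, and only the latest generated set being valid) is a small piece of server-side state that is easy to get wrong. The following is an added example written for this thread, not Google's implementation; it assumes 8-digit numeric codes in sets of ten, stores only a salted PBKDF2 hash of each code so a leaked database does not directly expose them, consumes a code on first use, invalidates the whole previous set when a new one is generated, and locks backup-code entry after a run of wrong guesses. The iteration count and lockout threshold are illustrative choices.

```python
"""Printable backup (recovery) codes: issued in sets, stored hashed, single use,
and a newly generated set invalidates every earlier one."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8        # 8-digit numeric codes: printable and easy to type
SET_SIZE = 10          # one set of ten codes, like the printed sheet discussed above
MAX_FAILURES = 10      # lock backup-code entry after this many wrong guesses in a row
PBKDF2_ITERATIONS = 20_000  # illustrative; raises the cost of offline guessing of a stolen table


class BackupCodes:
    def __init__(self):
        self.salt = None       # per-set random salt; replaced on regeneration
        self.hashes = set()    # PBKDF2(salt, code) of the codes not yet used
        self.failures = 0      # consecutive wrong guesses

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, PBKDF2_ITERATIONS)

    def regenerate(self) -> list:
        """Issue a new set and return the plaintext codes once, for printing.
        Because the salt changes, every code from an earlier set stops working."""
        self.salt = secrets.token_bytes(16)
        codes = set()
        while len(codes) < SET_SIZE:  # loop guards against the rare duplicate draw
            codes.add(f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}")
        self.hashes = {self._digest(c) for c in codes}
        self.failures = 0
        return sorted(codes)

    def redeem(self, code: str) -> bool:
        """Consume one code. False for unknown, already used, or when locked out."""
        if self.salt is None or self.failures >= MAX_FAILURES:
            return False
        candidate = self._digest(code.replace(" ", "").replace("-", ""))
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                self.hashes.discard(stored)   # single use: never accept it again
                self.failures = 0
                return True
        self.failures += 1
        return False

    def remaining(self) -> int:
        """How many codes are left; worth showing the user so they regenerate in time."""
        return len(self.hashes)


if __name__ == "__main__":
    store = BackupCodes()
    printed = store.regenerate()           # these would go on the printed sheet
    print("issued", len(printed), "codes; first one redeems:", store.redeem(printed[0]))
    print("same code again:", store.redeem(printed[0]), "remaining:", store.remaining())
```

Two points a practitioner should take from this: the lockout matters because ten valid 8-digit codes give an online guesser roughly one chance in ten million per attempt, which is only safe if attempts are limited; and regeneration must replace the whole set rather than append to it, which is exactly why the page says only the latest set of codes will work.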

Google voice. It was a little "Inception"-like to set up but has worked flawlessly for me. As long as you take a mobile device with you that is authenticated and you have wifi access you're golden.

Re: "Anyone savvy enough to hang out on HN probably has a fair amount of valuable info in their Gmail account"

Even if somebody else does get access to my (non gmail) email account, all they're going to see is PGP encrypted emails:


Of course, you have to be running your own mail server to implement this.

I also noticed that, in Germany, currently, the codes take several minutes to arrive by SMS, which is a bit of a downer when trying to check email.

Sure but you only need to authenticate a browser once every 30 days (assuming you allow the cookie to stick around). Assuming that you are only accessing your account from a few (preferably only one or two) trusted machines, it's really not that much of an imposition.

Now, if you are checking your account from random PC's at internet cafes all over Europe, and making yourself vulnerable to keylogger attacks, you are pretty much screwed anyway. Even if you use two-factor authentication, and remember to clear out the cookie before you leave, an attacker can still steal the cookie and use it to take over your account (or at least steal all sorts of secrets from your gmail account).

Two-factor authentication will definitely help, but it doesn't protect you against carelessness.

I'm in the USA. Here they arrive within seconds.

Disagree strongly. Anyone savvy enough ... has probably no password in his/her gmail at all. Btw, domain reg info can be searched anyway.

Also, if you've got a strong and unique password, and do not log in from untrusted devices that may be keylogged, you're quite safe already.

There's also the case of resetting your password for various other services. If someone can get access to your email account, it might not matter whether your actual webhost or domain registrar password is in your Gmail. The bad guy can force a new password or password-reset link to be sent to your email account, then intercept and use that link.

I already use a strong/unique password for Gmail, and I do my best not to login from untrusted devices, but adding two-factor authentication reduces the potential attack surface that much more.

For online accounts (including email), you're much more likely to get phished than have someone brute-force your password. While keylogging malware is an issue, it's generally less prevalent than successful phishing attacks. There's also the threat of compromised password databases from unrelated web sites (see http://twitter.com/lulzsec) being leaked, and if you share the same credentials, that can affect your email account as well.

2-factor auth gives you a considerable security advantage over "a strong and unique password" and not logging in from untrusted devices - I'd recommend you try it.

(I work at facebook, and we offer a similar thing called "login approvals" - go to "security" under https://www.facebook.com/editaccount.php to turn it on).

Matt, I'd love to if I could. My issue is not from living in an unsupported country, but that Google Authenticator requires Android 2.01. However everywhere mentioned on the 2-step authentication site "Android 1.5" is blared at me.

As a 1.5 user there is nothing that hacks me off more than getting my hopes up at an app my phone can actually use (a rare occasion these days) and then having it snatched away. I don't blame Google for supporting 2.x and up, but lies are unacceptable.

You don't need any specific software to be able to use two-factor authentication, it works nicely for me in any Linux distro I've tried and also Windows Mobile 6.1 (yes I know)

The software might make it easier than receiving an SMS which needs typing in, but all your mobile applications can still use the system - you just generate a new password for each application (as you would for a Google Talk client on your desktop).

My laptop has encrypted hard disks so is set to remember Google passwords for 30 days. I can log in from other devices using my password and an SMS validation code which expires as soon as I log out.

Their tool is quite nice on android, all accounts will be shown in one screen, very convenient. I have all my gmail accounts (even spam ones) registered to ensure people don't get spam from my accounts (which were compromised). I also changed the spam accounts' passwords to a generated 32 char password to be on the safe side (I only use them for once in a while access).

I'd be happy to use two-step verification if I could. I've been regularly attempting to enable it since it was announced. Gmail refuses to accept any of my phone numbers because the country where I live (Kazakhstan) is not supported. Tried three major mobile operators to no avail.

All well and good, except 2 factor authentication does not work for google apps gmail accounts yet :(

It does work, you just need to enable it for the domain: http://www.google.com/support/a/bin/answer.py?hl=en&answ...

It'd be nice if I could turn on two-factor auth in case i notice something fishy with my account. Basically, an emergency function that would sign out all sessions and raise the bar to get in once a user feels their account might be compromised.

Is the last chance form still active when you use two-factor auth?

With two-factor authentication, what happens if your phone (with Gmail logged in) is stolen?

I am using Thunderbird everywhere. Anyone know how it works with two-factor authorization?

What I'd like is one-factor for my typical "log in and check mail, write back to a few people" use case, and two-factor or a second password that kicks in when I (or a bad guy) tries to:

* Log in from a computer that's never used this account before

* Set up a forward

* Make a mass mailing

* Change the password

* Do extensive searching or searching for suspicious terms ("password", "credit card", etc)

* Export a large amount of mail

...and other such things. That way, I don't have to be inconvenienced by constantly having to use the second factor, but would still survive a stolen laptop, keylogged password, or sniffed cookie with a contained amount of damage.

I've been on it since the first day they would let me, and I couldn't be a larger fan. I know how vulnerable I would be if I lost control of my email account, and it's scary. I don't trust the recovery options with google because they're useless if someone gets your password and changes it.

I lost my phone skiing, used an application to find it, and realized someone else had the phone already. Without two factor authentication I would have had to change my gmail password, update it everywhere, and type the wrong password in for the next 2 weeks. Revoking the application was simple and made me feel better about the situation. This was huge for me.

I would recommend everyone who keeps a fancy phone with them nearly 24/7 to enable 2 factor authentication.

What it's like to use:

- Once every 30 days I have to put the code in.

- I keep a paper copy of the 10 backup codes on me. I've had to use 2 of these for when my phone was dead or lost and I was logging on to a new browser.

- I've also emailed these codes to an account that is totally unaffiliated and has no link to my google account.

- I have about 3 other applications I had to set up the application passwords for. This was less painful than I expected.

The real risk is when you're in a worst case scenario - without your wallet, without your phone, and every online email you have is compromised.

Even if someone does manage to get through the 2 factor authentication, there's a pretty good chance they won't disable it or clear out the emergency codes.

Because of the long-state persistence of sessions in Google accounts, this shouldn't be a problem unless you're logging in from public terminals.

I've had Two-Factor on for about a week now and it works very, very well. Most annoying part is setting up the one-off auto-generated passwords for the applications that can't use two-factor.

I don't think it's annoying. I think it's actually enlightening: It shows you exactly how many applications have access to your Google account. And how much potential there is for a screw up.

Agreed; I got half way through setting up Google's 2 factor but then was told I had to use it for every login, instead of say when I was logging in from a different IP or doing some big change.

The second factor auth can live in a cookie for 30 days. Since I use the same two computers all the time, I only have to pull out the 2factor authenticator app every couple of weeks. Not a big deal.

I am really, really happy to have 2factor auth for my gmail account. In retrospect, I think it's crazy I hadn't set it up before.

You don't actually have to use it on every login. There's an option to remember a computer for 30 days. I have this option ticked in a single browser on my main laptop, and I input the verification key for everything else. Not a pain at all and definitely worth the added security.

If you use more than one browser per machine, you need to reauthenticate for each one, which multiplies the inconvenience. Also the need to generate passwords for apps that don't use 2 factor authentication (IMAP, IM clients).

Although, I still think it's worth the added effort.

If you feel your machine is well-secured and your passwords are properly encrypted, you might want to set up a device-specific password for your machine, with limited access somewhat as suggested in the top post. Then you'll only need two factors to access your account settings.

The downside, like I pointed out in another comment [1], is that even with (hypothetical) read-only access to your email account, a malicious party could arguably steal your accounts elsewhere on the net — that being the main reason why you'd want to have 2-factor authentication whenever possible.

But trading the 2-factor auth for Google's disposable, device-specific passwords is not at all unreasonable.

[1] http://news.ycombinator.com/item?id=2699867

30 days, divided by the number of computers you log in on. In my case that could be as much as 7 machines, so I'd expect to need to log in every 4 days or so. Definitely more hassle than desired.

When you log in with 2 factor you have the option to validate the current machine for 30 days.

Then again, with as little as read-only access to your inbox, someone can steal your accounts in other websites.

Plus, the two-factor authentication may sound like a hassle but it really isn't. You get used to it really fast, and you have to use it surprisingly less than you'd expect because of the option to automatically remember devices (for a month).

If you don't mind using gmail over IMAP/POP then you can essentially do this. You can create a special password for access over IMAP/POP that does not require 2-factor authentication.

Then just use the web interface for managing your settings.

Of course, this isn't a real solution and only will work for people who already are not using the gmail web interface.

What I'd like to see is these criminals hunted down and brought to justice.

I don't understand why so few comments mention that the "last chance form" is a huge security hole. It seems like most of the information for filling it can be seen by someone over my shoulder as I use Gmail. And it's apparently completely automated and can be tried multiple times. I use a strong passphrase and two-factor authentication for a reason, and this defeats it. I already disable the "secret questions", since I don't want cracking the account to be much easier than cracking the passphrase.

I would like Google to give me an option to disable the "last chance form" for my account. Or, if they insist, I'd like the "last chance" to be to fly to Mountain View and show Google my passport or a court order.

EDIT: and for extra bogusness, it seems that the information needed for the "last chance form" can't be changed if it's compromised. I mean, I can change my passphrase if I suspect it leaked, but how do I change the date when I started using Gmail? Sounds like the best thing to do the moment a Google account is compromised is to close it.

Except you can't close it anymore.

I meant closing it after going through the "last chance" form. Although it wouldn't surprise me if someone could go through it again and reopen it. Also, if you left a computer with a Google login where someone could access it (not smart, but people can slip up), then I guess the paranoid/high security thing to do would be to close the account, since there is no way to know when the gathered information would be used to access it. Changing the password would be worthless.

I went through this two years ago. My ex was hacking into my accounts.

- He used the 'last chance form' to get into my gmail by entering the password I'd given him a year before this (I'd changed the password twice after giving him that password)

- He ran a dictionary attack on my college email which didn't have captchas, then hacked gmail using the password that worked for my college email

- We were using shared vnc in college, he found his way to my firefox through a mutual friend, installed a plugin that sent him all POST data and got into my gmail again

I created a new gmail account after each incident. I had to abandon each gmail account once it was cracked because of the 'last chance form'. Back then, you only had to give it one or two correct past passwords, and it gave you access. In hindsight, I've been remarkably dense, but it was a good, early lesson.

Sorry to focus on this (this is Hacker News after all), but did he write his own Firefox extension for this? Or is there one available?

He told me he wrote his own.

To return from nerd mode, did you consider at some point relating your story to an uncle, and then explaining the concept of "rubber hose cryptanalysis," and letting him connect a few dots?

:) No. I was playing a kind of zero-acknowledgement game, as a friend called it.

And now we know why he's your ex.

This is exactly why I'm using two-factor authentication for gmail (heck, I even ported the two factor auth code generator to my watch so I don't have to panic when my android phone runs out of battery - http://tnhh.net/pancake/chronos-otp.xml :-)

However, I don't use Gmail for 'everything,' it's just too dangerous and I feel that, done that way, Google knows more about me than they should. I think everyone should be hosting their main email address under something that they can surely control (your work/edu account, or a paid email service). My main account is hosted on fastmail (I paid something like 12 bucks for three years) and is cloaked under a dozen other email addresses.

Plus, for fastmail you get a free smtp account, and a standard IMAP account (gmail's IMAP is weird). And they will respond if you're in trouble.

Gmail's IMAP is awesome. I remember the first time I connected my iPhone to it and wondering how to archive a message. "Well, it stays in 'All Mail,' so I'll just move it there." Presto! It worked.

Naturally, you have to like the Gmail conventions to like the Gmail implementations.

From the point of view of someone writing an IMAP client, Gmail's IMAP implementation is not awesome. It's not horrible either, but it does have quite a few quirks, some of which can be a real pain to deal with.

Just because you pay for a service does not automatically ensure that it's safe and secure. At best you're able to get ahold of 'real people' when shit goes down, but that is also possible with Google's paid solution, Google Apps.

I personally trust Google more than I trust some random E-mail hosting company. I KNOW that Google enforces very strict user control; I have no idea what Fastmail or any other enforces.

Yeah, trusting Google more than some random E-mail hosting company is probably right. However the catch is that in the last resort I always have my credit card number for the proof of ownership.

Fastmail is not really some random company (one of the companies that I feel know what they're doing) and is very decent in providing user access control. They have Yubikey integration and a dozen more methods to make sure your account is safe. Also, they implemented showing who signed on from what IP years before Google. Btw -- I have 7 days of sign-on history.

A paid email service may be better than Gmail, but using your work email as your primary address is a very bad idea. Almost every employer's policy is that they can access your email whenever they want, and (at least in the US) you can be terminated at any time for any or no reason.

I've recently switched to Fastmail too (the website, for those interested, is www.fastmail.fm). You'll pay for it, but it has a lot of nice features you won't get for free. It also has two-factor authentication like Google (via SMS), but you need to pay for each SMS it sends.

I also use Fastmail. I'm grandfathered into a plan they no longer offer: a one-time payment which got me a modest (16M) quota (I download and purge my email from their service so that's not an issue for me) and access to their SMTP service.

So, at this point, doesn't Fastmail know more about you than they should?

Well Fastmail is in the business of providing an email service. Google is in the business of targeting advertising to you based on what they know about you.

Fastmail was recently acquired by Opera. I don't know if that changes anything.

Fastmail has the email business and they got my money for that -- so their intention is clear. You have an awesome Google 7GB email box for paying Google nothing. It's not clear what they want to and will get from you.

I'm not saying that wonderful things are never free, Free software is an example. However, keep in mind that Google is a business and they'll have to make money. They are not idealistic Richard Stallman who can squat from one house to another.

> most distressing to me is that I am still unable to explain how those guys were able to get access to the account twice after I changed the password, security questions and backup email address from my Mac that does not seem to be compromised.

It sounds very much like the hackers were also using the "last chance form." Consider that all of the information it requests is available through Gmail - account registration data, names of tags, most emailed people, and verification code (which was apparently emailed to him, and therefore present in the compromised email account) (Note: I haven't used the form myself, I'm going on the information in the article).

Also, the title is a bit link-baitish.

My impression is that these hackers would have much of the scamming process automated. Maybe it was a real person filling out the recovery form, but I doubt the initial scheme (set up redirecting, send spam mail) was performed by a human. Perhaps the hackers had saved every email in the account and were able to extract the necessary information to do the recovery. But the author admits the Gmail account isn't valuable - the marginal gain from recovering the hacked account seems negligible for the hacker to intervene himself.

It seems more plausible that the recovery form has been gamed. The initial hack was programmed to extract the information in advance and possibly even perform the account recovery if necessary. They know exactly what and how much information is needed for Gmail to accept the recovery, whereas the author had to call his s.o. to fill out all the fields.

Either way, it sounds like the Gmail recovery form should be revised. The author argues recovery is already difficult for the true owner to perform. Google could, while keeping the automated process, make it harder for an algorithm to recover the account than the real owner.

I think the windows xp box he says he had his wife turn off had a trojan in it.

That doesn't make sense. He changed the passwords, as well as using Gmail's ability to end all other sessions. Unless he was giving his SO (he never calls her his wife) the password and she was logging in on that computer, there should have been no way for a trojan on it to access the account.

They were probably using the "last chance" form to reset the password. That form checks the IP address; if they had control of the XP machine, they could have been using it to submit the form with a reasonable IP address and get the account again. Once they lost that, no go. At least that's the only thing that I can think of.

Ah, that makes sense. I didn't realize that the form checks IP addresses, though, in retrospect, that's an extremely obvious security feature to have.

I haven't set up two-factor auth yet because I don't always have my phone handy and my understanding of it is that on each log-in you need to use both factors. My comments below are based on this understanding so forgive me if I'm wrong.

What I would love is if instead it asked for both factors under these circumstances:

- option A - on every login like it is now.

- option B - at least once every X days, with a warning that "within the next three logins you'll need to use your second auth" so I will know when it's coming without being locked out because my phone is dead.

- in both of the above cases ALWAYS require two factor auth every time I change the account settings (like password, recovery addresses, etc.) Possibly even require it when I try to do things like purge a mailbox entirely or bulk email all my contacts.

Having this blended option would make it a no brainer for me.

Edit: Thanks all for the clarifications below. I am going to give it a try.

As for not always having your phone with you, you can print out one-time passwords. So you print some out, put them in your wallet (and maybe more in your home), and then if you don't have your phone/your phone breaks/whatever, you can use one from that list. But then that one off of that list is dead.

Also, I'm pretty sure there's some option where it only does the 2nd factor once a month if it's on a computer it recognizes.

Yes, when you enter in the second-factor digits you can tick a box to have it "remember" you for 30 days on that specific machine.

It has the option (on by default actually) to remember that session for the next 30-days.

I turn it off every time, because I want to be asked for my second factor regardless of the situation.

In the event I don't have my phone with me, I carry the printout of backup codes in my wallet.

For those that have Android phones with CM7... you can now assign actions to long-press Home and Menu. Long-press home is usually the task switcher (but you can change it to other task switchers with more features). I have my long-press menu set to open Google Authenticator with my Google second-auth OTP up... so I'm two button presses away from my OTP code.

Just thought I'd throw it out there. I know it's frustrating to have to unlock, quit app, (wait for the home screen on the slower phones), switch to the App Drawer, scroll, click.

It asks on every login or you can opt to not require the second factor for 30 days on that machine via a checkbox when entering the other factor. You can also print out a list of 10 one-time use codes to log into your account if you don't have your phone handy.

I read a story similar to this a few weeks ago. The guy recovered his account, changed all passwords, but then it was snatched again. Rinse and repeat, I think he got it back in the end though.

Very strange - he thought he'd been targeted specifically.

tl;dr: don't give your password to anybody. we've been saying this since the mid-90s but people still seem to slip up.

gmail's two-factor auth is nice and easy with the handy iPhone app. of course nobody wants to complicate something like sign-in, but email integrity is very important. facebook also has a similar two-factor auth process (though not as nice; they text you, vs a nice app).

two-factor is a no-brainer at this point for managing your identity, especially given the huge volume of leaked passwords we've seen in the past month. it only takes a few minutes to set up and almost completely eliminates problems like the one in this article. if you haven't set it up yet, do it now! much easier than learning the hard way.

FB has been requesting my phone number to complete the authentication backups for a few weeks now, and the ability to opt out is not clearly marked. I have the nagging feeling that this is much more about getting my cellphone into their system.

Or just the fact that they are overwhelmed by users requesting to get their accounts back. A two-factor solution is the only solution to the problem with password reuse that we've been fighting since passwords were first thought of. People are dumb; you can tell them a gazillion times to never use the same password on different sites/programs/whatever, they still do it.

Also, by providing it via text messages compared to an application they reach out to a much broader audience. Not just tech-savvy people like you and me, who probably already had a proper password policy.

Which is a bit silly since Facebook already has one of the most popular mobile apps installed on millions of devices.

but facebook also has many million users who don't have an iPhone nor android phone yet, who can still use two factor auth (i.e. my girlfriend)

Given that he was sorting out his gf's account because he knew her password, that's not at all an accurate tl;dr.

A friend of mine got his domain stolen recently. He believes his gmail was brute-forced through a known vulnerability/feature when POP is enabled http://seclists.org/fulldisclosure/2009/Jul/254 . He did a write up http://secretgeek.net/sg_hijack_1.asp and here http://secretgeek.net/sg_hijack_2.asp . As soon as this happened to him I turned on 2-factor auth and it works very well.

This happened to my girlfriend and I had a similar freak out. After asking a few more questions she remembered getting an email to enter her gmail password to get more storage space.... She knows better, but just didn't think about it - it seemed legitimate. Ask your friend more questions, I bet she fell for the same scam. I've met 4 people now that fell for the same one.

I'm also very concerned about the no 'restore' option from gmail. What good are google backups if you can't initiate them?

For the record, I don't think that Gmail security is bad, or worse than something else. I just wanted to report my story, as I thought it would be interesting. I am a bit overwhelmed by the reaction to this post, honestly.

A friend of mine had a similar problem with her Hotmail account.

It had been hacked, but the recovery questions hadn't been changed (mainly, I think, because Hotmail makes it incredibly difficult to even find the option to do this). We reset her password, changed everything, and the account got re-hacked within 30 minutes.

This happened three more times until, eventually, the recovery questions were changed and we couldn't get access. I posted on the support forums, regained access, changed EVERYTHING (this included checking for email forwarding rules, and so on).

Now, through all this, I told my friend to not sign in to the account (or use MSN) from any computer except mine, to ensure that it wasn't a keylogger or Trojan that was causing this. My machine was running an up-to-date version of Ubuntu, on my home network, using HTTPS. So I'm pretty sure it wasn't a trojan.

Unlike Google, Hotmail requires a human to look over your problem, so after the third time we had to wait for a day to get the account accessed, we just gave up. I signed in, copied down as many contacts as I could, then deleted all the incoming emails. We ended up having to abandon her Facebook account too, as the hacker accessed that and was spamming her friends. Her Tumblr, and a couple of other accounts were toast also. We almost got her Facebook back, but the hacker deactivated the account.

It was very frustrating trying to solve this, because I didn't know how the account was being accessed! I opened a ticket asking the Hotmail support staff to tell me how the password was being reset - not any more information, just the method - and they came back with the standard "we won't reveal information unless you have a search warrant or court order".

I love modern technology and all, but sometimes it's REALLY frustrating.

I bet signups for Gmail's 2-factor auth spike when stories like this start circulating. It's awesome that they provide it. I fear it might be too much to ask for my mom, grandmother, etc, who are probably more vulnerable to being attacked in the first place (weaker, duplicated passwords for sure).

I've also activated two-factor authentication, and I don't think the drawbacks he mentions are that problematic:

> This indeed increases security, but tends to be a bit cumbersome (I often have a depleted battery, for example, which could prevent access to my emails from a computer) and does not solve other case (like somebody stealing my laptop and using an already opened session).

1) You can print a list of one-time passwords and store it inside your wallet. If your phone's battery is depleted, you can use them to log in. You should store another copy of this list in a safe place, just in case.

2) If somebody steals his laptop, he could always log in from another computer and disable his session and/or change his password. He should use a password-protected login on his laptop anyway, with an encrypted drive.

My Gmail account recently was compromised due to the MtGox intrusion, as I had completely gotten lax with my password security practices (I noticed because I was no longer able to log in to my Google account). The worst thing about it is I knew better. I had 4 different passwords that I would use for different types of sites, and it just so happened that my MtGox and Gmail passwords were the same.

Thanks to my backup email account and 1password's ability to search accounts by password, I was able to restore access and change every account password I had gotten lazy about, before any damage was done. I turned on 2-factor authentication for my Gmail and Google Apps accounts, and now I can finally feel secure with only 2 passwords I have to memorize (Gmail and 1Password).

One thing you should check for if your email was compromised is the pop3 forwarding and imap. Attackers will forward your emails to their own accounts using either or both. This makes it very easy for them to retake your account.

Another note is to check your "Reply-to" email.

A friend of mine's Gmail account was compromised (say her email was iluvkittens@gmail.com) and they had subtly changed it (perhaps to iluvkitttens@gmail.com). Her oblivious contacts (including me) replied to her "cry for help," but the messages went straight to the hacker's address. This kept her contacts in conversation with the hacker even after she regained control of her account.
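A small detector for the Reply-To trick described in the comment above, written as an added example (not code from any commenter). It parses a constructed message built from the addresses in the comment, and flags a Reply-To that differs from From, with a separate "lookalike" warning when the two addresses are only a couple of characters apart; the edit-distance helper and the message are my own construction.

```python
"""Flag messages whose Reply-To quietly differs from From.

Added example, not from any commenter. The sample message is constructed
from the addresses given in the comment above.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample: From is the real account, Reply-To has one extra 't'.
SAMPLE = """From: Alice <iluvkittens@gmail.com>
Reply-To: Alice <iluvkitttens@gmail.com>
To: bob@example.org
Subject: help, stuck abroad

Please send money.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical lookalike addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def reply_to_anomaly(raw: str) -> Optional[str]:
    """Return a warning string, or None when Reply-To is absent or equals From."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if not reply_to or reply_to == sender:
        return None
    if edit_distance(sender, reply_to) <= 2:
        return (f"lookalike Reply-To {reply_to!r} differs from From "
                f"{sender!r} by only a few characters")
    return f"Reply-To {reply_to!r} does not match From {sender!r}"


if __name__ == "__main__":
    print(reply_to_anomaly(SAMPLE))
```

The same comparison is worth running on your own account's settings after a compromise: a Reply-To or forwarding address that is one character off from your real address is easy to miss by eye.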

It would be nice if Gmail and Facebook had two separate passwords: one for everyday login and another for administrative functions such as changing passwords, forwarding options, etc.

For those of us who never travel outside the continental U.S. (or wherever), it would be nice if Gmail had an option we could check that read, "Disallow international (non U.S.) access to my account."

This would add a small measure of protection, though is not ideal as compromised machines (or proxies) in the U.S. could still access the account.

I'd say this is happening a lot more than we actually hear about. He also raises a good point about how if you gained access to a lot of people's gmail a/c, you'd also get access to a lot of other services they use via the password reset form.

So, it seems that the XP machine was the source of intrusions - I'd like to see a follow-up.

What role did the separate XP machine play? After changing the password and dropping all active sessions, what else is there to allow someone in?

I have no idea, but he mentioned that the e-mail account was accessed from it, and once it was shut down, the intrusions stopped.

Something I do quite regularly is google search each of my passwords, and I would advise anyone to do the same.

I found several older passwords with my login up on a file-sharing website not so long ago. Luckily I didn't suffer the same fate as the writer's wife.

Also, I believe that google should have 'paid support' in place for this type of situation. No doubt it would be profitable for them, and would save many people quite a lot of pain.

Following your tip out of curiosity, I googled one of my old passwords, which was leaked in the most recent Lulzsec release (in MD5 form).

And there it was, in cleartext, on the second page of the search results, along with the username that I used on the Battlefield Heroes beta.

It was on a pastebin with another 60k combinations of usernames and passwords.

The password was only 6 characters in size though (along with every other on that pastebin), so I guess that made it a certainty that it would get cracked.

How about the other combos, were they also all 6 characters in size?

> Something I do quite regularly is google search each of my passwords, and I would advise anyone to do the same.

The problem with this is that your password could end up in your web history and autocomplete. The other option would be an incognito session, but I think that could still lead to it ending up on Google Suggest if you do it often enough.

I'm not worried about that, since it's basically nonsensical text, and with the amount of searching I do, it's going to be buried.

By regularly, I mean about once a month.

There is another layer of protection you can put in place - Google Apps. For many people, spending the $10/year on a private domain with the 10 account limit would be more than sufficient. Allocate one of those accounts to a strictly administrative role with 2 factor authentication. That way, you can self-serve on things like emergency password resets etc.

So I'm perplexed about how the gaming XP machine fits in here. I can understand that maybe that machine was used to log into the gmail account once and the auto login would have let the "hacker" in once. How then, if the user changed the password and security questions, etc., did this person access the account 2 more times???

They should be asking for certain characters of your password now, to defeat keyloggers. If you've got tons in the cloud, you need bank-level security. If people can cope with it for banking, they can cope with it for gmail.

I sure as hell hope they can't ask for certain positions/characters of my password, as that would imply a non one-way function (ie, hash) applied to the password stored on their servers.

LulzSec has proven why this might be very bad.
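To make the point in the comment above concrete, here is an added example (my own code, not from any commenter or from Google) contrasting one-way storage, which can only check the whole password, with a hypothetical "hash each character separately" design that would let a site ask for characters 2, 5 and 7. The second design looks hashed but is effectively reversible, because each position has at most 94 printable candidates. The sample passwords and salts are constructed.

```python
"""Whole-password one-way hashing versus a per-character scheme that would
permit partial-character challenges.

Added example, not from any commenter. The per-character record is a
hypothetical design used only to show why it is equivalent to plaintext.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ROUNDS = 100_000  # assumption: PBKDF2 iteration count chosen for this demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way storage: salted PBKDF2-HMAC-SHA256 over the whole password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """The only question a one-way hash can answer: is this the whole password?"""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


def per_character_record(password: str, salt: bytes) -> List[bytes]:
    """Hypothetical design: one hash per position, so the server could verify
    'character 3 is X' without the full password."""
    return [hashlib.sha256(salt + bytes([i]) + ch.encode()).digest()
            for i, ch in enumerate(password)]


def invert_per_character_record(record: List[bytes], salt: bytes) -> Tuple[str, int]:
    """Shows the per-character design offers no real one-wayness: each position
    is resolved with at most len(PRINTABLE) hash evaluations, so the cost is
    about 94 * length instead of 94 ** length. Returns (password, guesses)."""
    recovered = []
    guesses = 0
    for i, h in enumerate(record):
        for ch in PRINTABLE:
            guesses += 1
            if hashlib.sha256(salt + bytes([i]) + ch.encode()).digest() == h:
                recovered.append(ch)
                break
    return "".join(recovered), guesses


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")       # constructed sample
    print("whole-password check:", verify_password("correct horse", salt, digest))
    rec = per_character_record("Tr0ub4dor&3", b"\x02" * 16)  # constructed sample
    print("per-character record inverted:", invert_per_character_record(rec, b"\x02" * 16))
```

The practical test when evaluating a provider is exactly the commenter's: if the login form can ever ask for a subset of your password's characters, the provider holds something it can decrypt or index per character, and a database leak of the kind mentioned exposes it accordingly.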

I worry about this a fair bit. This is why I am in the process of cloaking my gmail with a throwaway address (ping@namank.com)

And I just suggested gmail this:

----- Gmail runs my life, as it does yours! Yes, I have an alternate email but whoever has my password can change it and then I'm LOST! You need to make this hackproof (yes yes, i know. but please, at least TRY)

I suggest:

- Have a backdoor password. There MUST be a 24-48 hour window between changing the backdoor password and the main password.

- Must be a 24 to 48 hour window between a password change and alternate email change. -----

Just enabled 'Two factor authentication'. Thanks for writing this. Made me realize the loss I would incur if my account gets hacked.

the "last chance form" (or "account recovery exam") really is a hard and impossible to find thingy. Also, I frankly have no idea about when I started using some services, and worst, no clue on how to find out.

> Time now for some damage evaluation. I immediately saw that all contacts had been deleted (annoying but not too bad)

There's pretty much a one-click restore process now: http://i.imgur.com/1EYZ5.png

Please upvote Ryan's advice. Click on Contacts, then look for "More actions," then click "Restore contacts..."

You can find more info about restoring contacts at https://mail.google.com/support/bin/answer.py?answer=1069522... or read the blog post from a few months ago at http://gmailblog.blogspot.com/2010/12/restore-your-contacts....

Not sure why any of these steps should lead you to fear using Gmail. Hosting your email yourself is almost surely more risky. Those hosting their own email aren't going to have a complex password recovery system with the abuse protection that Google's has. There isn't going to be a warning system to alert you that there have been sign-ons from foreign states/countries. There isn't going to be two-auth out of the box unless you install the PAM module.

If your weak link, was, as usual, the human link... I would be inclined to trust a system more catering to (forgive me) ignorant users.

I just worry that the mindset is, "I got hacked because I use Gmail, if I used something else I'd be safer." and I find that logic to be pretty flawed.

Here are some reasons why self-hosted email is a better bet than Gmail:

1. Your self-hosted system will be unique, which means it won't be attractive to phishers (by definition).

2. Because your system isn't a major email service like Gmail, your address won't have the same cachet with other mail services (i.e. auto-whitelisting). Therefore it will be even less of an attractive target to someone attempting to spam. (For the case of criminals attempting social engineering of a contact list, see point 1.)

3. Because Gmail must run mostly without human intervention, you get bad security such as the "last chance" form, in which everything you need to recover the account can be determined by hacking into the account. Self-hosted email won't have this problem, because it will have a human devoted to correcting problems (i.e. you).

There are of course obvious problems with self-hosted email that Gmail doesn't have, but it's not exactly one-sided.

Why would a server that only runs ssh and qmail be less secure than Gmail? Why would I need a password recovery system?

Remember that Gmail had a sysadmin reading the mail of users:


> There isn't going to be a warning system to alert you that there have been sign-ons from foreign states/countries. There isn't going to be two-auth out of the box unless you install the PAM module.

Your points are valid, but why wouldn't these things exist? Doesn't code exist to do this? And if not, is it truly difficult to write?

I'm not saying it's a trivial task, but someone who decides to host their own e-mail would probably be willing to work at it.

Just as a note, Google's "Google Authenticator" app for Android is open-source, supports the open standard for OTP, and has a free OSS lib for PAM.

Well, they probably do exist, but not as a default install of any webmail client that I've used in the last few years.

If you choose not to use webmail (or run it at just about any URL that deviates from the default) you will be a lot less vulnerable to a whole host of XSS and CSRF attacks.

Every site you visit in a browser can attack every site you're logged into, but they have to know the URL scheme of those logged in sites.

> Every site you visit in a browser can attack every site you're logged into, but they have to know the URL scheme of those logged in sites.

That's assuming nobody uses anti-CSRF measures, right? If I've got an anti-CSRF token on a form, how are you going to attack it? Or what about pages (e.g., change password pages) that require you to enter your password? Certainly you'd need to know more than the URL scheme.
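The two defences the reply above names, a per-session anti-CSRF token and re-entry of the current password on sensitive forms, as an added example written by me rather than taken from any commenter or from Gmail. The token is stateless: an HMAC over the session id and a random nonce under a server key, so a form token stolen from or minted for another session is rejected. The server key and the request dictionaries are constructed stand-ins for real configuration and an HTTP framework.

```python
"""Synchronizer-token CSRF protection plus a current-password check on a
password-change handler.

Added example, not Gmail's implementation. Requests are plain dicts standing
in for parsed form bodies; SERVER_KEY is a constructed placeholder.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SERVER_KEY = b"constructed-server-key-load-from-config"  # assumption: rotated secret


def issue_csrf_token(session_id: str) -> str:
    """Embed this in the form; it is bound to the session that rendered it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: Optional[str]) -> bool:
    """A third-party page can make the browser send the session cookie, but it
    cannot read the token for that session, so a missing or foreign token fails."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_change_password(request: Dict[str, str], session_id: str,
                           current_password: str) -> str:
    """Server-side handler: the session cookie alone is never enough."""
    if not csrf_token_valid(session_id, request.get("csrf_token")):
        return "rejected: missing or foreign CSRF token"
    supplied = request.get("current_password", "")
    if not hmac.compare_digest(supplied.encode(), current_password.encode()):
        return "rejected: current password required"
    if not request.get("new_password"):
        return "rejected: new password missing"
    return "ok: password changed"


if __name__ == "__main__":
    sid = "session-A"                      # constructed session id
    token = issue_csrf_token(sid)
    legit = {"csrf_token": token, "current_password": "old-pw", "new_password": "new-pw"}
    forged = {"new_password": "attacker-pw"}   # what a cross-site form can send
    print(handle_change_password(legit, sid, "old-pw"))
    print(handle_change_password(forged, sid, "old-pw"))
```

The handler compares the current password against a plaintext value only because this demo has no user store; in a real service the comparison goes through the password hash as usual.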

I'm not assuming that nobody uses CSRF protection, but there have been a few high profile drive-by attacks against gmail over the years. Presumably future gmail attackers will do the same thing that past gmail attackers did: find a bug.

In the sense that Gmail is a big target, and a self-hosted account is a tiny one, I do understand the feeling that if for no other reason than obscurity, you are safer avoiding the "big names" in any online service.

A paid provider would be more likely to listen to you.

> I was very glad that the "last chance form" did work twice

> That's when I lost the connection again...

hmmm ...

You get what you pay for.
