Gmail Account Hacks

It seems that sometime within the last 12 hours there has been a widespread attack against Gmail.  I first noticed an issue last night around midnight when Outlook kept telling me it could not connect to send outbound email.  It popped up the login box twice, and then I went to Gmail to investigate.  By the time I tried logging in there everything worked fine, and then I was able to send the email via Outlook.  A temporary glitch?

This morning I got an email from my brother in law stating that when he logged into his Gmail account this morning he got a message reporting suspicious activity.  He changed his password, but has not noticed anything else out of the ordinary.  Given the circumstances, I decided to go hunting for any news on this topic, but there does not seem to be any unless you head over to the Gmail support forums.
In my case, it seems my account may have been locked for a brief period.  For a lot of other people though, the attackers were able to actually access their Gmail accounts.  Here are some of the salient details based on combing through a few of the recent forum postings:
  • When the attackers are successful they will probably:
    • Access the account and change the password and security questions.
    • Look through your email for details about other accounts (other email accounts, blog accounts, etc.) and use those details to compromise them as well.
    • Send spam to all your contacts.
    • Delete all your email messages.
  • When the attackers are unsuccessful:
    • Gmail will likely warn you of suspicious activity upon your next login.
    • The account activity details will show access attempts from odd IP addresses (i.e., you are in London, but suddenly a US IP tried to access it).
  • There is also a specific financial scam which has accompanied this attack.  Many users are receiving emails purportedly from Google which state they have won some sort of Gmail Promotional Competition.
It could be that there is a malware outbreak, and the affected users are having their account passwords captured.  However, since some users are being notified of “suspicious activity” while others are having their accounts actually compromised, that doesn’t seem to be the case.  My best guess would be that this is a widespread brute force attack.  In fact, if I were the attacker I would have a very simple list of passwords, maybe the top 100 most common, and would iterate all usernames against those passwords in turn.  This sort of brute force attack (commonly called password spraying) can be very effective when attacking a large population, where it is highly likely you’ll come across several accounts using those weak passwords; trying only a handful of guesses per account also stays below the per-account lockout that a conventional brute force against one username would trigger.
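The pattern guessed at above, one short list of passwords tried across many usernames, looks quite different in an authentication log from a classic brute force against a single account, and it also accounts for the two outcomes reported in the forums: the accounts the guess failed on get the “suspicious activity” warning, the ones it succeeded on get taken over.  The following Python is an added example for this page, not code from the original post or from Google; the log line format, the source addresses, the usernames and the thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed auth-log sample for this example. The line format is an assumption;
# Gmail's own logs are not public and the post does not show any.
SAMPLE_LOG = """\
2009-02-24T23:58:01Z src=203.0.113.10 user=alice result=FAIL
2009-02-24T23:58:02Z src=203.0.113.10 user=bob result=FAIL
2009-02-24T23:58:03Z src=203.0.113.10 user=carol result=OK
2009-02-24T23:58:04Z src=203.0.113.10 user=dave result=FAIL
2009-02-24T23:58:05Z src=203.0.113.10 user=erin result=FAIL
2009-02-24T23:58:06Z src=203.0.113.10 user=frank result=FAIL
2009-02-24T23:59:10Z src=203.0.113.10 user=alice result=FAIL
2009-02-24T23:59:11Z src=203.0.113.10 user=bob result=OK
2009-02-25T00:03:00Z src=198.51.100.7 user=alice result=FAIL
2009-02-25T00:03:01Z src=198.51.100.7 user=alice result=FAIL
2009-02-25T00:03:02Z src=198.51.100.7 user=alice result=FAIL
2009-02-25T00:03:03Z src=198.51.100.7 user=alice result=FAIL
2009-02-25T00:03:04Z src=198.51.100.7 user=alice result=FAIL
2009-02-25T00:03:05Z src=198.51.100.7 user=alice result=FAIL
2009-02-25T00:05:00Z src=192.0.2.44 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Illustrative thresholds; tune them to the login volume you actually see.
SPRAY_MIN_USERS = 5            # one source touching at least this many accounts ...
SPRAY_MAX_FAILS_PER_USER = 3   # ... while staying under a per-account lockout
BRUTE_MIN_FAILS = 5            # the classic many-guesses-against-one-account case


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events):
    """Group events by source IP and tag each source as spray, brute_force, or neither.

    Returns {src: {"tags": [...], "users": n, "compromised": [...], "warn": [...]}}.
    'compromised' lists accounts a suspicious source logged into successfully
    (the post's "attackers were successful" case); 'warn' lists accounts it only
    failed against (the "suspicious activity" warning case). Benign sources get
    empty lists for both, so an ordinary successful login is not flagged.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    report = {}
    for src, evs in by_src.items():
        fails = Counter(e["user"] for e in evs if e["result"] == "FAIL")
        oks = {e["user"] for e in evs if e["result"] == "OK"}
        users = {e["user"] for e in evs}
        max_fails = max(fails.values(), default=0)

        tags = []
        if len(users) >= SPRAY_MIN_USERS and max_fails <= SPRAY_MAX_FAILS_PER_USER:
            tags.append("spray")
        if max_fails >= BRUTE_MIN_FAILS:
            tags.append("brute_force")
        suspicious = bool(tags)
        report[src] = {
            "tags": tags,
            "users": len(users),
            "compromised": sorted(oks) if suspicious else [],
            "warn": sorted(set(fails) - oks) if suspicious else [],
        }
    return report


def analyse(text=SAMPLE_LOG):
    """Convenience wrapper: parse and profile in one call."""
    return profile_sources(parse_log(text))


if __name__ == "__main__":
    for src, info in analyse().items():
        print(src, info)
```

On the constructed sample the first source is tagged as a spray (six accounts, at most two failures each, two of them logged into), the second as a brute force against a single account, and the third, a normal successful login, is left alone.  The two flagged lists are exactly the two populations the forum reports describe: the “warn” accounts should see the suspicious-activity notice, the “compromised” accounts should be treated as taken over.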
In any case, if you have been affected, read this article on what your response should entail.  Also, you can turn to the Gmail support forum.

What are the takeaways you should get out of this?  Simple: the more important your account, the stronger its password should be.  If you don’t use the account for anything other than signing up for free promotions then go ahead and use abc123 as your password.  However, if you use it as your daily email, then make it good.  And if you also happen to have Picasa, a Blogger site, and some other Google services tied to the same account, then make sure the password is so difficult to remember and type that even you have to look it up every time you use it.

Unfortunately most people fall prey to the password paradox.  This is the problem that stems from the fact that practically everyone today has 20 or more accounts which require a password.  That is a lot of passwords to remember, and each one needs to be 8+ characters long and composed of letters, numbers, special characters, and ancient Sanskrit characters.  How do you remember all of those bits of gibberish?  You don’t.  You make all your passwords the same.  Admit it.  It’s okay.

Well, now you’ve really upped the ante.  When your Gmail account gets hacked, there is likely an email somewhere deep down in that 2GB data mine you call your Gmail account which discloses which bank you use.  You’re using the same password there as you are for Gmail.  All the attacker needs is your username, which is probably either your email address or just the name portion of it, or which can be retrieved through the bank’s own “forgot username” feature, since that sends it to the Gmail account the attacker now controls.

So, simply stated, the password paradox is an inverse relationship between the effectiveness of a password and its ease of use.  Manifested in everyday life, it is the thing that pushes you to use the same password on multiple accounts or to make your passwords easy to remember and type despite the fact that everyone tells you that’s a bad idea.

What gets lost in these sorts of email account attacks is the potentially devastating impact they can have on individuals.  Your emails have been deleted; who knows what the attacker is doing with the 5000 photos you had on Picasa or flickr; and now they can use the blog you’ve invested so much time in building up (which may be a key part of your business) to cause serious damage to your reputation.  And that’s before we even get into an evaluation of the financial impact.

In the end, I think the real answer has to be something better than passwords.  It is simply unsustainable to have to track so many complex strings.  We’re always going to see news items like this as long as we are relying on them.  The issue is, how do we move to some sort of widespread adoption of smart cards or certificates across so many disparate applications?  In the meantime, I would recommend the following:

  • Use something like KeePass to store your passwords.  Do not write them down, and do not keep them in a “hidden” Word document on your computer.  Keep them in a utility like this which implements strong encryption, and has been reviewed and scrutinized by the community.  And for the love of all things holy, make sure the password to access the KeePass database is STRONG- it protects all your other passwords.  Use a phrase of at least 16 characters using upper and lower case letters, numbers, special characters, and spaces.
  • Assess the criticality of your accounts.  If you have accounts you don’t care about (an email account used only for sign-ups, the local newspaper’s web site, and other unimportant stuff), then sure, use the same password for all of those.  But for your important email account, Facebook, and other personal sites use different passwords.  And your financial sites should always use the strongest passwords, which aren’t reused on anything else.
  • Now that you probably can’t remember all your account passwords, and you’re relying on a utility to access them, make sure you are backing up the KeePass database once in a while!
  • Remember that once your machine is compromised by malware all bets are off.  That malware will log the keystrokes to capture your KeePass password or the password of any other application you use.  Then it doesn’t matter how strong they are or that they are all different.  Protecting yourself from malware is a whole other article though.
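A concrete way to apply the first two points above, as an added example for this page rather than anything from the original post or from KeePass: audit an exported vault for password reuse that crosses the tiers described above, and check the master passphrase against the rule given above (at least 16 characters with upper and lower case, digits, special characters and spaces).  The vault contents, the site names and the three tier labels are constructed for this example; no particular password manager’s export format is assumed.

```python
import math
import string

# Tiers as the post describes them: financial > primary (daily email, social
# sites) > throwaway (newspaper logins, free promotions). Labels are ours.
TIER_RANK = {"throwaway": 0, "primary": 1, "financial": 2}

# Constructed vault export: (site, tier, password). Sites are example names.
VAULT = [
    ("bank.example", "financial", "Tr0ub4dor&3"),
    ("mail.example", "primary", "Tr0ub4dor&3"),       # bank password reused on the daily email
    ("social.example", "primary", "Tr0ub4dor&3"),     # and again on a social site
    ("blog.example", "primary", "correct horse battery staple"),
    ("news.example", "throwaway", "abc123"),
    ("promo.example", "throwaway", "abc123"),         # shared throwaway: the post allows this
]


def find_reuse(vault):
    """Flag a password shared by two or more sites when any of them is primary or financial.

    Sharing among throwaway accounts only is accepted, matching the post's advice.
    Returns a sorted list of (sorted list of sites, highest tier in the group).
    """
    groups = {}
    for site, tier, pw in vault:
        groups.setdefault(pw, []).append((site, tier))
    findings = []
    for members in groups.values():
        if len(members) < 2:
            continue
        top = max(members, key=lambda m: TIER_RANK[m[1]])[1]
        if TIER_RANK[top] >= TIER_RANK["primary"]:
            findings.append((sorted(s for s, _ in members), top))
    return sorted(findings)


# Character classes the post's master-password rule asks for.
REQUIRED_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
    "space": {" "},
}


def master_passphrase_check(pw, min_len=16):
    """Apply the post's rule for the vault master password; returns (ok, problems)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    chars = set(pw)
    for name, cls in REQUIRED_CLASSES.items():
        if not chars & cls:
            problems.append(f"no {name}")
    return (not problems, problems)


def keyspace_bits(pw):
    """Upper bound on guessing work: length * log2(size of the classes the password draws from).

    This only shows the effect of length and character mix. A phrase built from
    dictionary words is weaker than this number suggests, so treat it as a ceiling.
    """
    chars = set(pw)
    size = sum(len(cls) for cls in REQUIRED_CLASSES.values() if chars & cls)
    return round(len(pw) * math.log2(size), 1) if size else 0.0


if __name__ == "__main__":
    for sites, tier in find_reuse(VAULT):
        print(f"reused password covers {sites} (highest tier: {tier})")
    for candidate in ("Tr0ub4dor&3", "Correct horse, battery staple 9!"):
        print(candidate, master_passphrase_check(candidate), keyspace_bits(candidate), "bits")
```

Run against the constructed vault, the audit reports one finding: the bank password is also used on the daily email and a social site, which is precisely the chain the post describes from a hacked Gmail account to the bank.  The throwaway pair is left alone.  The master-passphrase check rejects the short complex password and accepts the 32-character phrase, and the keyspace estimate makes the length point numerically: the phrase sits well above 200 bits of raw keyspace against about 31 for abc123, with the caveat in the docstring that dictionary phrases are weaker than the ceiling implies.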