TLDR; My Gmail and Google Apps accounts were hacked recently but I could establish my identity, Google restored access in the next three hours. Here are lessons learned and tips that might prevent your Gmail and other Google Accounts from getting hacked.

I frequently get “password assistance” emails in my Gmail inbox that have a link to reset the password of my Google Account. Since I don’t initiate such password change requests myself, it’s clear that someone else is trying to hack into my Google account.

I generally ignore such emails as they also say:

If you’ve received this mail in error, it’s likely that another user entered your email address by mistake while trying to reset a password. If you didn’t initiate the request, you don’t need to take any further action and can safely disregard this email.

I got a similar email yesterday night and ignored it as usual. In the next five minutes, there was a message on my BlackBerry saying that the device is having trouble fetching emails from my Gmail and Google Apps account. Microsoft Outlook too had stopped working by then.

Things were now no longer in my control. Someone had successfully managed to change the password of my Gmail account, my Google Account and the most terrifying part was that the hacker also gained control over my Google Apps Account which is linked to labnol.org and other web domains.

When something like this happens, you tend to get that ‘sinking feeling’ because now all your private information (email correspondence, documents, bank statements, photographs, etc.), your identity on the social web (Twitter, Facebook, Blogger, etc.) and, most important, your online business is not in your hands anymore.

I make a living from this blog but if someone else takes control of the site (by changing a couple of passwords and DNS records), the going can get really tough.

How the Google Accounts were hacked and recovered?

I use a fairly strong password so it can be tough for someone to guess that string. And since I got a password reset email request in the first place, the possibility that the password was cracked can be safely ruled out.

I don’t use Gmail from any public terminal (therefore safe from password stealing keyloggers) and have never clicked on links that may point to a fake Google login page (so no phishing attack either). You cannot associate a “security question” with non-Gmail Google accounts so the possibility that the “security question was weak” is also ruled out.

My assumption is that since my Gmail account is was set as the secondary email address of my Google Apps account, he (or she?) somehow hacked into the Gmail account and from there he gained control of my other Google Accounts. This seems probable but I am not sure.

As soon as I discovered that the accounts were hacked, I posted a message on Twitter, contacted a couple of people at Google and filled up some recovery forms in order to verify ownership. I consider myself lucky because several people went out of their way to help me and access to all the accounts was finally restored in the next 3 hours. The nightmare was over.

Things to do before the hackers strike again!

I won’t ever know who that hacker was except that he left a brief message in my Inbox saying that he didn’t hack my Google account with bad intentions and that he “enjoys exploring the web for vulnerabilities”. The note also says that he is in need of urgent money and asks for a specific amount.

Anyway, here a few important things that I have learned in the process that you might want to implement at your end as well though it’s hard to tell if one can really prevent a determined hacker from stealing your Google accounts.

How to Protect your Gmail & Google Accounts

#1. Log-in to your Gmail / Google Account and associate a phone number. This is useful because you’ll then receive an SMS text message whenever someone tries to recover your Google password.

#2. Create a new email address (on say Yahoo! Mail or Gmail itself) and set this as the secondary email address for your existing Gmail and Google Accounts. Check for emails on this new account manually or through a desktop client via POP3 / IMAP but do not enable auto-forward for the new email address as the original purpose will be defeated.

#3. Take a paper and write down the following information about your Google Account. You will need this to verify your identify to Google in case someone else takes over your Google Account and the secondary email address associated with your account.

  • The month and year when your created your Gmail / Google Account. You can look at the last page of your Gmail Inbox (or go to Sent Items) to get an approximate idea of the date when you created the account.
  • If you created a Gmail account by invitation, write the email address of the person who first sent you that invite for Gmail. Use a search query like “in:all has invited you to open a free Gmail account” to find that invitation email.
  • The email addresses of your most frequently emailed contacts (the top 5).
  • The names of any custom labels that you may have created in your Gmail account.
  • The day/month/year when you started using various other Google services (like AdSense, Orkut, Blogger, etc.) that are associated with the Google account that you are trying to recover. If you’re not certain about some of the dates, provide your closest estimate*.
[*] For Analytics, look at the first date when it started collecting stats for your website(s). For Orkut, look at the last page of your scrapbook. For AdSense, you may take the help of your AdSense account manager.

#4. It goes without saying but do not use the same password for your main Google / Gmail account and your secondary email address.

#5. If you access Gmail and other Google services over a Wi-Fi network, make sure that you always use the secure URLs like https://gmail.com. Go to Gmail settings and set ‘Browser Connection’ to ‘Always use https.’ This might make your Gmail access a bit slower but your account will be more secure.

#6. Once in a while, do refer to that little line in the footer section of your Gmail Inbox that shows the different IP addresses from where your account is being accessed. If you find an unknown IP address, change your Google password immediately. The person who hacked my Gmail accounts configured them with his Hotmail account so he could effectively read all my email communication remotely from his Hotmail inbox without ever logging into my Google account again. I could figure that out only after I saw an IP address from a Microsoft server in my Gmail activity log.

#7. You should also consider copying emails from Gmail to another service (like Yahoo! Mail or Hotmail – it is effortless) so when your Gmail account is compromised, you at least have access to all your previous emails. Or you can configure a desktop email client like Outlook or Thunderbird with your Gmail account (via POP3 or IMAP) and thus you’ll have an automatic offline backup of your Gmail Inbox.

#8. Do a test run. Log-out of all your Gmail / Google Accounts and initiate the password recovery process for each one of them using this form. This will help you make sure that your SMS settings and secondary email addresses are configured correctly.

For Google Apps users

#9. You should always have a public email address on your website that others can use to contact you directly. This public email address will also help people find and connect with your on social networks like Facebook, LinkedIn, etc. However, you should make sure that you don’t provide administrative privileges to this email address in Google Apps because if someone hijacks this account, he will effectively take over your Google Apps domain. Create a new user in Google Apps as an administrator and never share this username with anyone else.

#10. If you have lost access to your Google Apps dashboard, you’ll have to create a new CNAME record pointing to google.com to verify that you are actual owner of that web domain. To reset the password for the administrator of your Google Apps domain via your domain hosting company, the URL is:

https://google.com/a/cpanel/xyx.com/VerifyAdminAccountPasswordReset

 

[*] Replace xyz.com with your own domain address.