…cracked, compromised, stolen, whatever.
The first symptom, as far as you can tell, is probably a bunch of your friends casually asking you what kind of crap it is that you’ve been sending them. It’s only when you ask them to show you the messages they’re referring to that you realize that some Nigerian, Russian, Chinese (or, for that matter, American, French, Japanese, what-have-you) son of a bitch controls your account and is blasting out garbage to all your friends.
Even more nefariously, a lot of these are plausible-sounding messages, like one I received recently from an email contact purporting to be stranded in Madrid after his wallet, passport, keys, phone, and plane ticket were stolen, begging his friends to call him on a local number for instructions on how to wire some emergency cash. Frequently, the only thing that gives such messages away at a cursory glance is the piss-poor spelling and grammar used by the scam artists responsible.
This post is sort of directed at non-technical people, who maybe don’t check their personal mail all that often. Yes, it’s confusing, and yes, it’s not fair, and yes, it’s hard work. So are taxes. If you’re not lucky, not only do all your friends now think you’re an idiot, but all your email has been deleted.
First, see if the mail is still around. Check the trash and ‘all mail’ links. Maybe you’re lucky. Google does not restore deleted mail from backups.
To make sure nobody is able to hack your account again (e.g. through a backdoor the attacker left behind), go to
https://www.google.com/accounts/ManageAccount?service=mail&hl=en
Under “personal addresses” go to “email addresses” (top right). Make absolutely sure that any addresses for which password recovery is enabled are only ones you trust. Otherwise an attacker could just say “hey, I want a password reset sent to my address”. Smart attackers leave their own addresses there.
To understand how this could have happened, here are some more common ways in which someone can “hack” your gmail account:
- trojan on your PC
- sniffed password (you do use SSL by default, right? It’s a gmail option to always force SSL)
- sniffer on a shared system (Internet cafe)
- untrusted app
- xss / cookie stealing
Trojans
That is short for “trojan horses”. These are often self-replicating viruses, either downloaded from malicious web sites that were hacked (in some cases you won’t even know; you may be using an older browser like Internet Explorer 6) or delivered through an unpatched Adobe Acrobat or Flash. They may also come from someone attacking your PC over the network, say in an Internet cafe. You may not see these: you open a website like you usually do, but it’s been compromised, and boom, that’s it. Invisible, annoying. Or your laptop/workstation may be attacked remotely, using a security hole in the operating system.
How to deal with them? Regularly update your browser to the latest version and install operating system security patches. Make sure you have an up-to-date virus scanner, and do regular scans. Turn on your PC’s firewall (google for Windows firewall or Mac firewall; both systems have a semi-decent one built in that will at least give you rudimentary protection). Avoid using open wireless networks and visiting sites you don’t know whenever possible.
Sniffed password
You do have a strong password, right? Strong passwords have
- 8 characters or more
- a mix of upper/lowercase letters
- numbers thrown in
- non-alphanumeric characters (e.g. !, ?)
Use mnemonics to more easily remember passwords (Ih8h@ck3rs!) or pass phrases (actual sentences) if a website / application supports them.
Your password can still be stolen by being “sniffed”: this means that you are logging into Gmail without the connection being encrypted. Have you bought stuff online and seen the little lock at the bottom of the page? That means your browser is using encryption to make sure anyone listening in cannot “sniff” your password. SSL, or “secure sockets layer”, is that little lock in the web browser. To enable it by default in gmail, go to settings->general->browser connection and set it to ‘always use ssl’.
Next, check your applications and make sure there’s only stuff there that you yourself enabled. Delete anything you didn’t.
Lastly, on your gmail main page, go to google labs (the green erlenmeyer flask icon at the top right next to the “settings” link) and make sure that only labs apps you yourself enabled are active. Deactivate all others.
Sniffing on a shared system / Internet cafe
Password sniffing is quite difficult when, say, you’re connecting from home. It is _very_ easy when you are at an Internet cafe. Wireless connections can be encrypted via WEP or, better, WPA or WPA2, all supported by almost all wireless cards in laptops. If a wireless connection requires a password, it’s usually at least somewhat safe. WEP is not all that safe, but it’s better than nothing. If you are at an Internet cafe using a shared PC, you risk that someone has installed a piece of software that can “read” whatever password info you type (known as a “keylogger”). There are ways to ensure that this doesn’t happen (e.g. the system is reinstalled from scratch after each reboot, which is not that complex), but you can’t count on the cafe doing that. Your best defense is to buy a small netbook or something and take it with you.
When using an Internet cafe, never click anything that offers to remember your password. When you log out, always clear any stored information, e.g. cache, passwords and cookies. Here is a link that explains how on various browsers.
Furthermore, most modern browsers have a feature called “private browsing” or some variation thereof. This means that nothing is stored while you’re online. Use it.
Untrusted applications
See the note above about google apps. Also, when you download software or docs, obviously never run/open anything you do not explicitly trust. Have a good virus scanner and run it regularly.
Cross-site scripting (XSS) / cookie stealing
Cookies are bits of information that websites use to remember things about you — for example, when you log into amazon and return later, a cookie is what is placed on your PC to let you auto login again.
These can be “stolen” and used to impersonate you, e.g. when you use an Internet cafe system. To help protect against this, whenever you are done browsing, manually log out of everything, and go to your browser’s “clear history” link (e.g. on Firefox, under Tools -> Clear Recent History).
They can also be stolen while you are online, although that is a bit more complex. XSS is “cross site scripting”, which basically means that if you have a browser open and visit a trusted site in one window and a malicious site in another window (again, the “malicious” site may just have been hacked and not be aware of it), the guy who has taken over the “bad” site can intercept and steal your session with the “good” site. This is probably where most google account hacks come from.
To guard against that, when you log into gmail or another service, make sure it’s the only browser window you have open; don’t multitask with several tabs unless it is to visit sites you know are legitimate.
This can all happen even if you take all due precautions, but it is rare.
Also, regarding passwords, make sure you have a STRONG one. That is, at least 8 characters, alphanumeric, mixed case, some special symbols thrown in (!?*whatever) and nothing that could be tied to you (name, birthday, etc.). Use a mnemonic (e.g. ilikechinese -> 1l1k3ch!n353!).
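If you want to check a candidate password against the rules listed above (length, mixed case, numbers, special characters, and nothing tied to you), here is a small Python checker. It is an added illustration, not code from the original post; the personal-info list is a constructed sample you would replace with your own name, birth year and the like.

```python
import re

# Constructed sample of details an attacker could guess about you
# (name, birth year, pet). Replace with your own.
PERSONAL_INFO = ["john", "1979", "fido"]


def password_problems(password, personal_info=PERSONAL_INFO):
    """Return the list of rules from the post that the password fails.

    Rules: 8+ characters, a mix of upper/lowercase letters, numbers,
    non-alphanumeric characters, and nothing tied to you.
    An empty list means the password passes every rule.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of upper/lowercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric characters")
    # Personal info is matched case-insensitively anywhere in the password.
    lowered = password.lower()
    for item in personal_info:
        if item.lower() in lowered:
            problems.append(f"contains personal info: {item}")
    return problems


def is_strong(password, personal_info=PERSONAL_INFO):
    """True only when no rule from the post is violated."""
    return not password_problems(password, personal_info)


if __name__ == "__main__":
    for candidate in ["Ih8h@ck3rs!", "ilikechinese", "1l1k3ch!n353!", "John1979!x"]:
        print(candidate, "->", password_problems(candidate) or "OK")
```

Note that the leetspeak mnemonic from the post passes every rule except mixed case, which the checker reports.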
A precaution: back up your email account. Here are 3 million search results for “gmail backup”.
From my latest victim friend:
Thanks for helping me John – it’s been a fucking nightmare as a freelance writer – I’ve lost so much material!
The same thing can happen with Hotmail, Yahoo!, LinkedIn, Facebook, Plaxo, anywhere you store large amounts of contact info. Standard precautions apply. And as always, nothing is foolproof.
