Someone tried to hack into two of my email accounts last night

  • 23-03-2014 9:28pm
    #1
    Closed Accounts Posts: 6,925 ✭✭✭


    So I got warning emails and texts from Google last night telling me that somebody had a go at two of my email accounts - one a gmail account, and the other a different domain, hosted by Google/gmail. The wording of the warning message is a bit strange, with the IP address masked out:
    Hi Rainy,

    Someone recently used your password to try to sign in to your Google Account - rainyday@gmail.com.

    We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
    Saturday, March 22, 2014 5:38:34 PM UTC
    IP Address: nnn.nnn.nnn.nnn (nnn-nnn-nnn-nnn-dynamic.b-ras1.prp.dublin.eircom.net)
    Location: Dublin, Dublin City, Ireland

    If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

    Reset password

    Sincerely,
    The Google Accounts team

    Should I be taking the wording of this message literally, i.e. that someone else actually had my password, for both of these accounts?

    I'm guessing that somebody that knows me was having a go at the two accounts. I've changed both passwords, and I've asked Eircom what their process is for investigating such attacks, but is there anything else I can or should be doing about this?



Comments

  • Registered Users, Registered Users 2 Posts: 6,242 ✭✭✭bonzodog2


    They just say someone tried, not that they were successful. If they were successful, you prob wouldn't get an email at all. Change the PW if you're worried.


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    bonzodog2 wrote: »
    They just say someone tried, not that they were successful. If they were successful, you prob wouldn't get an email at all. Change the PW if you're worried.

    They literally say that somebody had my password - "Someone recently used your password to try to sign in to your Google Account"

    So do they really, really mean that somebody used my password?


  • Registered Users, Registered Users 2 Posts: 55,529 ✭✭✭✭Mr E




  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    Mr E wrote: »

    Also got a text message to my nominated text account at the same time, so it is genuine. When I logged in to Gmail to check the password, I could see a list of hack attempts yesterday.

    Actually, I've realised that they didn't attack two separate email accounts. I got warning messages to my main email AND the alternate email account, but both related to hacking of the main account.


  • Registered Users, Registered Users 2 Posts: 3,735 ✭✭✭Stuxnet


    +1 for 2 step authentication. Also give LastPass a shot: generate some random long 30 character obscure password for your accounts, and you won't need to ever remember a password again (bar your master password)... peace of mind!


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    The two step authentication works very well, but there are some implementation glitches in it for certain Google services.

    I had major issues with it when I changed to a new Android phone. Gmail couldn't seem to authenticate and I had to turn it off and back on again then input new passwords for my Mac and other devices.

    It's good though, just not perfect.


  • Technology & Internet Moderators Posts: 28,820 Mod ✭✭✭✭oscarBravo


    You can generate one-time passwords for anything that doesn't cope well with two-factor auth. It definitely adds a minor layer of inconvenience, but as a security/convenience tradeoff it's a no-brainer for me.


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    oscarBravo wrote: »
    You can generate one-time passwords for anything that doesn't cope well with two-factor auth. It definitely adds a minor layer of inconvenience, but as a security/convenience tradeoff it's a no-brainer for me.

    Yeah I know that but, Android didn't cope well! I had major issues with my HTC One for some reason.. Might try again now that I'm on 4.4.2


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    Thanks for the suggestions. I saw the two-factor thing while I was in the Gmail security settings, so I'll go back and have a further look at that. I mostly use Gmail via Outlook at home and via the Android app when on the move. Can I expect the two-factor thing to work smoothly with both of those?

    Interestingly, my initial question was actually aimed at another aspect of the problem. I was wondering what I can reasonably do to follow up or report or investigate the fact that somebody has had a go at me. It looks like they haven't made much effort to mask the IP address of the attack. Google Maps is giving me a fairly specific location for that IP address, though I'm not sure if the location relates to the end user, or the Eircom exchange or what. It's just a suburban street address.

    Either way, is there anything more I can do with Eircom or Gardai or whoever to see that the attempted attack gets investigated and followed up?


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    Basically you download an app to your Android or iPhone.
    You set up the 2-step access on Gmail.

    Some apps will automatically work with it i.e. Google stuff on your android phone usually.

    For others, you can generate an app specific password. You'll quite likely have to do that for Outlook (probably for incoming and outgoing servers separately too). It's a minor annoyance but it's once off.

    In my case, I'd an issue with an older version of Android. Current ones should be fine.


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    RainyDay wrote: »
    Either way, is there anything more I can do with Eircom or Gardai or whoever to see that the attempted attack gets investigated and followed up?

    You could do, but the simplest solution is to secure your account.

    It could simply be someone with a similar user name trying to login too.

    I just re-activated 2-step verification on my accounts (your thread reminded me!) and it was pretty painless with Android 4.4.2 anyway.

    You just need to log in once and the apps on the phone figure it out.

    There's an Authenticator app that generates tokens to log in with.


  • Registered Users, Registered Users 2 Posts: 1,456 ✭✭✭FSL


    I don't use anything from google apart from the search engine so I'm not familiar with gmail.

    What seems strange is that if two factor authentication was not set up how could Google know that whoever entered the correct password was not the account owner?


  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    No chance of getting the guards to look into it and eircom won't do anything without a court order. All the guards might (will) do is create a record on Pulse and it'll drop onto the list for computer crime unit behind every murder, bank robbery, serious incident etc. ... that needs their help.


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    Main thing is to re-secure your account.

    Did you log in from a public computer or at work or anything like that?

    It could also be spam of some sort and a fake message.

    Check the headers carefully!
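
One way to do the header check suggested above, as an added example that is not part of the original post. It reads the `Authentication-Results` header stamped by your own receiving mail server and compares it with the `From` domain; `mx.mymail.example` and `provider.example` are placeholder names, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def parse_auth_results(value):
    """Return (authserv_id, {method: (result, {property: value})}) for one header."""
    parts = [p.strip() for p in value.replace("\r", "").replace("\n", " ").split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    methods = {}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"(\w+\.[\w-]+)=(\S+)", part))
            methods[m.group(1).lower()] = (m.group(2).lower(), props)
    return authserv_id, methods

def check_warning(raw, trusted_authserv, expected_domain):
    """List reasons to distrust the message; an empty list means the headers check out."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    problems = []
    if from_domain != expected_domain and not from_domain.endswith("." + expected_domain):
        problems.append(f"From domain {from_domain!r} is not under {expected_domain!r}")
    # Only results stamped by your own receiving server count: the sender can
    # put any Authentication-Results line they like into the message they send.
    results = map(parse_auth_results, msg.get_all("Authentication-Results", []))
    trusted = [m for sid, m in results if sid == trusted_authserv]
    if not trusted:
        return problems + ["no Authentication-Results from the trusted server"]
    result, props = trusted[0].get("dmarc", ("none", {}))
    if result != "pass":
        problems.append(f"dmarc={result}")
    elif props.get("header.from", "").lower() != from_domain:
        problems.append("dmarc result is for a different From domain")
    return problems

# Constructed samples: mx.mymail.example is the reader's own mail server and
# provider.example stands in for the provider's real sending domain.
GENUINE = """\
Authentication-Results: mx.mymail.example;
 dkim=pass header.i=@provider.example;
 spf=pass smtp.mailfrom=provider.example;
 dmarc=pass header.from=provider.example
From: Accounts Team <no-reply@provider.example>
Subject: Suspicious sign-in prevented
"""
SPOOFED = """\
Authentication-Results: mx.mymail.example;
 spf=softfail smtp.mailfrom=bulk.mailer.example;
 dmarc=fail header.from=provider-alerts.example
Authentication-Results: mx.sender.example; dmarc=pass header.from=provider.example
From: Accounts Team <security@provider-alerts.example>
Subject: Suspicious sign-in prevented
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_warning(raw, "mx.mymail.example", "provider.example"))
```

The display name is identical in both samples; only the address domain and the trusted server's DMARC verdict separate them.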


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    RainyDay wrote: »
    Thanks for the suggestions. I saw the two-factor thing while I was in the Gmail security settings, so I'll go back and have a further look at that. I mostly use Gmail via Outlook at home and via the Android app when on the move. Can I expect the two-factor thing to work smoothly with both of those?
    Yep, it should do. Basically you 'authorise' devices/apps once and can use them without 2 factor from then on, so aside from the minor extra inconvenience at the start and when adding new devices/apps, it works completely smoothly.
    RainyDay wrote: »
    Interestingly, my initial question was actually aimed at another aspect of the problem. I was wondering what I can reasonably do to follow up or report or investigate the fact that somebody has had a go at me. It looks like they haven't made much effort to mask the IP address of the attack. Google Maps is giving me a fairly specific location for that IP address, though I'm not sure if the location relates to the end user, or the Eircom exchange or what. It's just a suburban street address.
    Eircom will have a block of IPs all pointing at that address, so they are the only ones who will legitimately know who had it at any given time. As above though, they (quite rightly) aren't going to release that unless they get a court order to do so. I'm no lawyer, but given that Gmail blocked the access the Gardai are unlikely to be able to do anything as technically nothing was accessed that shouldn't have been, despite them somehow having your password.
    FSL wrote: »
    What seems strange is that if two factor authentication was not set up how could Google know that whoever entered the correct password was not the account owner?
    Similar to credit card companies, Google will block anything they consider 'unusual activity'. The most obvious example of this is location, if your Gmail account is normally used in Ireland, but then within a few minutes of logging into it here, someone tries to log into it from say China, there's something odd going on so they'll block it. What criteria they used in this instance would be interesting to see though as it was blocked from Dublin.
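
The location rule described above, written out as an added example that is not part of the original post and is not Google's actual logic: a generic "impossible travel" check that flags a login when the distance from the previous one could not be covered in the elapsed time. The thresholds and the sample logins are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    when: datetime
    lat: float   # geo-IP estimate, degrees
    lon: float
    place: str

def km_between(a, b):
    """Great-circle (haversine) distance in km between two logins."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev, new, max_kmh=900.0, min_km=100.0):
    """True if getting from prev to new would need more than max_kmh.

    max_kmh (about airliner speed) and min_km (geo-IP is too coarse to judge
    short hops) are assumed thresholds, not values any provider publishes.
    """
    dist = km_between(prev, new)
    if dist < min_km:
        return False
    hours = abs((new.when - prev.when).total_seconds()) / 3600
    return hours == 0 or dist / hours > max_kmh

# Constructed sample logins; coordinates are approximate city locations.
T0 = datetime(2014, 3, 22, 17, 30)
HOME = Login(T0, 53.35, -6.26, "Dublin")
FAR_SOON = Login(T0 + timedelta(minutes=5), 39.90, 116.40, "Beijing")
FAR_NEXT_DAY = Login(T0 + timedelta(hours=24), 39.90, 116.40, "Beijing")
NEARBY = Login(T0 + timedelta(minutes=8), 53.29, -6.14, "Dublin suburb")

if __name__ == "__main__":
    for attempt in (FAR_SOON, FAR_NEXT_DAY, NEARBY):
        print(attempt.place, round(km_between(HOME, attempt)), impossible_travel(HOME, attempt))
```

The nearby attempt is not flagged, so a rule of this kind alone would not account for a block on a sign-in from the same city; some other signal would have to be involved.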


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    SpaceTime wrote: »

    It could also be spam of some sort and a fake message.

    Check the headers carefully!
    The text message warning at the same time is pretty good proof that it is a legitimate message from Google.
    Blowfish wrote: »
    Yep, it should do. Basically you 'authorise' devices/apps once and can use them without 2 factor from then on, so aside from the minor extra inconvenience at the start and when adding new devices/apps, it works completely smoothly.
    Thanks, I'll check that out.
    Blowfish wrote: »
    Eircom will have a block of IPs all pointing at that address, so they are the only ones who will legitimately know who had it at any given time. As above though, they (quite rightly) aren't going to release that unless they get a court order to do so. I'm no lawyer, but given that Gmail blocked the access the Gardai are unlikely to be able to do anything as technically nothing was accessed that shouldn't have been, despite them somehow having your password.

    I know Eircom aren't going to give me any information. I was hoping that they might do a 'one strike' warning of some kind on the hacker, to let them know that somebody is watching over them.
    Blowfish wrote: »
    Similar to credit card companies, Google will block anything they consider 'unusual activity'. The most obvious example of this is location, if your Gmail account is normally used in Ireland, but then within a few minutes of logging into it here, someone tries to log into it from say China, there's something odd going on so they'll block it. What criteria they used in this instance would be interesting to see though as it was blocked from Dublin.

    Yeah, would be interesting to know the criteria. The message does say that someone 'used my password' - does that mean that they actually knew my password, or they tried to login with a wrong password. If they actually knew my password, why would Google block them?


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    Thanks for the feedback folks. I've reported it to Eircom now, so it will be interesting to see what they come back with.

    It's important to me that they 'mark the cards' of the attacker, by letting them know that their actions have been noted. If it happens again, at least there will be a previous record available for any further investigation.


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    Are you 100% sure it's not your own IP address?
    I'm not trying to be funny or anything, but eircom have been shifting around IP assignments in recent months due to major network upgrades.

    I had a similar situation which was caused by a saved old password on a browser and an unfamiliar IP range on eFibre


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    SpaceTime wrote: »
    Are you 100% sure it's not your own IP address?
    I'm not trying to be funny or anything, but eircom have been shifting around IP assignments in recent months due to major network upgrades.

    I had a similar situation which was caused by a saved old password on a browser and an unfamiliar IP range on eFibre

    Interesting point - I don't have Eircom at home, but there is one Eircom router in work that I do use. But the building would have been locked up at the time of the hack, so unless a work laptop went a bit mad for a few hours, and then stopped?


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    RainyDay wrote: »
    Interesting point - I don't have Eircom at home, but there is one Eircom router in work that I do use. But the building would have been locked up at the time of the hack, so unless a work laptop went a bit mad for a few hours, and then stopped?

    Meteor / Emobile could possibly show up as eircom too if you're using them and quite a lot of public wifi hotspots (other than just the eircom ones) use eircom ADSL/VDSL for connectivity too.


  • Closed Accounts Posts: 3,362 ✭✭✭rolion


    A long time ago I set up a few Gmail accounts, one for each of my mobile devices, such as:

    my ACER tablet was acer4me_at_gmail.com
    my ASUS tablet was asus4me_at_gmail.com

    and so on for my car, phone...

    Recently, I had to log in to retrieve a silly code for an application.
    Wasn't sure of the correct email address used and I tried a few until I got the right one!

    Reading and living your experience... I can't imagine the reaction of the poor guys that unfortunately had/have the same address to the message received re someone trying to hack into their account! :)


  • Banned (with Prison Access) Posts: 3,130 ✭✭✭Roquentin


    Lads, I got this email off Google as well today, saying someone from America had my password and tried to hack into my account. Changed the password, and using the two step thingy now.

    Pointless really as I have nothing of note on the email.

    Just wondering though, how did this hacker get my password?


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    Two step verification's actually a pretty rock solid way of ensuring this can't happen.

    Just change all your passwords if you're that worried and set it up.


  • Banned (with Prison Access) Posts: 3,130 ✭✭✭Roquentin


    SpaceTime wrote: »
    Two step verification's actually a pretty rock solid way of ensuring this can't happen.

    Just change all your passwords if you're that worried and set it up.

    But how did they get my password?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Either way, is there anything more I can do with Eircom or Gardai or whoever to see that the attempted attack gets investigated and followed up?

    You'd be as well off going to mass and telling your story to the priest in the confessional for all you will get out of Eircom and the Gardai. Not entirely their fault. If I was attempting to breach your account I wouldn't do it from home. I'd do it using next door's wireless, or the one in Starbucks.


  • Banned (with Prison Access) Posts: 3,130 ✭✭✭Roquentin


    syklops wrote: »
    You'd be as well off going to mass and telling your story to the priest in the confessional for all you will get out of Eircom and the Gardai. Not entirely their fault. If I was attempting to breach your account I wouldn't do it from home. I'd do it using next door's wireless, or the one in Starbucks.

    This guy with me was over in Kentucky, so no use with the Gardai :D


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    Roquentin wrote: »
    But how did they get my password?

    Guessed it, or intercepted it somehow. Or, it could be spam and a fake warning.

    All you can realistically do is lock the account again. There's very little the Gardai can do.

    You should report it to Google though if it's a Gmail issue.

    You shouldn't use passwords that are short or easy to guess as they can be basically guessed by a brute force attack. That's prevented as Google will usually lock an account after X bad password attempts, but it's not beyond the realms of possibility that it's just been guessed.

    If you used your password on a PC that was compromised somehow with a key logger or various trojans and viruses it could have been captured.

    You should start by implementing 2-step verification immediately as that's actually not entirely dependent on your password.

    After that, scan all your PCs for malware and make sure you're not using dodgy non-Play Store apps on your Android phone.

    There are plenty of places your password could have been intercepted: an unsecured PC with malware on board or a dodgy Android phone that's had its security systems overridden.


  • Banned (with Prison Access) Posts: 3,130 ✭✭✭Roquentin


    SpaceTime wrote: »
    Guessed it, or intercepted it somehow. Or, it could be spam and a fake warning.

    All you can realistically do is lock the account again. There's very little the Gardai can do.

    You should report it to Google though if it's a Gmail issue.

    The message itself was legit. GMAIL sends them out if you try to use another computer in another country across the ocean to get into your account.

    Do you know for certain whether the hacker had my actual password or whether he was just trying different combinations?


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    Roquentin wrote: »
    The message itself was legit. GMAIL sends them out if you try to use another computer in another country across the ocean to get into your account.

    Do you know for certain whether the hacker had my actual password or whether he was just trying different combinations?

    Gmail won't allow you to keep making password attempts; it'll lock you out. I would suspect you've entered your password on a compromised PC or Android phone.

    Did you use your Gmail on any unfamiliar devices recently? Internet Cafe computers, someone's laptop etc?

    Is your PC definitely virus-free?

    You could quite easily have a key logger or something on your machine.

    I would suggest running a full virus scan and changing ALL your passwords from a PC or Mac that's known to be secure and safe i.e. running the latest version of Windows or Mac OS X, updated and if it's Windows in particular running a virus scanner with updated definitions.

    Particularly change passwords for anything financial like PayPal that uses very simple user name + password combinations.

    Setup 2-step verification on everything else that has it.


  • Banned (with Prison Access) Posts: 3,130 ✭✭✭Roquentin


    SpaceTime wrote: »
    Gmail won't allow you to keep making password attempts; it'll lock you out. I would suspect you've entered your password on a compromised PC or Android phone.

    Did you use your Gmail on any unfamiliar devices recently? Internet Cafe computers, someone's laptop etc?

    Is your PC definitely virus-free?

    You could quite easily have a key logger or something on your machine.

    I would suggest running a full virus scan and changing ALL your passwords from a PC that's known to be secure and safe. Particularly anything for Paypal etc.

    Maybe the phone. That may be the weak link. I'm not great at computers so, but I have AVG and Kaspersky anti virus and I would be careful about what I go onto on my computer. Usually Google News, Sky News, Amazon, a few forums. Legit stuff.

    How would I check for a key logger?

