The spam-blocking technology in Gmail is fairly effective, but that doesn’t mean spammers and criminals don’t want to use Gmail to send dubious messages. A blog post from Google notes a dramatic increase in attempts to hijack individual accounts.
“We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time,” Google security engineer Mike Hearn wrote in the post. “A different gang attempted sign-ins at a rate of more than 100 accounts per second.”
Those attempts have been thwarted by a range of controls in Google’s systems. As well as encouraging the use of two-factor authentication (something we definitely recommend), Google checks every login attempt against what it already knows about how your account is used.
“Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you,” Hearn wrote. “In fact, there are more than 120 variables that can factor into how a decision is made.”
An update on our war against account hijackers [Official Google Blog]