Around my house, hacked email accounts were something that happened to other people—relatives with weak passwords, generally, or TV current affairs story subjects. Until yesterday, when my wife emailed everybody about "gps ,TV LCD,cell phones ..."
She didn't really blast-mail everyone about a spammy electronics site, of course—whoever broke into her Gmail account did. They also changed her signature to incorporate the same poorly-worded pitch, and turned on a vacation auto-responder to reply with the same. The mailings and confused replies started at 12:49 p.m., and we had her account cleaned out and, thankfully, password changed by 1:10 p.m. But we both learned a few important lessons about email security, and dealing with lapses in it, during the short but intensely aggravating break-in.
The first was that we had no idea how someone got her password and got into her account. Her old password wasn't up to NSA standards, but it was a phrase not found in a dictionary with a few numbers after it, which we'd both figured was good enough for a site run by a legitimate firm like Google. Our home wireless network is encrypted (WPA2) and restricted by MAC hardware addresses, so it's doubtful it came up there. Still, though, somebody we didn't know got in, and we could only guess at a few possible causes:
- "Open" wireless networks: Oftentimes, my wife or I will jump onto a random, non-secured wireless point from my iPod touch or one of our laptops to check email. While we were on vacation in Europe recently, this was definitely a daily occurrence.
- Staying logged in on other computers: Friends and relatives are often nice enough to let us log into our Gmail accounts on their own desktops or laptops. If they don't have their own accounts with the big G, and we forget, we could stay logged in on their systems long after we leave.
- Phishing attack: My wife uses Internet Explorer 7 on an up-to-date Windows XP system, so there are supposedly both an anti-phishing filter and a firewall to prevent sites from pretending to be a Gmail log-in screen or key-logging her. Still, though, a distracted mind might not notice a single curious link.
- The password just wasn't good enough: Entirely possible, if someone hit on the right combination of username and password, or perhaps tracked it back from its being used in similar form on another, less-secure site (which my boss definitely recommends against).
Then there are just general fears about net security and passwords. A few domain administrators fell victim to email-related attacks recently, and being unable to convince my wife to switch browsers leaves me regularly concerned.
But there's no real way, it seems, of knowing how her password got out, and so it's just an embarrassing fluke for my wife, and her tech-obsessed husband is more than a little red-faced as well. And one feels seriously vulnerable knowing that someone with experience busting into webmail accounts had access to years of messages. But in dealing with the break-in, we've picked up a few good practices for dealing with, and hopefully preventing, something similar happening in the future.
Clean out your contacts: Assuming the hacker(s) really did just want to get their stupid link in everyone's face, the worst part of the experience for my wife was having to send out an email to everyone in her contacts, since the hacker hit everybody in her "suggested" contacts (people she's emailed at least once, auto-saved by Gmail) with the spam. That meant people she'd only mailed once or twice for online auctions, lost acquaintances she hadn't planned on chatting with again, relatives, in-laws—you name it. I'm definitely weeding through my own contacts now, deleting anyone I really don't email anymore, and who I certainly wouldn't want to spend time replying to after receiving a message akin to "What is this? Who are you?"
Be short, but courteous, in your clean-up email: After quickly changing the account password and turning off all the trickery, I set up an email with everyone in her contacts put into the BCC field. We spent a good ten minutes thinking of ways to explain, apologise, and maybe elicit sympathy, but realised that people had already been annoyed once, so a quick message was best: Account compromised, don't click that link, apologies, thanks.
Use Gmail's mass sign-out tool: I knew about Gmail's multiple session info and remote sign-out tool because, well, I write for Lifehacker. My wife didn't, however, and it would've come in handy whenever she thought she might've been signed in elsewhere. And had I thought to screenshot the session info during the break-in, I might've had some help in figuring out where the compromise came from.
Keep passwords and accounts out of your email: Luckily, a few quick searches reveal that my wife never sent an account password, or even an account number, over her email. The seemingly unlimited storage and search-ability of Gmail makes it a tempting place to stash your life's details, but once someone gets in, that can work against you in some pretty dire ways.
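If you'd rather not trust a handful of keyword searches, here is an added example (not part of the original post, and not a Gmail feature) of a small Python script that does the same sweep over a mailbox export in mbox format. The sample mailbox is constructed inline, and the search patterns and the Luhn check used to weed out random 16-digit numbers are my own assumptions about what a leaked credential looks like; it is a triage aid, so expect to read the hits yourself.

```python
import mailbox
import os
import re
import tempfile

# Constructed sample mailbox (not real mail) in mbox format.
SAMPLE_MBOX = """From alice@example.com Mon Jan 01 12:00:00 2008
From: alice@example.com
To: bob@example.com
Subject: the login

password: hunter2

From alice@example.com Mon Jan 01 12:05:00 2008
From: alice@example.com
To: bob@example.com
Subject: photos

Here are the holiday photos, enjoy.

From bank@example.com Mon Jan 01 12:10:00 2008
From: bank@example.com
To: alice@example.com
Subject: statement

Your card number 4111 1111 1111 1111 is on the statement.

From shop@example.com Mon Jan 01 12:15:00 2008
From: shop@example.com
To: alice@example.com
Subject: order

Order reference 1234567890123456 has shipped.
"""

# Assumed patterns: "password is/:/= <value>" and runs of 12-19 digits
# with optional space or dash separators (card or account numbers).
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd|pin)\b\s*(?:is|:|=)\s*(\S+)", re.I)
NUMBER_RE = re.compile(r"\b(?:\d[ -]?){12,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out most numbers that are not card/account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def message_body(msg) -> str:
    """Concatenate the text/plain parts of a message, decoded to str."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def scan_message(msg):
    """Return a list of (kind, matched_text) findings for one message."""
    body = message_body(msg)
    findings = [("password", m.group(0)) for m in PASSWORD_RE.finditer(body)]
    for m in NUMBER_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("card_or_account_number", digits))
    return findings


def scan_mbox(path):
    """Scan every message in an mbox file; return only messages with findings."""
    results = []
    for _key, msg in mailbox.mbox(path).items():
        findings = scan_message(msg)
        if findings:
            results.append({"from": msg["From"], "subject": msg["Subject"], "findings": findings})
    return results


def scan_mbox_text(text: str):
    """Convenience wrapper: write mbox text to a temp file and scan it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        return scan_mbox(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for hit in scan_mbox_text(SAMPLE_MBOX):
        print(hit["subject"], "<-", hit["from"])
        for kind, text in hit["findings"]:
            print("   ", kind, ":", text)
```

Point `scan_mbox` at a real export and the two messages that need deleting (the plaintext password and the card number) come back, while the shop's order reference is dropped because it fails the Luhn check.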
Use an https:// connection: This goes for Gmail or any other webmail account, and especially on the open wireless networks mentioned above, where anyone nearby can read an unencrypted session. In Gmail, switching to the encrypted version is a setting on the first page of your "Settings." If you're using a Google Apps account that doesn't have that ability enabled, try our Better Gmail 2 Firefox extension, which can force it.
That's my little morning tale of woe and warning. Have you ever had your own or friends' accounts, email or otherwise, compromised? What did you learn from it? Got suggestions for a non-tech-obsessed spouse in building better security into their day? Tell it all in the comments.