Your Gmail is Hacked…What’s Next
Most of you know Marc & I run a business online and because of that business we are open to jerks on the internet trying to hack our accounts. I’m creating this post out of sheer frustration with how this system currently works and how one compromise can tumble the deck of cards to the ground.
So if you’re like most people, you are using Gmail for your email. Gmail has always been free (with the exception of purchasing additional storage) since it is supported by ads, as well as basically data mining your emails (I’m sure they call it targeted marketing). If you’ve ever lost your Gmail password or god forbid been hacked, you already know the process of getting this straightened out is a nightmare. So I’m going to run down a checklist of sorts to maybe help you if this happens to you.
Before I start, I want to say one of the best websites out there for trying to weed through all the website contact BS is called GetHuman; use it, you will be glad you did.
Step 1: You realize your Gmail might have been hacked (denial will set in at this point, because you’ve been so careful)
Step 2: You think maybe I just ‘forgot’ my password and look for the Password Recovery Page
Step 3: Google sends back the following response when you try to reset your password and you know you didn’t associate a Yahoo/Hotmail/MSN account with your Gmail account (this is where you start to freak out)
To initiate the password reset process, please follow the instructions sent to your ******@yahoo.com email address. If you don’t have an alternate email address, or if you no longer have access to that account, please try to reset your password again after 24 hours. At that point, you’ll be able to reset your password by answering the security question you provided when you created your account.
We use the security question for account recovery only after an account has been idle for 24 hours. We do this to prevent someone else from taking over your account.
If you’re unable to answer your security question or access your recovery email account, please complete this form. If you’re concerned about the security of your account, please visit our Security Center.
Step 4: Immediately begin searching for an actual phone number to call customer support (see above about GetHuman), and realize 30 minutes later that there isn’t one. Your ONLY option is to fill out this form and say your account has been compromised. Fill out as much information as you can on this form. They say it will take 24 hours for a response, but with all of this said, WTF Google? I get it, we have an “I use you, you use me” kind of relationship, but when I’ve trusted you with some pretty damn important information, don’t make me wait 24 hours for just a response. I’ve had people say well, you get what you pay for. Really? Is that the acceptable response?
Step 5: Create or use an existing email that you know is secure. If you don’t have one, make one (in fact it’s probably better that you do create a new one). This is the email you will use for the accounts that haven’t yet been compromised. The problem is now, if you change your password on any service you’ve used the hacked email with, guess what, that change is going to be sent to the hacked email account! So have that backup email to use when changing the information on accounts that have not yet been hacked. Also make sure you have a secure password on your accounts. Not sure what a secure password looks like? Test it here. Update: we decided to invest in a password system for the Mac called 1Password. It gets high praise from a number of our friends and colleagues, plus there is an iPhone app too! I know there are PC based password systems, but I’m not familiar with them. If you use a good PC password management system feel free to post it in the comments below.
Step 6: Start contacting all of your financial accounts that you’ve linked to this email. That includes PayPal, banks, credit cards, etc. I will say that working with PayPal & Bank of America has been the best so far. PayPal let us know that the person had transferred $3000 out of our account, but since we called them, they said the transfer would not occur since it was now unauthorized. I also worked directly with BoA and shut down all online accounts. The alternative email will come in handy for any of these services once they verify you are who you say you are. What this whole thing is boiling down to is a big pain in the ass.
Step 7: Go through a list of all the services you have used this email with and change the email and the password. Services like iTunes, WordPress, Amazon, Twitter & Facebook. (I’m still racking my brain thinking of sites that I might have missed)
Step 8: Wait. I’m finding this to be the hardest part. I feel like there are things I can be doing, but I can’t actually think of anything more to do.
Step 9: Evaluate a service like LifeLock. I’m not sure if an email hack is part of their service, but it’s worth checking out. Think of anything that might be in your email that could be used for identity theft. Do you have your social security number listed in an email, or if you’re using Google’s other services like Docs, what is listed in there?
Step 10: Find out if your financial service offers authenticators. Both PayPal & Bank of America offer these. You can order the PayPal security key authenticator for $5 & Bank of America offers SafePass for $19.99. They both work similarly to the authenticator that people use in World of Warcraft. This is your money that we are talking about here, so take the measures to secure it as much as possible!
Well for now, this is all I got. If you’ve been through this and have additional things to share please feel free to add them to the comments below. Thanks for ‘listening’ to me rant.
Update: We received confirmation from Google that they re-enabled the account to the safe email that I created. Total time it took: 6 hours for them to investigate and reset the secondary email. I believe it is critical to provide the information they ask for: 5 emails of people you email frequently, 5 labels you’ve created on the account and the estimated month and year the email account was created.