
Your Gmail is Hacked…What’s Next

Most of you know Marc & I run a business online and because of that business we are open to jerks on the internet trying to hack our accounts. I’m creating this post out of sheer frustration with how this system currently works and how one compromise can tumble the deck of cards to the ground.

So if you’re like most people, you are using gmail for your email. Gmail has always been free (with the exception of purchasing additional storage) since it is supported by ads, as well as basically data mining your emails (I’m sure they call it target marketing). If you’ve ever lost your gmail password or god forbid been hacked, you already know the process of getting this straightened out is a nightmare. So I’m going to run down a checklist of sorts to maybe help you if this happens to you.

Before I start, I want to say one of the best websites out there for trying to weed through all the website contact BS is called GetHuman; use it, you will be glad you did.

Step 1: You realize your gmail might have been hacked (denial will set in at this point, because you’ve been so careful)
Step 2: You think maybe I just ‘forgot’ my password and look for the Password Recovery Page
Step 3: Google sends back the following response when you try and reset your password and you know you didn’t associate a yahoo/hotmail/msn account to your gmail account (this is where you start to freak out)

To initiate the password reset process, please follow the instructions sent to your ******@yahoo.com email address. If you don’t have an alternate email address, or if you no longer have access to that account, please try to reset your password again after 24 hours. At that point, you’ll be able to reset your password by answering the security question you provided when you created your account.

We use the security question for account recovery only after an account has been idle for 24 hours. We do this to prevent someone else from taking over your account.

If you’re unable to answer your security question or access your recovery email account, please complete this form. If you’re concerned about the security of your account, please visit our Security Center.

Step 4: Immediately begin searching for an actual phone number to call customer support (see above about gethuman), realize 30 minutes later, there isn’t one. Your ONLY option is to fill out this form and say your account has been compromised. Fill out as much information as you can on this form. They say it will take 24 hours for a response, but with all of this said, WTF Google? I get it, we have a “I use you, you use me kind of relationship”, but when I’ve trusted you with some pretty damn important information, don’t make me wait 24 hours for just a response. I’ve had people say well you get what you pay for. Really? is that the acceptable response?

Step 5: Create or use an existing email that you know is secure. If you don’t have one, make one (in fact it’s probably better that you do create a new one). This is the email you will use for the accounts that haven’t yet been compromised. The problem is now if you change your password on any service you’ve used the hacked email with, guess what, that change is going to be sent to the hacked email account! So have that backup email to use when changing the information on accounts that have not yet been hacked. Also make sure you have a secure password on your accounts. Not sure what a secure password looks like? Test it here. Update: we decided to invest in a password management system for the Mac called 1Password. It gets high praise from a number of our friends and colleagues, plus there is an iPhone app too! I know there are PC based password systems, but I’m not familiar with them. If you use a good PC password management system feel free to post it in the comments below.

Step 6: Start contacting all of your financial accounts that you’ve linked this email to. That includes Paypal, Banks, Credit Cards, etc. I will say that working with Paypal & Bank of America has been the best so far. Paypal let us know that the person had transferred $3000 out of our account, but since we called them, they said the transfer would not occur since it was now unauthorized. I also worked directly with BoA and shut down all online accounts. The alternative email will come in handy for any of these services once they verify you are who you say you are. What this whole thing is boiling down to is a big pain in the ass.

Step 7: Go through a list of all the services you have used this email with and change the email and the password. Services like iTunes, WordPress, Amazon, Twitter & Facebook. (I’m still racking my brain thinking of sites that I might have missed)

Step 8: Wait. I’m finding this to be the hardest part. I feel like there are things I can be doing, but I can’t actually think of anything more to do.

Step 9: Evaluate a service like LifeLock. I’m not sure if email hacks are part of their service, but it’s worth checking out. Think of anything that might be in your email that could be used for identity theft. Do you have your social security number listed in an email, or if you’re using Google’s other services like Docs, what is listed in there?

Step 10: Find out if your financial service offers authenticators. Both Paypal & Bank of America offer these. You can order the Paypal security key authenticator for $5 & Bank of America offers SafePass for $19.99. They both work similarly to the authenticator that people use in World of Warcraft. This is your money that we are talking about here, so take the measures to secure it as much as possible!

Well for now, this is all I got. If you’ve been through this and have additional things to share please feel free to add them to the comments below. Thanks for ‘listening’ to me rant 🙂

Update: We received confirmation from Google that they re-enabled the account to the safe email that I created. Total time it took: 6 hours for them to investigate and reset the secondary email. I believe it is critical to provide the information they ask for: 5 emails of people you email frequently, 5 labels you’ve created on the account and the estimated month and year the email account was created.


17 thoughts on “Your Gmail is Hacked…What’s Next”

  1. Nate (@theyurtingyeti) says:

    Sorry to hear about the problems. I think hacking is one of the scariest and overlooked problems out there. Very few people (myself included) ever feel it will actually happen to them.

    I don’t mean to pry, but as this happens more and more I’ve been re-evaluating how I secure my passwords and how I choose them.

    Was your gmail password one of those letters/numbers/lowercase/CAPS jobs? I only ask because what I’ve read suggests that those take a far longer time to crack so that it’s almost not worth it for a hacker to try when there are other easier ones out there. I’ve been debating doing this for a while but have yet to get off my ass and go to all my accounts to change the passwords to strong individual passwords yet.

    I’m glad paypal was able to stop the transfer and hopefully that’s a sign that you’ll rebound from this fairly quickly:-)

    [Reply]

    Nicole Reply:

    The account was actually our business email and truth be told I think it was a brute force attack. We are taking some big steps now to secure ourselves better.

    I think because we do everything online, the fact we were able to act as quickly as we did helped a ton. We just checked again with Paypal and the $3000 that was taken is already back in our account.

    [Reply]

  2. Pete Walker says:

    Have you figured out how this happened? Perhaps it was brute forced? Was it a single e-mail account that you shared, or two accounts that both got hacked at the same time?

    I’m thinking if it was two accounts, it sounds like you got a keylogger, and I’d recommend using software from Sunbelt Software (Vipre) or Trend Micro’s Internet Security Pro. Both have free trials, and you may want to install them both (separately, don’t have them both running). This might be a good precaution regardless of whether or not this was a keylogger. Not sure what you are using now, but free = not for me.

    Lastly, you ALWAYS must create a complex password. Anything that contains a dictionary word is very easy to brute force. I recommend 16+ character passwords, mixing letters and numbers. For example – M$rc1saw0wn00b! There are sites that can generate these complex passwords for you, which you can copy/paste into the password field.

    I got my WoW account brute forced years ago because I was lax on my account security, but I vowed to never make the same mistake again. GMail itself is fine, and I’ve never had a problem with it, it’s your password policy, or your anti-virus/spyware protection that’s at fault. I hope you take the above advice to heart, and also vow never to let this happen to you again. Good luck, Nicole + Marc.

    [Reply]

  3. Jay Tennier says:

    Great post! I’ve read about this thing happening so many times, especially the lack of Google support that it’s extremely unfortunate. I think a lot of us have an “it can’t happen to me” about this stuff.

    The only thing I’d add is to be wary of identity theft prevention services because they don’t necessarily do everything you think they will. LifeLock in particular recently settled with the FTC for deceptive advertising:

    http://money.cnn.com/2010/03/09/news/companies/life_lock_FTC_settlement/

    Now that’s not to say that they haven’t changed their service or claims accordingly but it’s just a heads up.

    Sometimes it’s worse to know that you’re unprotected than to think you’re protected when you’re really not.

    [Reply]

  4. Michael says:

    Nicole, I use a separate email address for all my secure information. The password for this email is very complex and long to prevent brute force attacks. This account is through my ISP and I never give it out to any site or person except for financial sites that I do business with. My gmail account is for general communication and online forum registration. I also have a few other email accounts that I give out to other sites where I expect spam to be generated.

    No matter what your email setup is, you want a spam blocker in place. Most site based email now offers this but it is normally off by default; find it and turn it on. Also you will want to check the junk email folder from time to time in case of false positives. Sometimes your password reset emails get put here by mistake.

    [Reply]

  5. Nate says:

    It’s awesome that the paypal money got all restored:)! I’ve certainly learned some lessons from everything you’ve shared. Thanks, and hopefully it will never happen again.

    [Reply]

  6. Jon says:

    Here are 2 important programs that people should think about running on their systems to make sure that all security holes are properly closed off and that there is no personal data on your computer that you don’t know about.

    http://www.identityfinder.com/

    http://secunia.com/vulnerability_scanning/personal/

    I use both of these for my government job and they will help give you a good picture of what is actually on your computer.

    [Reply]

  7. Ouch, been there and have done that. I now make my passwords ridiculously complicated and I maintain a log of every site I sign up for – because it will happen again. Remember that not all hacks are randomly generated passwords, in many cases another system is hacked which has all of your data in it.
    Another trick is putting in the wrong birth date (consistently) in sites that you don’t care about (not your bank).
    Did you/they determine where the hack was initiated from? Probably using proxies but still can track some things…
    Thanks for the post, it is good that people know this actually happens!

    [Reply]

  8. Brandon P says:

    Why not just get LifeLock and be done with it?

    [Reply]

  9. Bob says:

    I have been using LastPass (LastPass.com) for a while now as a password manager on my PC. It got good reviews from reliable sources and has been working well for me. It will allow you to have different passwords for different accounts and manage them for you. Just make sure that the master password for LastPass is secure.

    [Reply]

  10. Nicole says:

    Because LifeLock is not a cure-all and at best it’s an early warning system. LifeLock would not have prevented gmail or paypal getting hacked. Where LifeLock matters is the crap that goes down after everything hits the fan. Personally I still see my security as my responsibility, LifeLock is there to support me.

    [Reply]

  11. Hacked Gmailer says:

    Wow reading your post here was like looking in a mirror, it is so frustrating dealing with the automated gmail recovery page I could scream. Someone somehow got into another gmail account, I never fall for phishing scams and never gave my password out and there are only two places I logged in from and both PCs are clean and behind some tight security – yet they somehow got in 3 times. I recovered it the first two and changed passwords, yet the third time I couldn’t.

    Since I don’t use it for much other than signing up for things, I never sent out much e-mail nor had many folders set up, and to add to that I have had the account for many years and I’ll be darned if I could remember when I created it. So basically I was done, they wouldn’t give me the account back, and now I see the thief has even changed the security question, but in my case I was not even given the opportunity to answer my own; straight away it said something about being unable to use the password recovery and took me right to the recovery form.

    Oh well I will keep trying and if all else fails gonna sign up that account for all the SPAM the interwebs can deliver 😛 Just thought I would share my gmail horror story, fortunately it was not as important an account as yours, glad you got it back.

    [Reply]

  12. planetWayne says:

    You could always bring your email in house and run a mail server, simple to do and free in most cases.

    [Reply]

  13. Candy says:

    http://mail.google.com/support/bin/static.py?page=checklist.cs&tab=29495

    Check out the 2-step verification for Gmail. I’ve used it on my paypal account for quite a while now and my hacker wasn’t able to get into my paypal because of it. I just went through (and in some ways still am going) through this, only they didn’t take over the gmail account, just used it to gain access to my Amazon account. We caught it in time, but a few weeks later and now they had the cojones to call Amazon and get them to change the password on their behalf. LOL. Apparently all you need to do that is some information that could have easily been gotten by them by having been in my Amazon account.

    Maybe this time, we really DO have them. So annoying.

    Thanks for the post, I know it’s older, but wanted to let you know about the 2-step verification if you don’t already!

    [Reply]

  14. BEN says:

    The first and best thing anyone that uses gmail for important transactions should do is enable multifactor authentication. Gmail txts a passkey to my cellphone every time I access it from a new computer.

    [Reply]

  15. Nilty says:

    Gmail does offer a 2 factor authentication app much like the Blizzard one you referenced. You can get special one time passwords for apps or devices such as an Android phone. From the main page for 2 factor you can revoke one time passwords if that device becomes compromised.

    My wife had an email hacked.. Turns out they left behind a rule to forward all Amazon related emails to somewhere else and move it to trash.

    [Reply]
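The forwarding rule Nilty describes is a common way an intruder keeps a foothold after the password is changed, so it is worth auditing filters as part of recovery. As an added example (not from the post or any commenter), this Python script parses a Gmail filter export (the Atom XML that Gmail’s Filters > Export produces, as I understand the format) and flags filters that forward mail off the account or route it to Trash; the sample export and the addresses in it are constructed for this demo.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Gmail's filter export (Atom feed + Google "apps" properties).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample export: one benign filter plus one persistence rule
# of the kind described in the comment (forward Amazon mail, then trash it).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='amazon'/>
    <apps:property name='forwardTo' value='attacker-drop@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""

def parse_filters(xml_text):
    """Return each filter entry as a dict of apps:property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters

def suspicious_filters(filters, trusted_forward_domains=()):
    """Flag filters that forward to an untrusted domain or hide mail in Trash."""
    findings = []
    for f in filters:
        reasons = []
        fwd = f.get("forwardTo")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in trusted_forward_domains:
            reasons.append(f"forwards to {fwd}")
        if f.get("shouldTrash") == "true":
            reasons.append("sends matches to Trash")
        if reasons:
            findings.append((f, reasons))
    return findings

if __name__ == "__main__":
    for f, reasons in suspicious_filters(parse_filters(SAMPLE_EXPORT)):
        print("SUSPICIOUS filter:", f, "->", "; ".join(reasons))
```

The same check applies to forwarding addresses and POP/IMAP access settings, which an attacker can also leave behind; a rule that forwards to a domain you actually own can be whitelisted with `trusted_forward_domains`.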
