Author Topic: Run a security check on your Gmail account - if not already done  (Read 12698 times)

IainB

Following the recent hacking and publishing of Gawker Media customers' (commenters') email IDs and passwords (yes, passwords - how dumb can that be?), I had been checking my Gmail account security - and I had a surprise when I did it (for details, read on).

SUGGEST YOU DO THIS WEEKLY: (if you do not already do it.)
Start up Gmail in your browser.
Near the bottom of the main Gmail page, it says something like:
Last account activity: 57 minutes ago on this computer.  Details

When you click on "Details", you get taken to a page "Activity on this account". A table gives details of the 10 latest accesses, the 1st being your current session.
If you have any open sessions (e.g., if you left sessions open from another PC connected to the account, or if someone has open sessions from unauthorised access to your account), there will be a button that says to close them. Click on that button. The button will go away and you will get something like:
"This account does not seem to be open in any other location."

Now only you are looking at the account.
EDIT 2010-12-29 1112hrs: You have momentarily shut out any other users accessing your account. The objective is to move quickly and prevent any other account users doing anything before signing in again, by which time they will not be able to sign in, because by then you should have changed the account password and security question.
Scan the table for any Browser or POP3 accesses from IP addresses that were not yours from some other location or device.
Take a screen shot of it before doing anything further, because anything you do may scroll the oldest accesses off the table.

You can check the IP addresses here: http://projecthoneypot.org/search_ip.php
It will tell you which country it is in, and whether anything suspect has been reported for that IP address recently (i.e., it is still a "bad" IP address). If they have the IP address, but no recent reports, then it means that they have had reports in the past, but it's probably OK now.

In any event, if there are any IP addresses that were not yours (either for browser or POP3 access), then:

    * change your password immediately (make it a "strong" one);
    * change the security question;
    * SAVE all changes;
    * whilst you are at it, get a second email address in the event you need to restore access to your account, having been locked out from it.
    * whilst you are at it, set up the SMS alert.

I did all this, because, to my great surprise I had POP3 (reading current inbox messages) accesses from some US-based IP addresses. I have no idea what they were up to, but they can't do any more POP3 accesses now.
EDIT 2010-12-29 1112hrs: Because my IP address is in New Zealand, a U.S. access was categorically something unwanted or potentially malign.

Hope this is useful/helpful to someone.
« Last Edit: December 28, 2010, 04:27 PM by IainB »
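
The check described in the post above, scanning the activity table for Browser or POP3 accesses from addresses that are not yours, written out as an added example (not part of the original post). The tab-separated row layout, the known network ranges and all sample rows are constructed assumptions, using documentation-only IP ranges.

```python
import ipaddress

# Networks you expect to see (assumption: your home ISP range and your
# phone carrier's gateway range, which can sit far from where you are).
KNOWN_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # home broadband (constructed)
    ipaddress.ip_network("198.51.100.0/24"),  # phone carrier gateway (constructed)
]

# Constructed sample of the "Activity on this account" table, copied by hand
# as: access type <TAB> IP address <TAB> date/time, newest row first.
ACTIVITY = """\
Browser\t203.0.113.45\t2010-12-28 09:02
POP3\t192.0.2.17\t2010-12-28 07:40
Mobile\t198.51.100.9\t2010-12-28 06:15
POP3\t192.0.2.17\t2010-12-27 23:58
Browser\t203.0.113.45\t2010-12-27 21:30
"""

def parse_activity(text):
    """Turn the copied table into (access_type, ip, when) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        access_type, ip, when = (field.strip() for field in line.split("\t"))
        rows.append((access_type, ipaddress.ip_address(ip), when))
    return rows

def unfamiliar_accesses(rows, known_networks):
    """Group accesses from IPs outside every known network, keyed by IP."""
    flagged = {}
    for access_type, ip, when in rows:
        if any(ip in net for net in known_networks):
            continue  # one of your own connections
        entry = flagged.setdefault(str(ip), {"types": set(), "times": []})
        entry["types"].add(access_type)
        entry["times"].append(when)
    return flagged

if __name__ == "__main__":
    hits = unfamiliar_accesses(parse_activity(ACTIVITY), KNOWN_NETWORKS)
    for ip, info in hits.items():
        # Rows are newest first, so times[0] is the most recent access.
        print(f"{ip}: {sorted(info['types'])} x{len(info['times'])}, "
              f"most recent {info['times'][0]}: look up the IP, then change the password")
```
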

mouser

Re: Run a security check on your Gmail account - if not already done
« Reply #1 on: December 28, 2010, 10:39 AM »
smart  :up:

wraith808

Re: Run a security check on your Gmail account - if not already done
« Reply #2 on: December 28, 2010, 12:19 PM »
At the bottom of the page there's also: Alert preference: Show an alert for unusual activity.

Turn this on, and it will show an alert if there is unusual activity.  I've found all on my account to be benign, i.e. my phone accesses my account from an I.P. that's located a couple of hours away from me for some reason, so a U.S. access isn't necessarily something malign.

Deozaan

Re: Run a security check on your Gmail account - if not already done
« Reply #3 on: December 28, 2010, 12:35 PM »
And if you do see unusual activity, don't forget to click the button that says something like "Sign out all other sessions" so they can't do anything before signing in again and by then you should have changed your password.

IainB

Re: Run a security check on your Gmail account - if not already done
« Reply #4 on: December 28, 2010, 04:12 PM »
@wraith808: Yes, thanks:
"...so a U.S. access isn't necessarily something malign."
I have a New Zealand IP address, which was why the US IP addresses that did a POP3 were a worry. I shall update my post to reflect this.

@Deozaan: Yes, thanks:
"...so they can't do anything before signing in again and by then you should have changed your password."
That was one of the points I was trying to make, but didn't do very well. I shall update my post to make this quite clear.

IainB

Re: Run a security check on your Gmail account - if not already done
« Reply #5 on: December 28, 2010, 04:38 PM »
@wraith808:
> At the bottom of the page there's also: Alert preference: Show an alert for unusual activity.
> Turn this on, and it will show an alert if there is unusual activity.
This seems to be forced on by default in my Gmail, and I cannot change it. I did come across an information link to a Google note that explains that if you try to disable it, it will not be activated for a delay period, for security reasons. I don't recall whether you get an auto email to ask for confirmation that you wanted it disabled. (Which would make sense.)

4wd

Re: Run a security check on your Gmail account - if not already done
« Reply #6 on: December 28, 2010, 05:07 PM »
Quote from: IainB
> This seems to be forced on by default in my Gmail, and I cannot change it. I did come across an information link to a Google note that explains that if you try to disable it, it will not be activated for a delay period, for security reasons. I don't recall whether you get an auto email to ask for confirmation that you wanted it disabled. (Which would make sense.)

You don't - I've had a couple of mine turned off for a while and I never received a confirmation prior to it taking effect.  I think they expect you to notice the next time you log in via browser - something I do very rarely.

eeerrr  :-[  Of course maybe it's different if you have an alternative email or SMS set up - neither of which I use.
« Last Edit: December 28, 2010, 05:21 PM by 4wd »

Deozaan

Re: Run a security check on your Gmail account - if not already done
« Reply #7 on: December 29, 2010, 02:11 AM »
Quote from: IainB
> @Deozaan: Yes, thanks:
> "...so they can't do anything before signing in again and by then you should have changed your password."
> That was one of the points I was trying to make, but didn't do very well. I shall update my post to make this quite clear.

Or maybe I just was lazy and didn't fully read your original post. I think it was me who erred, this time. I just skimmed your post since I already knew about this stuff and somehow missed you describing to do what I said to do. Sorry. :-[

Curt

Re: Run a security check on your Gmail account - if not already done
« Reply #8 on: December 29, 2010, 06:25 AM »
I don't understand why Google doesn't offer to auto mail any private email I may have, if my gmail account is visited by unknown ip addresses. It *sounds* to me as if it would be easy to do.

kyrathaba

Re: Run a security check on your Gmail account - if not already done
« Reply #9 on: December 31, 2010, 06:32 PM »
Just checked mine.  All benign.

IainB

Re: Run a security check on your Gmail account - if not already done
« Reply #10 on: October 08, 2013, 02:38 AM »
A reminder to run that security check.
I revived this thread because something similar just cropped up. Some years back, I had set up a Gmail account that is shared with several other users. It was a bit of an experiment and is used like a Google Group for us all to communicate on issues of common interest, but avoids all the fussing-about with administering a Google Group. Security is not a real issue, and the password was unchanged from the original - a string of several numeric digits, based on part of the phone number of one of the members.

This is the sequence of events:
  1. Email warning received today from Google accounts admin.:
    Hi XXXX,
    Someone recently used your password to try to sign in to your Google Account [email protected]. This person was using an application such as an email, client or mobile device.
    We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
    • Monday, 7 October 2013 14:11:58 o'clock UTC
    • IP Address: xxx.xx.xxx.xx (xxx-xx-xxx-xx.aaaaaa.xxxxxx.co.nz.)
    • Location: Auckland, New Zealand
    If you do not recognise this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.
    ____________________________

  2. I signed in to the Gmail account. A similar warning popped up recommending a password reset because:
    03:11 Application/device sign-in attempt (prevented).

  3. I checked "recent activity" on the Gmail account (per the procedure described in the opening post). The hack attempt apparently had been noted as it came from an unusual device (one we had not used before) and it failed one of the (very useful!) secondary verification challenges that have been introduced to Gmail since we set up the account.

  4. I generated a new and much higher-strength password, using LastPass, and set that PW.

  5. I logged out of all sessions.

  6. I logged out of the Gmail account and then logged in again to check it had all worked OK.

  7. I checked WHOIS and made a note of the email address (from WHOIS screenclip) at the ISP to notify of the hack attempt from an IP address in their domain.


wraith808

Re: Run a security check on your Gmail account - if not already done
« Reply #11 on: October 08, 2013, 09:30 AM »
You can also turn on 2-stage authentication.  It works really well.

IainB

Re: Run a security check on your Gmail account - if not already done
« Reply #12 on: October 08, 2013, 12:12 PM »
Quote from: wraith808
> You can also turn on 2-stage authentication.  It works really well.
+1 - absolutely - kudos to Google - that's why I wrote:
> The hack attempt apparently had been noted as it came from an unusual device (one we had not used before) and it failed one of the (very useful!) secondary verification challenges that have been introduced to Gmail since we set up the account.