Gmail account hacked, apologies to all
I woke up this morning to find that a spambot hacked my gmail account and sent one spam message to all my contacts. This is no small problem: I’ve had my gmail account running as my primary e-mail service for 2+ years [@jbryant], and I feed eight other day-to-day-use addresses into the same account. Further compounding my dread, that same username/password connects all my Google services, because of the automatic expansion of gmail into a wider account over the past year or so. As my first twitter post of the day expressed, “Fucking hell”.
First thing I did was change my password, security question, and scout for odd activity in all of my active google services: nothing suspicious except that one e-mail. Kind people alerted me within 30 minutes of the original spam, which is a blessing. Second, I exported my contacts (nearly 600, since gmail automatically saves all incoming addresses as contacts) into one of my alternate gmail accounts for storage, and deleted all contacts tied to the hacked account. Third: I exported what I could of my mail to my backup account and deleted it as well, just in case the bot tried to scrape addresses from old mail. Fourth: I trimmed the living shit out of my contacts list.
Fifth: In order to figure out what went wrong, I triangulated the list of those spammed against my current address book, looking for differences that would indicate its freshness. My first thought was that a different account had been hacked—like LinkedIn or Twitter—both of which offer a “look for contacts in your webmail” service. I am terrified of the implications of similar services on less ethical sites like Facebook, but I did previously trust both LinkedIn and Twitter with select segments of my contacts. Either way, my list of spam recipients was a current one.
Sixth: I began apologizing profusely to nearly everybody I know.
I’m speculating a bit, but due to my hacked message being marked as spam by my grumbly friends (rightly so), Google automatically locked down my account (also rightly so). Currently I cannot send mail from any of my aggregated addresses tied to my account. I can read all the incoming mail alerting me to the problem, but can’t respond.
Some interesting outcomes of the attack
The message itself:
- The crappy electronics discount company whose URL was the heart of the spam message responded to my righteous-wrath-of-journalism msnbc address clout to deny any patronage of spammers, which I’d expected and disbelieve entirely given the business model evident on their site.
- The spam message itself actually went out twice, in an A-K segment and a J-Z segment. In the former, it caught its own e-mail address, which had been automatically added to my contacts. I got a “no mailbox found” response for the e-mail.
- I did report the e-mail & URL to the FBI, Google and various laughable government anti-spam efforts. I’m sure the swift arm of the law is right behind me, bringing the wrath of ignorable paperwork and a stern look that professional spammers ignore as effortlessly as morality.
My contacts:
- In triangulating my contacts and bounced/rejected spam messages, a good many of my professional contacts have expired addresses, reflecting a lot of job changing lately.
- I have an absurd number of recruiters in my contacts list after changing jobs in 2007, and those were the majority of the failed deliveries.
- Out of 30-some recruiters, not one had written to say they’d left their previous employment. Where’s the long-term relationship building like other professions?
- I was resubscribed or unsubscribed to a number of newsletters I’d forgotten about, and their messages were kind of cute in their automated confusion of which e-mail I meant to use.
The geek community I mostly spammed:
- Twitter was a much faster alert and apology mechanism than I would have anticipated.
- Quite a few people seem really insulted I unintentionally spammed them, and offered downright rude speculation about me not understanding the basics of mail. Given my career, professionalism and lack of any record of prior e-mail gaffes, I find that out of line. (Thankfully my account can’t send mail and my bitchy responses will never be sent.)
- Most people just want to know what happened and what I did about it (hence this post).
Gmail itself:
- Despite a day of looking around, I can’t find a setting that disables saving your contacts to your address book.
- There is no easy-to-find “export all mail” button in gmail.
- The new contact-management panel sucks compared to the old one, but you can still load the old one.
- There is very little reassuring documentation or steps to rectify a frozen account. There is an e-mail form that lets you indicate the number of hours you’ve been waiting since last reporting your frozen account. You can fill that out to your heart’s content, but there is no message confirming your issue has entered any kind of queue.
- There is nothing in the help documentation about a hacked account over which you still have control. It seems the majority of reported cases are hijacked accounts, not one-time-hacked accounts.
- Google’s help system is not at all reassuring about the security of your other google services when an account is hacked. In fact, there is not one word about how to report or escalate hacked activity in other services. I find that an egregious oversight that now puts me much more toward the school of thought that google’s combined account is a terrifying thing to be feared.
- The help forums are shallow. So are general google searches about hacked accounts.
- Google is in fact of little help when it comes to looking up information about a hacked Google account.
Conclusions
I don’t know if I’ll have to change my central e-mail address. I hope not. Best I can tell, the spambot got unexpectedly lucky getting into my google account and was not written to do much damage at all. It did not try my other google services, and seems to have been a one-instance attack; no other spam hit my poor friends after the first message. Rue the day when someone writes a more intelligent google account spambot, though.
Looking grimly forward
I’m taking the evidence that the attack is over with a big grain of salt and setting myself up to deal with a few more tiers of apologies. I’ve doubled my cross-platform alerts watching my name, accounts, passwords (encrypted) and other cues I think might turn up on spam lists or dictionary-tactic attack lists. I changed most of my major account passwords for my most-visited websites. I’ve got 20-30 tabs about isolating information crossing between google services, and a bunch of other reading lined up.
Any other suggestions about what I should be watching? DM me on twitter.com/tiffehr.
P.S. — Also, it’s worth noting my hacked password was about as secure as it can be, to the limits of what Google supports. Odds of a dictionary crack working are extremely slim, short of using an ancient, foreign-language-friendly OED *plus* some math.