At first, I thought it was funny. Here’s a friend sending me a goofy e-mail about being stuck in Nigeria and needing cash. Ha ha. Nice joke. So, I replied with a similar message about being in a South African prison and needing money to bribe the guards.
Well, it turns out that it wasn’t a joke. No, she’s not trapped in Nigeria, but instead the e-mail that came from her Gmail account was from a hacker. Apparently, many Gmail accounts have been hacked into. D’oh!
I’m relatively computer savvy, and I always pay suspicious attention to e-mails that seem to come from friends and relatives on other e-mail accounts. Yet, somehow, I was blindsided by this. Somehow, I thought Google was above being hacked or something? Sheesh.
Of course, this goes way beyond a simple prank e-mail. Thanks to Google’s insistence that you never need to delete anything and the convenience of having all your stuff accessible online, most people have years worth of e-mails in their archive folder. Emails with bank account numbers, usernames, passwords, other e-mail addresses, friends and family names and numbers and addresses… My friend immediately went to her eBay and Paypal accounts and, sure enough, there was unauthorized activity using her Gmail address.
So, here’s what you need to do (immediately):
- Change your Gmail password to something stronger than your cat’s name.
- Install PwdHash to encrypt your password everywhere online!
- Always use Firefox and install the CustomizeGoogle add-on. This add-on has a cool option to make sure you’re always accessing Gmail using a secure (https) connection.
- Remember (or change) your secondary email address or your security question in Google, so that you have a way back into your account when the hackers change the password.
- Backup your Gmail account data.
- Never archive emails that contain passwords or other sensitive data. Clean up the trash bin of those too!
There are some other good suggestions (and horror stories) in this thread.
Yikes, scary. I got that same email you did, and I was going to email said friend asking what was up but it slipped my mind. Thanks for the heads up! I have a lot of info in my Gmail account, I’d be screwed if it got hacked.
I got that email too and thought it was some kind of blog meme I missed out on.
Scary.
This security problem is the main reason I still won’t use an online email service like Yahoo or Google. Although I know my email program may not be the most secure method, the simple fact that it is a single account which is not always on and available for hack attempts, that it is less tempting than a central database of thousands of email accounts for the ‘bad’ guys.
You might want to try using Thunderbird for email and always reading email in plain text. It’s not foolproof, but it’s a little more secure than accepting HTML email.
This sure seems like an awful lot of work to use the intenets…
Hey Solly!!!
Honestly, people… any email program can be hacked at any time. Some are tougher than others to crack.
When you use Gmail and your pwd is the name of your spouse, which you use all the time on your blog, and then all your passwords are the same, then sure, this is going to happen.
My favorite was the git in the comments whose hacker was also able to get to their PayPal account.
I think of things like this as a stupid tax.
If folks aren’t sure how to generate strong passwords, online services like PassPack are more than happy to generate them for you.
in defense of said friend (ok, it was me), my pword wasn’t my spouse’s name or anyone’s name in particular, but a nonsense jumble of letters and numbers. which is exactly what we’re supposed to use.
the hackers accessed my Gmail account through a security hole – gmail users aren’t directed to a secure login. so the haxxorz used a cookie-sniffing script and lifted my username and pword as i logged in. they then logged in as me, changed the password, and wreaked havoc.
i’m sorry to anyone who got one of those crazy phishing mails with my name on it. i’ve been trying to email all friends separately to explain and apologize, but it is turning out to be a very long and dirty job.
That was meant to be a general statement to not use weak passwords, not directed at the victim of said hack (ok, it was you).
Good info to know, thanks for passing it on.