account hack

[swan_tower]

One of my gmail accounts got hacked. So, first of all, my apologies to anybody who got hit with spam because of me.

Second -- since this is the first time this has happened to me -- tips for what I should do? I've already changed my password, and as I type this, I have a program scrubbing my computer for malware. I don't know if there are things I should do beyond that, though.

Other than find the person responsible and stab them in the face.

Comments

[starlady38.livejournal.com]

I've enabled the two-step verification process for my Gmail account, which involves using your cell phone as a passkey generator. It cuts down on potential hacking by a lot because, as you know Bob, people then need both your phone and your password to get into the account.

[swan-tower.livejournal.com]

Ah, I'd forgotten about that. How much of a hassle is it to deal with? And what are your options if your phone is dead/lost/etc?

[starlady38.livejournal.com]

I haven't found it to be too much of a hassle--you can bind the login to your home browser, or any browser you choose, for 30 days at a time. You also get 10 burner codes to use when you set it up for if your phone is lost or dead or whatever, I wound up using them while I was in Japan. And in any case, I find that the slight delay is worth the extra peace of mind.

[swan-tower.livejournal.com]

I didn't activate that immediately because it sounded like a pain, and I'd never had a problem with my accounts being hacked.

. . . well, that second part has changed, now. >_<

[aulus-poliutos.livejournal.com]

But there are still some peoppe like me, who don't have a cell phone and don't plan to get one. So I could not contact you via email?

[starlady38.livejournal.com]

I don't understand your question. Two-step verification has to do with logging in to one's email account, not receiving email from other people.

[rosefox]

Change any answers to your lost-your-password identification questions (e.g. mother's maiden name) as the hackers may have changed them so they can get back in even after you change your password.

[cepetit.myopenid.com (from livejournal.com)]

I'm going to recommend something completely radical:

Don't use a web browser to connect to Gmail, except when you're changing settings.

Ever.

Use an actual e-mail program, like Thunderbird (http://www.mozilla.org/en-US/thunderbird/), that connects intermittantly, pulls your data to the computer/device you're using (and can be set up, easily, to leave messages available to other devices), and then logs off.

Not to mention that Thunderbird's method of organizing your e-mails is fastly superior to, and more flexible than, Gmail's... and provides an additional layer of protection against both spam and viruses/phishing.

The biggest problem with the web interface to Gmail is that people tend to leave it active, instead of logging out when not actually interfacing with the mail -- which leaves lots and lots of opportunities for attacks that will act like hacking the account, even if many picky communications security people would say that it's the connection, and not the account, that got "hacked."

One of my occupational hazards is that the IWTBF crowd constantly attacks my e-mail and website looking for a way in to discredit me. It's a bit less frequent now -- down to twice a month from daily -- but I can still see it in the server logs. They've never succeeded against the publicly well-known Gmail account I use, even though the only additional "security device" I've used, aside from periodic password changes, has been using an e-mail client instead of the web interface.

[tapinger.livejournal.com]

If you opened any other accounts using that e-mail address, it's probably a good idea to change those passwords too and make sure they're still set to use one of your e-mail addresses. (Otherwise it's possible someone could have clicked "I forgot my password" and taken them over, unless there are other layers of security involved like lost-password-verification questions.)

[silvergryphyn.livejournal.com]

One way to limit damage (i.e. used the same email and/or password other places as well) from this kind of thing is to use a formula for your passwords. This also assumes that you want to be able to remember them yourself rather than letting a password manager make up insane non-remember-able passwords.

1) Pick a base that has numbers are letters that means something to you. I'll use smg196 for this example

2) Pick a special character (be aware that sometimes you'll have to leave this out because website operators are stupid). I like !, so now we have smg196!.

3) Then use the first 3 letters (or the last 3 letters) of the website that the password is for and capitalize the first letter (or put the capital in the base as long as there's one somewhere).

Amazon: smg196!Ama or smg196!Zon
Yahoo: smg196!Yah or smg196!Hoo
Google: smg196!Goo or smg196!Gle

And so on. Occasionally you'll get a duplicate because the first 3 letters are the same but I've only had that happen twice so far. Complicated but easy to recreate on the fly.

Good luck!