Major Security Flaw in Google Accounts

I have just been put through the unfortunate experience of having my Gmail account hacked. I don’t know for sure how they got my original password, but I will discuss that bit and offer some of my lessons learned through this experience at the end of this article. First I want to warn everyone about the huge disappointment I felt at trying to resolve this issue when dealing with Google.

What is your Google Account Worth to You?

First of all, take a second to understand the impact of someone hacking into your Google account. For me, it was huge. I have 4 years of my personal life and business life in that email account, and now some arsehole has access to it all. They know everything about me. Worse than that, numerous websites at which I have created accounts have emailed me my username and password over the years, so they have access to several of my passwords (something I didn’t think about straight away, which came back to bite me on the arse, and which I am still trying to deal with). And more than that, my Gmail account is linked to all of my other Google applications: my YouTube account, my AdSense account, my AdWords account, my Analytics account, my Google search history, my Google Finance account, etc. Every Google account I have was linked to that one email address, and they are all now under the control of a criminal with bad intentions towards me.

That is serious.

The Google Account Tug Of War

So what can you do? You click the “I forgot my password” button, but the hacker has already changed the secondary email address and SMS phone number, so all you have done is let them know that you are aware of them. So you use the obvious option, select “My Account Has Been Compromised”, and end up at the “Contact Us – Accounts Help” form.

Hooray. A solution! A way to get your account back! You fill in the form, answering a series of questions that only the account holder could know the answer to, and you get your account back… right…? Wait a minute: what about someone who has simply had access to the account long enough to collect the appropriate information from it?

Yeah, that’s right. You use this form, and once “someone at Google” (almost certainly software) has checked your answers against the information in your account, you get it back under your control: a password reset link is sent to whatever email address you chose while filling out the form, completely bypassing every security setting in the account. In other words, the recovery form is a second way in that is gated only by knowledge of the account’s details, and anyone who has been inside the account can collect those details. You get back in with your new password and, while you are trying to deal with the damage the hacker has already done, they fill in the form again, and before you know it they have your account back under their control.

I did this three times before I realised what was happening. I mean, the first time it happened, I was trying to figure out how this “hacker” knew my new password so quickly. Did they have a keylogger on my computer? Were they watching my network? Ha. If only the person who hacked my account had such skill… No, it was just a retarded account recovery system that Google has in place, and NO accountability for the uselessness of it all.

The Lack of Support

Here is the real problem with this situation. Remember above, just how IMPORTANT this account is to me? Well, when I found my account had been compromised, all I wanted to do was pick up the phone, call someone and say “HACKER IN MY ACCOUNT, STOP THEM!!!!”. Seriously: private information, financial information, financially contracted accounts and everything else available to this criminal. I think some immediate support should be accessible. But no. You can find a phone number for your local Google office, but you get a message system designed to deal with questions relating to the Google brand, or employment options. There is an option for assistance with Google Mail etc., but when you select that, you get told “Sorry, there is no live support available at this time, please see our online Help Centre”. A help centre which is just a series of articles about how to keep your account secure; not a bit of help once you are stuck in a tug of war with someone who has already compromised your account.

The only option available is the User Forums. Yeah, your whole life on the line, and you can go somewhere and kindly ask a stranger to help you – someone who is not employed by Google, has no access privileges, and essentially no power to actually do anything. But they can talk you through it…

I am not the only person to have suffered through this, as this thread on the help forums shows:

These threads again highlight Google’s complete lack of help or concern about the lax security of its accounts system:

And there are a heap more posts out there by people incredibly dissatisfied with the lack of support (complete lack!) offered by Google when things go bad.

Two Suggestions for Google

So first of all, my suggestions to Google (wouldn’t it be nice if someone listened…)

  1. At least ALLOW a heightened security option in Google accounts.
    • Heightened security should require a code sent by SMS or to the secondary email address before any change to the account’s security information (password, secondary email address, phone number) is applied. Then someone who has your password still needs access to your mobile phone or secondary email address in order to gain COMPLETE control of your account.
    • Not everyone needs heightened security, but some people (like myself) have a LOT riding on their Google accounts and will happily tolerate a little more friction in order to keep their information safe. So make it an option in account settings.
  2. Have a real person step in if an account has had two account recovery forms submitted for it over the course of a few days.
    • Clearly, if a single account keeps having this form submitted for it, then there is a problem. The form is evidently handled entirely by software today. A human comparing the IP addresses of the people submitting the form with the account’s historical IP addresses, together with other evidence (and preferably a free-text “More information” box on the form), could sort this out very easily in most cases, or at least LOCK the account, which is a great outcome for the account owner and much better than leaving a criminal in control.
    • Again, make the number of permitted submissions a personal option in your Google account settings. As it stands, this recovery form is too powerful and needs to be controlled. Ironically, it is also too weak: it is easy for an intruder to change the information in the account and lock out the real owner, and the owner often has no idea how long ago they opened their various accounts, while a hacker would actively seek out exactly this information on gaining access so that they know they can get back in.

I think if just suggestion one were implemented, everything would actually be fine. Having a help desk would be brilliant, but it would be unnecessary if there were two layers of protection. You need the password to get in. You need the mobile phone to change the secondary email address. You need the secondary email address to change the mobile phone. You need one or the other to change the password.

Oh, and just to be clear, I mean you REQUIRE access to the secondary email account and/or phone in order to make changes. I am sick of watching all of my accounts email me to say “Your password has just been changed – you don’t have to do anything, we’re just letting you know”. Thanks. OK, it’s better than not telling me, but simply requiring a verification click would make that email so much more worthwhile, don’t you think?
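
To make the two suggestions concrete, here is a small model of the proposed policy. This is an added example, not Google’s code: the Account, Outbox and channel names are hypothetical, and the SMS/email delivery is a stand-in that merely records what would have been sent. It shows that an attacker who holds only the password cannot change the secondary email address (the code goes to the phone), and that a second recovery form within a few days locks the account for a human instead of issuing another reset link.

```python
"""Model of the step-up policy proposed above (added example, not Google's code).

Rules modelled:
  * changing the secondary (recovery) email requires a code sent to the phone
  * changing the phone requires a code sent to the recovery email
  * changing the password requires a code sent to either
  * a second recovery-form submission within the window locks the account
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


class PolicyError(Exception):
    """Raised when a change is attempted without the required confirmation."""


@dataclass
class Account:                      # hypothetical account record
    password: str
    phone: str
    recovery_email: str
    pending: dict = field(default_factory=dict)         # field -> (channel, code, issued_at)
    recovery_forms: list = field(default_factory=list)  # timestamps of form submissions
    locked: bool = False


# Which recovery channel must confirm a change to each field.
CONFIRM_VIA = {
    "recovery_email": ("phone",),
    "phone": ("recovery_email",),
    "password": ("phone", "recovery_email"),
}


class Outbox:
    """Stand-in for SMS/email delivery (hypothetical); records what was sent."""
    def __init__(self):
        self.sent = []   # list of (destination, code)

    def send(self, destination, code):
        self.sent.append((destination, code))


def request_change(acct, field_name, outbox, channel=None, now=None):
    """Begin a change. The one-time code goes to a channel the attacker does
    not control, so holding the password alone is not enough."""
    if acct.locked:
        raise PolicyError("account locked pending human review")
    allowed = CONFIRM_VIA[field_name]
    channel = channel or allowed[0]
    if channel not in allowed:
        raise PolicyError(f"{field_name} cannot be confirmed via {channel}")
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[field_name] = (channel, code, now if now is not None else time.time())
    outbox.send(getattr(acct, channel), code)
    return channel


def confirm_change(acct, field_name, code, new_value, now=None, ttl=600):
    """Apply the change only when the out-of-band code is presented in time."""
    if field_name not in acct.pending:
        raise PolicyError("no pending change for " + field_name)
    channel, expected, issued_at = acct.pending[field_name]
    now = now if now is not None else time.time()
    if now - issued_at > ttl:
        del acct.pending[field_name]
        raise PolicyError("code expired")
    if not hmac.compare_digest(code, expected):   # constant-time comparison
        raise PolicyError("wrong code")
    del acct.pending[field_name]
    setattr(acct, field_name, new_value)
    return True


def submit_recovery_form(acct, now, max_forms=1, window=3 * 86400):
    """Suggestion 2: a second recovery form inside the window does not issue
    another reset link; it locks the account for a person to look at."""
    acct.recovery_forms = [t for t in acct.recovery_forms if now - t < window]
    acct.recovery_forms.append(now)
    if len(acct.recovery_forms) > max_forms:
        acct.locked = True
        return "locked_for_human_review"
    return "reset_link_sent"


def attacker_with_password_only(acct):
    """Replay the tug of war: the attacker knows the password but not the phone."""
    outbox = Outbox()
    request_change(acct, "recovery_email", outbox)   # code lands on the owner's phone
    real_code = outbox.sent[-1][1]
    guess = "000000" if real_code != "000000" else "111111"  # guaranteed wrong, for a deterministic demo
    try:
        confirm_change(acct, "recovery_email", guess, "attacker@example.invalid")
        return "attacker_changed_recovery_email"
    except PolicyError:
        return "attacker_blocked"


if __name__ == "__main__":
    acct = Account("correct-horse", "+15550100", "backup@example.invalid")
    print(attacker_with_password_only(acct))                    # attacker_blocked
    print(submit_recovery_form(acct, now=0), submit_recovery_form(acct, now=86400))
```

The model assumes the attacker has not also taken over the phone or the secondary mailbox; if both recovery channels and the password sit behind the same reused credential, the step-up buys nothing, which is why the lessons below matter as much as the policy.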

Lessons Learned

  1. Use multiple passwords, divided sensibly
    As stated above, I don’t know how the ‘hacker’ got my password to begin with, but I used this one password far too widely, on many websites where I should not have. So now I have numerous different passwords, and absolutely unique passwords for my vital accounts. Now, if someone steals my password from a second-rate insecure website, they cannot use that same password to get into my vital email and financial accounts.
    I have always had multiple passwords, but they were not divided sensibly. Keep your vital accounts with unique, strong passwords!
  2. Don’t let your email inbox be a password repository
    I have HUNDREDS of accounts online: online forums, email accounts, social media, video sites, photo sites, blog sites, my own websites, my admin accesses, my FTP accounts, etc. It became easy to let my email inbox be my storage method for the passwords to all of these accounts. The problem is that most people do not have a unique password for every single account. So if you sign up at some random online forum with one of your standard passwords, and that forum then ‘kindly’ emails you your username and password (yes, plenty of them do it), then unless you delete that email, a hacker who gets into your inbox now has one of your standard passwords.
    So the advice here is to search your inbox for all of your own standard passwords – and DELETE them all.
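
A way to do that search offline, as an added example that is not part of the original post: export the mailbox (Gmail’s Takeout produces an mbox file) and scan every text part, including HTML bodies, for your own reused passwords. The three-message mailbox below is constructed for the demonstration; the passwords in it are made up.

```python
"""Find (and optionally delete) mailbox messages that contain your own reused
passwords.  Added example, not from the original post.  Assumes an mbox export;
the sample mailbox and passwords below are constructed for the demo."""
import html
import mailbox
import os
import re
import tempfile

# Constructed sample: three messages, two of which echo a password back.
SAMPLE_MBOX = """\
From forum@example.invalid Mon Jan  4 10:00:00 2010
From: forum@example.invalid
To: me@example.invalid
Subject: Welcome to the forum
Message-ID: <1@example.invalid>
Content-Type: text/plain; charset="utf-8"

Thanks for registering! Your username is bob and your password is hunter2.

From shop@example.invalid Tue Jan  5 11:00:00 2010
From: shop@example.invalid
To: me@example.invalid
Subject: Your order has shipped
Message-ID: <2@example.invalid>
Content-Type: text/plain; charset="utf-8"

Order 4711 is on its way.

From photos@example.invalid Wed Jan  6 12:00:00 2010
From: photos@example.invalid
To: me@example.invalid
Subject: Account details
Message-ID: <3@example.invalid>
Content-Type: text/html; charset="utf-8"

<html><body><p>Login: me@example.invalid<br>Password: <b>Tr0ub4dor&amp;3</b></p></body></html>

"""


def write_sample_mbox():
    """Write the constructed mailbox to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def _text_of(msg):
    """All text parts of a message, decoded, with HTML tags and entities removed
    so a password wrapped in <b>...</b> or written as &amp; is still found."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_subtype() == "html":
            text = html.unescape(re.sub(r"<[^>]+>", " ", text))
        chunks.append(text)
    return "\n".join(chunks)


def find_password_leaks(path, passwords, purge=False):
    """Return [(message_id, subject, password)] for every message whose subject
    or body contains one of the given passwords verbatim.  With purge=True the
    matching messages are removed from the mbox."""
    box = mailbox.mbox(path)
    hits = []
    try:
        box.lock()
        for key, msg in list(box.iteritems()):
            haystack = (msg.get("Subject") or "") + "\n" + _text_of(msg)
            for pw in passwords:
                if pw in haystack:
                    hits.append((msg.get("Message-ID"), msg.get("Subject"), pw))
                    if purge:
                        box.remove(key)
                    break
        if purge:
            box.flush()
    finally:
        box.unlock()
        box.close()
    return hits


def message_count(path):
    box = mailbox.mbox(path)
    try:
        return len(box)
    finally:
        box.close()


if __name__ == "__main__":
    path = write_sample_mbox()
    for msg_id, subject, pw in find_password_leaks(path, ["hunter2", "Tr0ub4dor&3"]):
        print(f"{msg_id} {subject!r} contains password {pw!r}")
```

Run it against a copy of the export, not the only copy, and type the password list in at the prompt or read it from an environment variable rather than committing it to a script: the list of everything you reuse is exactly the artefact this exercise is meant to get rid of. Deleting the emails only closes the inbox as a source; the passwords themselves still need changing.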