Geekzone: technology news, blogs, forums


Horseychick

150 posts

Master Geek
+1 received by user: 80


#207896 18-Jan-2017 15:46

Herald reporting Gmail hacking - http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11784422

 

I don't usually trust their reporting so has anyone experienced this yet or think it sounds correct?


sidefx
3775 posts

Uber Geek
+1 received by user: 1295

Trusted

  #1705304 18-Jan-2017 15:50

Erm... so apparently these so called "experienced technical users" don't have 2FA turned on?  And happily enter their credentials into a popup that opens after clicking an email attachment.  I'd suggest these "experienced technical users" are in fact neither experienced nor technical.





"I was born not knowing and have had only a little time to change that here and there."         | Octopus Energy | Sharesies
              - Richard Feynman




timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #1705318 18-Jan-2017 15:54

I'm a very experienced technical user who does quite a bit of security work. I don't have 2FA turned on for Google because I find it a PTA and continual prompting for credentials gets annoying. I have 2FA on for AWS, Amazon, and a few other things. So I don't think it's fair that no 2FA = idiot.

 

I should probably turn it on though, and I will if someone can tell me Google / Gmail doesn't constantly prompt for it.


richms
29098 posts

Uber Geek
+1 received by user: 10209

Trusted
Lifetime subscriber

  #1705319 18-Jan-2017 15:55

I have it turned on and the only time I get re-prompted is if I clear cookies or use a new browser or phone. What is annoying is crap apps on the phone that use their own in-app browser to do the OAuth connection to things - mainly Facebook I get that issue with but have seen it on my Google account once.





Richard rich.ms



Behodar
11095 posts

Uber Geek
+1 received by user: 6074

Trusted
Lifetime subscriber

  #1705323 18-Jan-2017 15:57

timmmay: I find it a PTA and continual prompting for credentials gets annoying.

 

Bingo. I turned it on for my Apple account, then turned it back off again after getting prompted every single time I tried to get into my account from the same computer on the same static IP address.


mattwnz
20515 posts

Uber Geek
+1 received by user: 4795


  #1705324 18-Jan-2017 15:57

timmmay:

 

I'm a very experienced technical user who does quite a bit of security work. I don't have 2FA turned on for Google because I find it a PTA and continual prompting for credentials gets annoying. I have 2FA on for AWS, Amazon, and a few other things. So I don't think it's fair that no 2FA = idiot.

 

I should probably turn it on though, and I will if someone can tell me Google / Gmail doesn't constantly prompt for it.

 

 

 

 

Like you I don't have it on for Gmail, as it is a PITA, although I do for things like LastPass. But perhaps it is time to use it, as the whole login system of logging in is outdated and has security issues, and belongs in the past. There needs to be a new system.


sidefx
3775 posts

Uber Geek
+1 received by user: 1295

Trusted

  #1705325 18-Jan-2017 15:58

Mine prompts on a login from a new device, but pretty much every time I tick the "do not prompt for this device again" option and it doesn't do it again for that device\browser.

 

 

 

( But would you also put your gmail credentials into a popup that opened after clicking an email attachment? :) )





"I was born not knowing and have had only a little time to change that here and there."         | Octopus Energy | Sharesies
              - Richard Feynman


 
 
 

Oblivian
7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

  #1705350 18-Jan-2017 16:33

Given I was sent an email the other night that 'Someone has my password'

 

And in my security logs stated a device from Sweden had used my credentials but been blocked. Needless to say 2FA was enabled. No phishing etc however, so god knows how they got it. Other than possibly of my apps being reported as logging in with it that have google acct login permission


mattwnz
20515 posts

Uber Geek
+1 received by user: 4795


  #1705352 18-Jan-2017 16:37

Oblivian:

Given I was sent an email the other night that 'Someone has my password'


And in my security logs stated a device from Sweden had used my credentials but been blocked. Needless to say 2FA was enabled. No phishing etc however, so god knows how they got it. Other than possibly of my apps being reported as logging in with it that have google acct login permission



It is these apps that want you to log into them via Gmail which I suspect are the problem. 2FA is a pain though when your 2FA device decides to die, which happened to me recently.

timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #1705353 18-Jan-2017 16:40

Well I turned Google 2FA on, and so far not too much trouble. Thunderbird/Outlook/Email clients need an app password (phone, tablet, work computer, etc), which you get from the Google security console. So far less annoying than expected.


sidefx
3775 posts

Uber Geek
+1 received by user: 1295

Trusted

  #1705359 18-Jan-2017 16:48

Gmail is probably the most important service for me to protect - it's literally the master for most of what I do. If my gmail got pwned they would have the details of almost every other online service I use, and the ability to reset the passwords on many of them.  I definitely want as much protection on it as I can get :)





"I was born not knowing and have had only a little time to change that here and there."         | Octopus Energy | Sharesies
              - Richard Feynman


sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1705392 18-Jan-2017 18:27

Horseychick:

 

Herald reporting Gmail hacking - http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11784422

 

I don't usually trust their reporting so has anyone experienced this yet or think it sounds correct?

 

 

It came from the Daily Mail. Nuff said.

 

 


 
 
 

andrewNZ
2487 posts

Uber Geek
+1 received by user: 1461
Inactive user


  #1705397 18-Jan-2017 18:42

Oblivian:

Given I was sent an email the other night that 'Someone has my password'


And in my security logs stated a device from Sweden had used my credentials but been blocked. Needless to say 2FA was enabled. No phishing etc however, so god knows how they got it. Other than possibly of my apps being reported as logging in with it that have google acct login permission


I got one of these for one of my accounts, (device based in the US). No 2FA but it was still blocked. The account affected isn't my primary account, so I wasn't too concerned.

PaulBags
809 posts

Ultimate Geek
+1 received by user: 184
Inactive user


  #1705404 18-Jan-2017 18:54

That's not hacking, it's phishing.

SepticSceptic
2263 posts

Uber Geek
+1 received by user: 779

Trusted

  #1706330 20-Jan-2017 11:20

Cool, let's click on links in email attachments, and then enter our Gmail user and password details into the popup.

 

 

 

Something that neither an experienced nor a technical user would do. If they do, then they are neither. And stupid.

 

Muppets on Computers. Actually, that's probably insulting muppets. I like muppets.

 

 









