Tuesday, February 9, 2010

Google Account is Hacked

Do you have a Google Account?

Nowadays a Google Account is as important as any other account, mostly to secure our personal data and social relations, especially when we use a wide variety of applications like Gmail, Docs, Blogger, Photos and Orkut. It is also a single sign-on application, and you integrate it with other third-party applications like Facebook, Twitter and LinkedIn using your Gmail ID as your user ID or communication ID.

My friend was unable to access his Gmail and Google Apps accounts today; even though he requested "forgot password", he didn't receive any communication at his secondary email. The interesting part is that, after seeing some porn on his profile, he found that the "account is hacked". The hacker managed to log into Gmail and changed the secondary email for that account. As the same mail ID is used for other applications like Facebook and Twitter for communication, he requested "forgot password" in those applications, took control over them too and started posting hell through them. To get assistance from Google, my friend couldn't establish enough identification with them. He very much uses social networking sites to communicate with some of his friends and clients.

My friend is in a situation where he is unable to block the hacked account or get access back to that account. The worst thing is the damage to his relations with people on his professional and personal networks. Your identity on the social web (Twitter, Facebook, Blogger, etc.) and, most important, your online business are not in your hands anymore. This is a pathetic situation where you don't have any control except watching the show.

After a lot of googling and binging I remembered a quote in Telugu, "Chethullu kaalinaaka aakulu pattukodam vrudaa", which means: it is a waste to catch green leaves after the hands are burned.

Here are lessons learned and tips that might prevent your Gmail and other Google Accounts from getting hacked.

Many of us frequently receive "password assistance" emails with a link to reset the password. Don't ever follow such links.

How were the Google Accounts hacked?

There is not much you can guess if the culprit is a professional who enjoys exploring the web for vulnerabilities, but below are some possible reasons.

Use a fairly strong password so that it is tough for someone to guess that string. And since you got a password reset email request in the first place, the possibility that the password was cracked can be safely ruled out.

Don't use Gmail from any public terminal (so you are safe from password-stealing key loggers) and never click on links that may point to a fake Google login page (so no phishing attack either). You cannot associate a "security question" with non-Gmail Google accounts, so the possibility that the "security question was weak" is also ruled out.

How to Protect your Gmail & Google Accounts

courtesy: www.labnol.org

#1. Log in to your Gmail / Google Account and associate a phone number. This is useful because you'll then receive an SMS text message whenever someone tries to recover your Google password.


#2. Create a new email address (on, say, Yahoo! Mail or Gmail itself) and set this as the secondary email address for your existing Gmail and Google Accounts. Check for emails on this new account manually or through a desktop client via POP3 / IMAP, but do not enable auto-forwarding on the new email address, as that would defeat its original purpose.


#3. Take a paper and write down the following information about your Google Account. You will need this to verify your identity to Google in case someone else takes over your Google Account and the secondary email address associated with your account.

  • The month and year when you created your Gmail / Google Account. You can look at the last page of your Gmail Inbox (or go to Sent Items) to get an approximate idea of the date when you created the account.
  • If you created a Gmail account by invitation, write the email address of the person who first sent you that invite for Gmail. Use a search query like "in:all has invited you to open a free Gmail account" to find that invitation email.
  • The email addresses of your most frequently emailed contacts (the top 5).
  • The names of any custom labels that you may have created in your Gmail account.
  • The day/month/year when you started using various other Google services (like AdSense, Orkut, Blogger, etc.) that are associated with the Google account that you are trying to recover. If you’re not certain about some of the dates, provide your closest estimate*.

[*] For Analytics, look at the first date when it started collecting stats for your website(s). For Orkut, look at the last page of your scrapbook. For AdSense, you may take the help of your AdSense account manager.

#4. It goes without saying but do not use the same password for your main Google / Gmail account and your secondary email address.


#5. If you access Gmail and other Google services over a Wi-Fi network, make sure that you always use the secure URLs like https://gmail.com. Go to Gmail settings and set ‘Browser Connection’ to ‘Always use https.’ This might make your Gmail access a bit slower but your account will be more secure.


#6. Once in a while, do refer to that little line in the footer section of your Gmail Inbox that shows the different IP addresses from where your account is being accessed. If you find an unknown IP address, change your Google password immediately. The person who hacked my Gmail accounts configured them with his Hotmail account so he could effectively read all my email communication remotely from his Hotmail inbox without ever logging into my Google account again. I could figure that out only after I saw an IP address from a Microsoft server in my Gmail activity log.
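The check in #6 can be automated. The script below is an added example (not code from this post or from labnol.org): it parses a small activity log in a pipe-separated layout that is assumed for illustration rather than copied from the real Gmail activity page, compares each IP against networks the account owner recognises, and reports any unfamiliar IP together with the access types (browser, POP3, IMAP) that used it. The sample entries and the "known" networks are constructed from the RFC 5737 documentation ranges.

```python
"""Flag unfamiliar IP addresses in a Gmail-style 'recent activity' log.

Added example, not from the original post or labnol.org. The line layout
(access type | location | IP | timestamp) is an assumption for this demo;
the entries and the "known" networks are constructed, not real data.
"""
import ipaddress
import re

# Networks the account owner recognises (constructed: documentation ranges).
KNOWN_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # assumed: home ISP range
    ipaddress.ip_network("198.51.100.0/24"),  # assumed: office range
]

# Constructed sample of the activity log: access type, location, IP, timestamp.
SAMPLE_LOG = """\
Browser  | India (Hyderabad)       | 203.0.113.17  | Feb 9, 2010 08:12 IST
Browser  | India (Hyderabad)       | 198.51.100.5  | Feb 9, 2010 10:40 IST
POP3     | United States (Redmond) | 192.0.2.44    | Feb 9, 2010 11:03 IST
Mobile   | India (Hyderabad)       | 203.0.113.9   | Feb 9, 2010 12:30 IST
IMAP     | United States (Redmond) | 192.0.2.44    | Feb 9, 2010 14:15 IST
"""

LINE_RE = re.compile(r"^\s*(\S+)\s*\|\s*(.+?)\s*\|\s*(\S+)\s*\|\s*(.+?)\s*$")


def parse_activity(text):
    """Return one dict (access, location, ip, when) per well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of failing
        access, location, ip, when = m.groups()
        entries.append({"access": access, "location": location, "ip": ip, "when": when})
    return entries


def is_known(ip_str):
    """True if the address falls inside one of the recognised networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # a malformed address is never treated as known
    return any(ip in net for net in KNOWN_NETWORKS)


def unknown_access(text):
    """Log entries whose IP lies outside KNOWN_NETWORKS, in log order."""
    return [e for e in parse_activity(text) if not is_known(e["ip"])]


def summarize(text):
    """Group unknown accesses by IP and list the access types seen from each.

    POP3/IMAP from an IP you do not recognise matches the remote-fetching
    pattern described in the post and deserves an immediate password change.
    """
    by_ip = {}
    for e in unknown_access(text):
        by_ip.setdefault(e["ip"], set()).add(e["access"])
    return {ip: sorted(types) for ip, types in by_ip.items()}


if __name__ == "__main__":
    for ip, types in summarize(SAMPLE_LOG).items():
        print(f"unknown IP {ip} accessed the account via {', '.join(types)}: "
              "change the password and review POP/IMAP and forwarding settings")
```

Run it against your own copy of the activity page after adjusting the line regex to the real layout and putting your own networks in KNOWN_NETWORKS; the point is that mail-fetching protocols from an unfamiliar address stand out even when the attacker never logs in through the browser again.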


#7. You should also consider copying emails from Gmail to another service (like Yahoo! Mail or Hotmail – it is effortless) so when your Gmail account is compromised, you at least have access to all your previous emails. Or you can configure a desktop email client like Outlook or Thunderbird with your Gmail account (via POP3 or IMAP) and thus you’ll have an automatic offline backup of your Gmail Inbox.
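For readers who would rather script the offline backup in #7 than configure Outlook or Thunderbird, the following is an added example (not code from this post or from labnol.org). It fetches messages over IMAPS from imap.gmail.com and appends them to a local mbox file; the fetch requires network access and IMAP enabled in Gmail settings, while the mbox-writing part is exercised here with two constructed sample messages so it runs without any connection.

```python
"""Offline backup of a Gmail folder into a local mbox file.

Added example, not code from the post or labnol.org. Assumes IMAP is
enabled in Gmail settings and imap.gmail.com:993 is reachable for the
network step; SAMPLE_MESSAGES below are constructed for the offline demo.
"""
import email
import imaplib
import mailbox
import os
import tempfile


def save_messages(raw_messages, mbox_path):
    """Append raw RFC 2822 messages (bytes) to an mbox file; return the count added."""
    box = mailbox.mbox(mbox_path)
    try:
        for raw in raw_messages:
            box.add(mailbox.mboxMessage(email.message_from_bytes(raw)))
        box.flush()
    finally:
        box.close()
    return len(raw_messages)


def subjects_in(mbox_path):
    """Read the mbox back and return the Subject of every stored message."""
    box = mailbox.mbox(mbox_path)
    try:
        return [msg["Subject"] for msg in box]
    finally:
        box.close()


def fetch_all(user, password, folder="INBOX"):
    """Yield every message in `folder` as raw bytes over IMAPS (network required).

    This is the step a desktop client performs for you; the folder is opened
    read-only so the backup never changes state on the server.
    """
    conn = imaplib.IMAP4_SSL("imap.gmail.com", 993)
    try:
        conn.login(user, password)
        conn.select(folder, readonly=True)
        _, data = conn.search(None, "ALL")
        for num in data[0].split():
            _, parts = conn.fetch(num, "(RFC822)")
            yield parts[0][1]
    finally:
        conn.logout()


# Constructed sample messages so the backup step can be demonstrated offline.
SAMPLE_MESSAGES = [
    b"From: alice@example.com\nTo: me@example.com\nSubject: Invoice\n\nAttached.\n",
    b"From: bob@example.com\nTo: me@example.com\nSubject: Lunch?\n\nNoon?\n",
]


def demo_backup():
    """Write the constructed sample into a temporary mbox and read it back."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    os.close(fd)
    try:
        count = save_messages(SAMPLE_MESSAGES, path)
        return count, subjects_in(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # For a real backup: save_messages(fetch_all("you@gmail.com", "password"), "gmail.mbox")
    print(demo_backup())
```

Keep the resulting mbox file somewhere the compromised account cannot reach (a local disk, not a folder synced through the same Google account), otherwise the backup offers no protection when the account is taken over.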


#8. Do a test run. Log out of all your Gmail / Google Accounts and initiate the password recovery process for each one of them using this form. This will help you make sure that your SMS settings and secondary email addresses are configured correctly.


For Google Apps users


#9. You should always have a public email address on your website that others can use to contact you directly. This public email address will also help people find and connect with you on social networks like Facebook, LinkedIn, etc. However, you should make sure that you don't give administrative privileges to this email address in Google Apps, because if someone hijacks this account, he will effectively take over your Google Apps domain. Create a new user in Google Apps as an administrator and never share this username with anyone else.


#10. If you have lost access to your Google Apps dashboard, you'll have to create a new CNAME record pointing to google.com to verify that you are the actual owner of that web domain. To reset the password for the administrator of your Google Apps domain via your domain hosting company, the URL is:


https://google.com/a/cpanel/xyz.com/VerifyAdminAccountPasswordReset

[*] Replace xyz.com with your own domain address.