I was awoken by the sound of an incoming text message on my phone at around 4:22 a.m. on December 15th. Nobody had any reason to send me a text message that early in the morning. It was a message from Yahoo!, telling me that one of my Gmail addresses had been removed from my Yahoo! account. Puzzled and figuring it was some error, I went back to sleep. Come morning, I flipped open my laptop to check my e-mail before heading into work. I entered my username and password only to be rejected. I tried a couple of my secondary accounts, but they didn’t work either. A search on Twitter showed no complaints about Gmail being down. This was not ordinary.
Figuring that this was some sort of fluke, I decided to hurry into work to see if any of my coworkers were having issues with Gmail as well, although I was already starting to fear the worst. Unfortunately, my worst fears were confirmed when I made it into the office – my Gmail accounts had been stolen.
I lost all of my Gmail accounts: personal address, a secondary address that I used for signing up for online accounts and newsletters, and even firstname.lastname@example.org which I never used for anything.
Twitter was taken over, which was very amusing because I somehow managed to stay logged into the account while it had been taken. I saw the e-mail address it had been switched to, but I couldn’t change it because I didn’t have the new password. But at this point I was completely convinced that my online identity was under attack.
The race was on against the hacker/hijacker. I made a giant list of all the sites that I used on a regular or semi-regular basis and switched out my e-mail addresses and passwords. It was even more ironic considering how very pro-web I am, and I do as much online billing and banking as I possibly can. I’m usually one to just shrug off privacy concerns figuring all of my information is easily accessible anyway.
Google has an account recovery form that I used to recover my personal and secondary accounts. Their turnaround was very fast too, somewhere around 10-20 minutes. I regained access to my personal e-mail address early on and was very relieved, but my secondary account was the one I used to sign up for everything, and I was having trouble proving that it was my account.
In the end, none of my financial accounts were compromised. The final tally of stolen accounts: All my Gmail addresses, Twitter, GoDaddy, and Steam.
GoDaddy I was able to recover with a phone call, and luckily I had the expired credit card that I used to make the last payment over a year ago.
Twitter came back a day later after I submitted a support form. Steam also took me about a day. The amusing aspect of my Steam account being stolen was that it looked like whoever stole it either played Counter-Strike for seven hours, or sold my account off to someone else. Whoever it was tried to “recover” the changed password after I regained control. Suckers.
In my secondary e-mail account, I found “password recovery” e-mails for PayPal and eBay, neither of which was compromised. PayPal apparently requires a phone call to the account holder to confirm any changes, and eBay somehow knew that my password had been compromised, and scrambled it for my own security. Props to them.
Lessons learned from all of this: I changed my password to something much more secure. My old password was something very dumb, and I’m hoping that’s enough for the time being. I have heard great things about 1Password to manage passwords, but the fact that it is only on OS X sort of hinders my usage.
All of my accounts have been switched over to my personal e-mail address too. Not my preferred method, but after the trouble I went through to recover the secondary e-mail account, I figured it would be a lot easier in the future if this were to happen again.
I have a few of the IP addresses that the hijacker used thanks to Gmail’s “Activity on this account” feature, but they trace out to different locations in Sweden/Spain/Germany, and I figure they must be fake.
I received an @ reply on Twitter the next day from this account: https://twitter.com/clauderenaud. I have no idea what it’s implying or if it’s the hacker mocking me. Very strange.
For anyone curious, I had to update 57 accounts.