Blog Home  »  Web Application Security   »   Gmail hacked- how to check if your account is safe?

Managed WAF

Starts at $99

Guided onboarding, monitoring of latency, false positives, and DDoS attacks, custom rules, and more

Try Free For 14 Days

Gmail hacked- how to check if your account is safe?

Posted DateSeptember 22, 2014
Author Bio
Posted Time 6   min Read

By Indusface Research Team

As per some reports, Gmail has been hacked and 5 million user names and passwords were stolen from compromised accounts. What does this mean for you? Changing the passwords again? Yup, but more importantly changing, the way you and your customers operate their accounts, the ways in which they hamper their security, consciously or unconsciously, and the ways they can stop doing that.

Google has denied the hack claim and has said that if in case such an event happens, it informs the affected users. “The security of our users’ information is a top priority for us,” a Google spokesperson commented. “We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.”

Google also claimed that the impact of this hack was widely exaggerated and that less than 2% of the username and password combinations might have worked. Google stated in an official blog post, “We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts.”

How to check if your Gmail account was hacked?

Following this hack, a group of programmers came up with a website, Isleaked.com. You can type in your email ID here, and it will tell you if your email is one of the 5 million affected. If you are hacked, the website will show you the first two letters of your password. The developers had initially created this website originally to help people check with the Yandex and Mail.Ru attacks.

To assure people of their honest intentions, developers have offered an option to not put in their complete email ID, but to substitute up to 3 characters with an asterisk. We have tried this, and it works.

But if Google is denying the hack, then why these stories?

There have been more than a few hacking incidents in the past, with Google’s name dragged in. This time, Google has come out with a statement. They have insisted that since no internal systems were breached and illegally accessed, they have concluded that the accounts whose login data were stolen, was due to an individual obtaining usernames and passwords from a malware-infected computer.

This claim is supported by the fact that the information leaked seems to be pulled from much older lists. A large number of leaked passwords are as old as three years. Due to this, the leak is being attributed to a combination of breaches that have happened in the past.

But even though the leaked information is outdated, the majority of the security experts have strongly suggested that users should update their passwords in a regular manner, especially after news of a breach surface.

So whether your Gmail was leaked or not, it is highly recommended to change your password and you should now take advantage of the two-step authentication process provided by Gmail. This means that Google will send you a special code as an additional security measure when logging in. It might sound like a headache, especially when we want everything automated and simple, but it will protect you from the repeated hacks and breaches.

Why are so many accounts being hacked? What should be changed?

More and more social networking websites are coming up. People have tens and hundreds of accounts and every account needs to have a login, username, and password. Some of them even have security questions.

So what do we do? It’s not possible to remember all these details for anyone. Neither are people very familiar with the concept of password managers. Therefore users end up using the same user id and passwords for multiple accounts. The weaker the security control implementation from an account in question, laxer are the passwords set. Essentially, this means that, if an account permits a user to use email ID as a login ID and password, they use it, without spending a thought on their safety. The thought of, “why will anyone hack into my account”, is so profound that we really don’t want to bother with following some basic security measures.

Also, we do not want to check the history of recent activities in our accounts. Gmail, Facebook, etc. provide this facility. You can check from which browser, which city, your account was logged into last…you find suspicious activity, report, and change your password. It’s as simple as that.

So we bring to you some simple steps that one should follow while creating and using an account, to avoid falling a victim of these frequent hacks.

How to keep your account and passwords secure?

  1. First things first. There are multiple sites out there, encouraging you to create an account with them. Social media sites, e-commerce sites, and many more. And the process of creating accounts is becoming simpler- enter your name, email ID, and a password (a simple one, with no major permutation and combination required) and voila, your account is created. And then what happens? You soon forget all about them. Because seriously speaking neither do you need so many accounts nor do you have the time to use them all? But how does this affect your security? You may ask. It does, because you will be sharing your email ID, you will be re-using the same user name and password in a more important account. Id this first account is hacked, the simple task the hacker has to do is search for your name on Google, see all the accounts in your name, and soon s/he will get lucky. Bottom-line: Create accounts only for what websites that you need, and no matter how lax the security measures they are keeping, you should use a strong password.
  2. If a website looks fishy and is offering you a deal too lucrative, to make an account, please avoid it. If it sounds too good to be true, it probably is.
  3. Start using a password manager. No, not all of them are paid. Yes, some of the best ones are free, so you don’t have to worry about keeping all your login details in a shoddy password manager. Read user reviews, choose one, and then use it.
  4. We read it everywhere, tell others about it, but don’t follow. Use unique passwords for all your accounts. Make them a combination of letters in small and upper case, numbers, and special characters and keep them of appropriate length. Use proper combinations. A password fulfilling all the above criteria, “Hello$1234”, is still a weak password. Use random words or words that make no sense and are in no way related to you.No pet, friends, or siblings name, please. Our lives have become so open on social media today, that guessing one of these is a cakewalk.
  5. When keeping security questions for accounts, especially on banking websites that have this feature, lie. Yup, lie. Why? Let me show you: Best friend’s name- can find on social mediaPet’s name- can find on social media Mother’s maiden name- yup still can find Place of birth- Everyone knows that! These are a few examples, you can answer the rest by yourself. But if you lie, how will you remember them? You can copy them on your PC or phone…NO! Never ever save passwords on any device in plain text, encrypt them, always. But what you can do for the problem at hand is, this: Best friend’s name- how about naming the girl/boy you so hated in school! That must be a secret. Pet’s name- Neighbor’s name can work, right? (Sorry! Am just trying to help)Mother’s maiden name- An actress’s name or surname or place name! Place of birth- Put one of the places you always wanted to visit, but not the one you most like. Random, remember.
  6. Two-factor authentication- use it, please. It helps, keeps your account safe, and in case anyone tries to do mischief with your account, you are notified.
  7. Check your ‘recent activities’ history periodically. Anything out of ordinary, change password, dig deeper, and get it fixed.
  8. Do not click on any suspicious links on your social media network, emails, or download any unknown documents. These can download malware on your devices and monitor all your activities in stealth mode.
  9. Do not share your passwords with anyone. You might share it in good faith, the person might take it in good faith, but might not keep it safe enough. The only way for two people to keep a secret is, if one of them is dead, and the only way to ensure that your password is known only to you, is to never share it with anyone.
  10. Change your passwords regularly. Banks force you to do that, other websites don’t, but it’s important that you do this without anyone twisting your arm to make you do so.

 

web application security banner

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

Share Article:

Tags:

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.