One of the downsides to being away and very busy for a long time is that you don’t get to read any news online. On December 15th, amidst the frenzy of a very busy time, I received an email from Google saying that someone had my password.
At first I was very skeptical about this email. The reason I was skeptical was that it was quite impossible for anyone to have the password of that email account. It was a 15+ digit password. The only way they could have it was if they had installed a keylogger on one of my devices. I mean, come on, how much computing power do you need to crack such a password? Kaspersky says it would take 44 centuries to crack my password with a single PC.
So, the first stage was that of denial. This must be a phishing email.
As I looked at the email closely, though, and logged directly into Google to check the security incidents, it was beyond doubt that someone had attempted to log into my account with my password. Lol? “My email was hacked,” I whispered with disbelief in the office. I don’t think anyone believed me, but I couldn’t believe it myself.
Google had prevented the login, so whoever had my password didn’t really get access to the email (?), but I couldn’t log in myself now. I had to get back to work really fast, so I just reset my password, created a 25+ digit one and logged myself out of all devices. I wanted to investigate later but I … forgot. I was extremely busy at that time, without a computer and with almost no free time, so after changing my password my mind was put at ease and I forgot all about it.
A week after that, when I returned home, I found out about the latest big Yahoo hack but didn’t think much of it. We have become used to Yahoo hacks lately… It turns out, though, that this one was different. I checked my Yahoo email on haveIbeenpwned.com and it didn’t give any positive results. So, I was certain that my email had not been part of the 1 billion account hack. But maybe I was wrong. Maybe it was just not in the website’s database yet.
On the 24th of December, finally with a bit of peace and quiet, I managed to read more security news and investigate. I logged into my Yahoo account and found an email from Yahoo dated the 15th of December. The email did not explicitly state that my account was involved in the hack; it was only a general email sent to everyone. But the date of that email was the same as when my Gmail account was (according to Google) hacked, and the Gmail account was the recovery account for Yahoo.
A mystery?
Indeed.
I did consider that maybe this incident was caused by VPN, but I am 99.99999% sure that I didn’t log in via VPN or Tor on any of those days.
Out of all things I have done to protect my emails, there is one that I consider the best opsec practice ever and totally worth the time I invested into doing it:
A couple of months ago, I EMPTIED all my main Gmail accounts of emails dating up to ten years back. I made local backups of the very few emails I needed, and DELETED the rest. Not an easy thing to do, particularly if you have thousands of emails online. But it was totally worth the time. You see, with all the hacks that are occurring on a daily basis in the whole world, there are no guarantees of absolute security. In fact, there are fewer guarantees of security than we had a few years ago. How can you protect your emails in a world where nobody uses encryption? Of course, this method does not protect you from nation-state actors, who probably have access to Google itself, but at least it protects you from random hackers.
Was it a real hack? Did they really have my password? What does the Gmail email really mean? Was there a relation between the Yahoo and Gmail hacks? I did have completely different and strong passwords for both. Questions that remain unanswered and will probably remain unanswered forever.
UPDATE:
After messing with my email settings for some time, I think I have solved the mystery. No one has my passwords… Here is why we should not believe Google and why a coincidence is not proof enough of a hack…
I have POP3 retrieval activated on my emails. Several Gmail accounts are being retrieved by a single account. That means that the primary Gmail account needs to use login information for the other accounts each time it checks for new emails. So where is Google when it checks for these emails? Apparently, in the US. Apparently, Google detected its own activity as suspicious.
Why am I so certain about this? Well, I had just deactivated access from insecure devices but didn’t know that included POP3. As I tried to retrieve POP3 mail from the primary account, I received another Google email telling me that they had blocked a login attempt by a blocked device. The IP was from the US. The truth is that this incident is not listed in the security incidents list.
The fact that the IP of MY login attempt is listed as a US one, though, makes me think that it is very likely there was a glitch in the POP3 retrieval that led to the Google “Someone has your password” incident. Nobody can have my password, unless they have come back from the future. 44 centuries…
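The situation described above (a provider’s own mail fetcher signing into a secondary mailbox from a data-centre IP, and that sign-in surfacing as a “suspicious” alert) is easy to triage if you record which of your accounts are polled by which fetcher and over which protocol. The script below is an added example, not code from the post: it classifies sign-in events as either explained by a known fetch configuration or unexplained, and keeps only the latter for investigation. The account names, IP addresses and the fetcher network ranges are constructed values; a real deployment would substitute the provider’s published fetcher ranges, which this example does not know.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignInEvent:
    """One sign-in record as it might appear in an account's security log."""
    when: datetime
    account: str        # mailbox that was signed into
    source_ip: str
    protocol: str       # "pop3", "imap", "web", ...


@dataclass(frozen=True)
class FetchRule:
    """One 'fetch mail from another account' configuration on the primary mailbox."""
    target: str         # secondary mailbox that the primary account polls
    protocol: str       # protocol the fetcher uses to do the polling
    fetcher_nets: tuple # CIDR ranges the fetcher is expected to come from (assumed)


def _in_nets(ip: str, nets: tuple) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in nets)


def classify(event: SignInEvent, rules: tuple) -> str:
    """'own-fetch' if a fetch rule explains the event, otherwise 'unexplained'.

    An event is only attributed to a fetcher when all three facts line up:
    the mailbox is one that is polled, the protocol is the polling protocol,
    and the source address sits inside the fetcher's expected networks.
    """
    for rule in rules:
        if (event.account == rule.target
                and event.protocol == rule.protocol
                and _in_nets(event.source_ip, rule.fetcher_nets)):
            return "own-fetch"
    return "unexplained"


def triage(events: list, rules: tuple) -> list:
    """Return only the sign-ins that the fetch configuration does not account for."""
    return [e for e in events if classify(e, rules) == "unexplained"]


# Constructed configuration: the primary account polls one secondary mailbox over POP3,
# and the fetcher is assumed to come from the 198.51.100.0/24 documentation range.
RULES = (
    FetchRule("secondary@example.com", "pop3", ("198.51.100.0/24",)),
)

# Constructed sign-in events: two hourly POP3 polls from the fetcher range, then a
# web sign-in from an address that no fetch rule covers.
EVENTS = [
    SignInEvent(datetime(2016, 12, 15, 9, 0), "secondary@example.com", "198.51.100.7", "pop3"),
    SignInEvent(datetime(2016, 12, 15, 10, 0), "secondary@example.com", "198.51.100.9", "pop3"),
    SignInEvent(datetime(2016, 12, 15, 11, 30), "secondary@example.com", "203.0.113.42", "web"),
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event.when.isoformat(), event.source_ip, event.protocol, classify(event, RULES))
    print("needs a look:", [e.source_ip for e in triage(EVENTS, RULES)])
```

Only the web sign-in from 203.0.113.42 survives triage; the two POP3 polls are attributed to the fetcher even though their addresses are nowhere near the account owner, which is exactly the geolocation mismatch the update describes. Requiring the protocol to match as well as the address stops a web or IMAP sign-in from the same data-centre range from being waved through.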