Someone has your password Google

‘Someone Has Your Password’ Phishing Scam Emails

Inboxes are currently being hit by emails that claim that “someone has your password”.

The emails, which have the word “google” in the sender field, warn that access to your account will be suspended if you do not reply within 24 hours.

However, the emails are certainly not from Google and the claim that your email account will be suspended if you don’t reply is a lie.

In fact, the emails are crude phishing scams designed to trick vulnerable users into sending their account login credentials and other sensitive personal information to online criminals.

Here’s an example of one of the scam emails:

From: g o o g l e
Subject: Someone has your password
It is required that you reply within the next 24 hours, We will suspend access to your account if we don’t recieve your reply with in the given time frame, We would appreciate your immediate attention to this matter

If you reply as instructed, you will likely receive a follow-up message that asks you to send your password as a means of verifying your account. The email may also ask for other identifying personal information, ostensibly as part of an account validation process.
If you comply by sending the requested information, the criminals can then use your credentials to hijack your email account and any other linked services that use the same login.

Moreover, once the criminals have you on the hook, they may send further messages that demand that you hand over even more of your personal and financial information. The criminals may use this information to steal your identity.

Keep in mind that no legitimate email service provider will ever ask you to send sensitive information such as account passwords by replying to an email. Any such request should be treated with immediate suspicion.

If you receive one of these emails, do not reply and do not open any links or attachments that it may contain.
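The tells listed above (a display name that merely spells out the brand, a sending domain that is not Google's, failed SPF/DKIM results, a 24-hour deadline and a request to reply with account details) can be checked mechanically before a message ever reaches a user. The following script is an added example, not code from the original article: it parses a raw RFC 5322 message and reports each indicator it finds. The two sample messages, the domains `scammer.example` and `example.net`, and the `Authentication-Results` values are constructed for the example.

```python
"""Added example: score a raw e-mail against the phishing tells described
in the article. Not part of the original page; sample messages and domains
are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the scam quoted in the article.
SAMPLE_SCAM = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=scammer.example; dkim=none
From: "g o o g l e" <no-reply@scammer.example>
To: victim@example.net
Subject: Someone has your password

It is required that you reply within the next 24 hours, We will suspend
access to your account if we don't recieve your reply with in the given
time frame, We would appreciate your immediate attention to this matter
"""

# Constructed sample of a legitimate-looking notification for comparison.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security alert

A new sign-in on Windows was detected. You can review your activity at any time.
"""

# Pressure phrases typical of the scam; matched case-insensitively.
URGENCY = ["24 hours", "suspend", "immediate attention"]


def brand_in_display_name(display: str, domain: str, brand: str = "google") -> bool:
    """True when the display name spells the brand once spaces and punctuation
    are stripped (the 'g o o g l e' trick) but the sender domain is not the
    brand's own domain."""
    compact = re.sub(r"[^a-z]", "", display.lower())
    own_domain = domain == f"{brand}.com" or domain.endswith(f".{brand}.com")
    return brand in compact and not own_domain


def auth_failed(auth_results: str) -> list[str]:
    """Return the mechanisms (spf, dkim, dmarc) that did not report 'pass'.
    A mechanism that is absent from the header counts as not passed."""
    failed = []
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth_results)
        if m is None or m.group(1).lower() != "pass":
            failed.append(mech)
    return failed


def phishing_indicators(raw: str) -> list[str]:
    """Parse one raw message and list every indicator found (empty = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()

    findings = []
    if brand_in_display_name(display, domain):
        findings.append(f"display name {display!r} impersonates Google but sender domain is {domain}")
    for mech in auth_failed(str(msg.get("Authentication-Results", ""))):
        findings.append(f"{mech} did not pass")
    hits = [p for p in URGENCY if p in text]
    if hits:
        findings.append("urgency/threat language: " + ", ".join(hits))
    if "reply" in text and "password" in text:
        findings.append("asks for a reply concerning your password")
    return findings


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Run stand-alone, the script reports the impersonated display name, the failed SPF/DKIM/DMARC results, the pressure phrases and the reply-for-password request for the scam sample, and nothing for the legitimate one. In a mail pipeline the same function would feed a quarantine or user-warning decision rather than a print.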

Gmail spam mystery: Before you change your password, read this

Is Gmail sending spam from your account?

There’s something weird afoot in the world of Gmail. As widely reported earlier — first by Mashable, then by our sister sites ZDNet and TechRepublic — some people have noticed spam messages in their Gmail Sent folders.

That can only mean one thing, right? Those accounts have been compromised, meaning a password change is in order, stat.

Here’s the thing: The spam problem appears to persist for some, even after a password change (as reported on the Gmail help forums).

To make matters worse, having two-factor authentication (aka 2FA) turned on doesn’t seem to be helping, either. According to the ZDNet story, “The mystery spam appearing in Sent folders has also been happening on accounts with two-factor authentication enabled.”

CNET has reached out to Google for comment on this issue, but has yet to receive a response. (We’ll update the post if we receive one.)

So what’s going on here, and what can you do about it?

Who’s affected?

According to a statement that Google provided to Mashable, the company is “aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it.”

Check your Sent folder

To see if your account has been “sending” spam, head to the Sent folder and look for suspicious messages — anything that wasn’t sent by you or looks to be blatant advertising. (One user reported subject lines referring to weight-loss and growth supplements.)

Don’t see anything out of the ordinary? You’re probably fine.

See some spammy messages with you listed as the sender? You can report those messages as spam with a few clicks, and they’ll be banished to the correct folder.

But here’s the thing: Even if you do see spammy messages listed as coming from your address, you may well be fine anyway. Faking email headers is so simple for spammers that your account may never actually have been compromised to begin with.

Instead, the presence of the messages in your “sent” folder may be more of a database glitch on Gmail’s part, where the system is mistakenly routing them to the “sent” folder instead of the “spam” folder. Indeed, in that same statement referenced above, Google tells Mashable that its engineers have “identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident.”

I’m still freaked out. What else can I do?

Well, the good news is that this may have finally scared you straight on email security. The first and best thing you can do is…

Enable two-factor authentication: If you haven’t already done this, you should. Two-factor authentication prevents anyone from accessing your Google/Gmail account unless they’re able to supply a secondary password — one that’s generated in real-time and delivered to your phone.

CNET’s Matt Elliott tells you everything you need to know about setting up Google’s two-factor authentication, so I won’t repeat it here. I will recommend that you read Matt’s other article about using something other than text-messaging for that authentication. He recommends Google Prompt, which is available for both Android and iOS.

Make sure no dodgy apps have permissions to access your Gmail account: The same thing people have been doing on their Facebook account, post-Cambridge Analytica, applies here: review the list of third-party apps that have been granted access to your Google account. Expanding each one will list the vendor and the day access was granted. And double-check even the ones with familiar names: Many Google Docs users were the victims of a sophisticated phishing scam almost exactly a year ago that used spoofed names to gain access.

This is a legit app, and the date lines up with when we authorized it to be linked to our Google account. (Screenshot: CNET)

Check for mystery browser extensions: Same as above. If you find any strange extensions you don’t recognize, it won’t hurt to uninstall them. They may be bad actors.

Use a password manager: Using a password manager is the easiest way to maintain secure passwords on any and all sites. Find the best password manager options here.

Change your password anyway: To reiterate: It appears this Gmail-spam thing is just a glitch and not some kind of hack, and people who have already changed their password were still seeing the issue. As a result, we do not recommend changing your Gmail password to address this issue.

But, if you insist: The fastest, easiest way to do that is to visit Google’s password change page. If you’re using your phone or tablet, you’ll have to open a browser. You can’t change passwords from within a Google or Gmail app.

Also, needless to say, if you already have 2FA set up for your account, be prepared to jump through that second “factor” hoop before you can complete the password-change process.

Have you encountered any unexpected spam in your Gmail Sent folder? If so, tell us about it, and what steps you’ve taken (if any).

I think someone I know has hacked my Gmail account. What should I do? – Valeria

This is a relatively common question. Other recent examples include “Someone is using my Gmail account to steal my data on a game. How do I get rid of him?” from Rodimus Ghost, and “My daughter is using my Gmail account. How do I stop her?” I don’t recall getting these queries about other email services.

My usual response is: “How do you know?”

There might be emails in the Sent Mail folder that you didn’t write, though hackers can cover their tracks by deleting copies of sent emails. However, incoming emails are not an indicator. I’ve had emails from Instagram, GoCompare, Barclaycard Business, Apple, Prattville YMCA and many other organisations where people have entered my Gmail address, probably by mistake. It doesn’t mean they have accessed my account.

The best way to tell if someone else has used your account is to scroll down the Gmail inbox and look for “Last account activity” in the bottom right. Clicking on Details produces a nice table that shows how someone accessed the account (browser, mobile, POP3 etc), their IP address, and the date and time. You should recognise every session; any that aren’t yours are a warning sign.

In fact, Gmail will, by default, notify you of any unusual activity. You may get an alert if you log on with a new device or from a different country. These alerts can be annoying but they increase your security. Don’t turn them off.

You can also check the Recently used devices page, which lists all the PCs, phones and tablets used in the previous 28 days. Again, it should be obvious if any of them are not yours.

Double-check Settings

There are simple ways to read someone else’s emails without leaving obvious traces. These are controlled from Gmail’s Settings, which you can find by clicking the cogwheel in the top right.

On the Settings page, click Accounts and Import and go to the penultimate entry: “Grant access to your account”. Someone could click “Add an email account”, enter another Gmail address, and access your emails from that account. They can keep these emails marked as Unread even if they’ve read them.

Next, click Forwarding and POP/IMAP and review the top section on mail forwarding.

Email services allow users to forward all incoming emails to another email address, and I think everyone should do this. I have Gmail forward all my emails to my account at Microsoft’s Outlook.com. As a result, I can still read and reply to emails even if Gmail is inaccessible. Further, if Gmail locked me out, I’d still have copies of emails going back to April 2004.

Locked out of your account? All might not be lost. Photograph: Graham Turner/The Guardian

So, if you can access someone’s mailbox, you can set up mail forwarding to an address that you control, and they’ll probably never notice. Make sure nobody has done that to you.

If you only read Gmail in a web browser, you could also disable the POP and IMAP access features. This would provide a small increase in security, but I don’t recommend it. In fact, there are advantages to using a PC email program such as Microsoft Outlook, Thunderbird or eM Client to collect Gmail using the IMAP protocol. These programs have more features than the web version of Gmail, and they store emails on your PC so that you can easily access them offline. IMAP leaves the original emails online, so you can still access them using different devices. (Yes, you can also install “Gmail Offline” via the Offline tab.)

Remember to save any changes before switching tabs.
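The three settings the column tells you to inspect by hand (delegated “Grant access to your account”, mail forwarding, and filters that can quietly forward or hide mail) are exactly what an attacker who has had a session in your mailbox would change, and they can be audited automatically. The script below is an added example, not the column’s own code or Google’s: it works over dictionaries constructed here in the shape of the Gmail API’s `users.settings.forwardingAddresses.list`, `users.settings.delegates.list` and `users.settings.filters.list` responses (fetching them live needs an OAuth-authorised client and is not shown). The `KNOWN_*` allow-lists, the addresses and the filter contents are assumptions made up for the example.

```python
"""Added example: audit Gmail forwarding, delegation and filter settings for
the persistence tricks described in the column. Not part of the original
page; input data is constructed in the shape of the Gmail API responses."""

# Assumption: the mailbox owner maintains these allow-lists themselves.
KNOWN_FORWARDING = {"me@outlook.example"}   # e.g. the Outlook.com copy the column describes
KNOWN_DELEGATES = set()                     # nobody should have delegated access

# Constructed sample responses (shape follows the Gmail settings API).
FORWARDING = {"forwardingAddresses": [
    {"forwardingEmail": "me@outlook.example", "verificationStatus": "accepted"},
    {"forwardingEmail": "dropbox7@attacker.example", "verificationStatus": "accepted"},
]}
DELEGATES = {"delegates": [
    {"delegateEmail": "other.person@gmail.example", "verificationStatus": "accepted"},
]}
FILTERS = {"filter": [
    # Benign: archives a newsletter, forwards nothing.
    {"id": "f1", "criteria": {"from": "newsletter@shop.example"},
     "action": {"removeLabelIds": ["INBOX"]}},
    # Malicious pattern: forward sensitive mail elsewhere and hide it from the owner.
    {"id": "f2", "criteria": {"query": "password OR verification code"},
     "action": {"forward": "dropbox7@attacker.example",
                "removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},
]}


def audit_forwarding(resp, known=KNOWN_FORWARDING):
    """Flag every account-wide forwarding address the owner did not set up."""
    return [f"unknown forwarding address: {e['forwardingEmail']}"
            for e in resp.get("forwardingAddresses", [])
            if e["forwardingEmail"] not in known]


def audit_delegates(resp, known=KNOWN_DELEGATES):
    """Flag every delegate (the 'Grant access to your account' setting)
    the owner did not authorise."""
    return [f"unknown delegate with mailbox access: {d['delegateEmail']}"
            for d in resp.get("delegates", [])
            if d["delegateEmail"] not in known]


def audit_filters(resp, known=KNOWN_FORWARDING):
    """Flag filters that forward mail to an unknown address, and note when the
    same filter also hides the matching mail (archive or trash)."""
    findings = []
    for flt in resp.get("filter", []):
        action = flt.get("action", {})
        fwd = action.get("forward")
        hides = ("TRASH" in action.get("addLabelIds", [])
                 or "INBOX" in action.get("removeLabelIds", []))
        if fwd and fwd not in known:
            note = f"filter {flt['id']} forwards matching mail to {fwd}"
            if hides:
                note += " and hides it from the inbox"
            findings.append(note)
    return findings


def audit_account(forwarding, delegates, filters):
    """Combine all three checks; an empty list means nothing suspicious."""
    return audit_forwarding(forwarding) + audit_delegates(delegates) + audit_filters(filters)


if __name__ == "__main__":
    for finding in audit_account(FORWARDING, DELEGATES, FILTERS):
        print("WARNING:", finding)
```

Only the filter that actually forwards mail is reported; an archive-only filter such as `f1` is normal housekeeping. Anything the audit flags should be removed in Settings, and the sessions listed under “Last account activity” reviewed at the same time, since the setting can only have been added by someone who was signed in.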

Password security

Once you are sure your mailbox is not being hacked, change your password to keep other people out.

In Gmail, go back to Accounts and Import and click “Change password”.

Choose a strong password or passphrase that includes numbers and upper-case characters. Gmail requires at least eight characters, but aim for 12 or 16 or even more. Longer is better. It won’t be random, unless you use a password manager, but avoid family names, names of pets, birthdays, sports teams and other obvious elements.

For convenience, your browser or email program can remember your password. If you allow this, your email is only as secure as your PC. Anyone who can access your PC can access your email.

Nowadays, of course, the simplest way to hack someone’s email is to use a phishing attack. In this case, someone sends you a link in an email that pretends to come from Google. Clicking the link opens a browser tab where “Google” asks you to log in with your email address and password. The attacker harvests the results.

If you’re going to leave your PC unattended or fall for a phishing attack, it doesn’t matter how strong your password is.

Do the two-step

If someone can access your Gmail account, they can change your password and lock you out. You can prevent this by using “two-step verification”. With Gmail, this usually means Google will text a code to your mobile phone. This is fine until you don’t have a signal or lose your phone. Gmail therefore asks for a back-up phone number. (Landlines work: you get a voice message.) Gmail also allows you to print out a small set of verification numbers that you can use when travelling.

Google’s two-step notification on Android Photograph: Samuel Gibbs/The Guardian

Google provides an alternative to SMS in the form of Google Authenticator, a free app for Google Android devices and Apple iPhones and iPads.

You can also simplify two-step verification slightly by using “application specific passwords”. For example, if you access Gmail via a smartphone app or an email client that can’t handle two-step verification, you can request a separate password for each email program on each device. It only has to be entered once.

To use these extra security features in Gmail, go to Accounts and Import, click “Other Google Account settings” and then “Sign-in & security”. This provides access to password changes, two-step verification, and account recovery options.

Account recovery

What if your password stops working and you can’t get into Gmail? The traditional approach to account recovery is to ask for some personal information, such as your mother’s maiden name. This enabled people to hack email accounts by using information gleaned from social media accounts. You can prevent this by using random letters or something obscurely incorrect – “Mother’s maiden name: Quetzalcoatl” – but then you have to remember the answers.

Google’s recovery options include a phone number, another email address and a security question. It also likes to ask when the account was opened and when you last used it.

You may be able to find out when you created your Gmail account by searching for (in my case) before: 2004/04/15, or any date in YYYY/MM/DD order. That won’t work if you deleted your welcome message, but vary the date to find the oldest message you can.

Account recovery is the only way to get your Gmail back if you forget your password or a hacker changes it. But it doesn’t always work, and you may be told that “You weren’t signed in because Google couldn’t confirm that [email protected] belongs to you.”

Then – as another reader, Paul, found earlier this year – you end up in a “failed online recovery loop. No contact centre. No online chat. No contact details at all.” It looks as if there’s nothing you can do except open a new account, change all your online passwords and email addresses, and hope nothing bad happens.

Have you got a question? Email it to [email protected]

How do I recover my Google account (or Gmail) password or username?

I have forgotten my password, but my browser remembers it

If your browser remembers your password (that is, the password field is automatically populated when you log in to your Google account, and you’re able to log in), you should be able to retrieve your password through your browser’s password manager.

See the instructions for your browser:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Opera

I have forgotten the password for my private Google (Gmail) account

  1. Visit Google’s Account Recovery page;
  2. Select the I don’t know my password option;
  3. Follow the instructions shown.

I have forgotten the username / email address for my private Google (Gmail) account

  1. Visit Google’s Account Recovery page;
  2. Select the I don’t know my username option;
  3. Follow the instructions shown.

In order to recover your Google username using this form, you must already have specified a recovery email address or recovery phone number.

If you haven’t specified any recovery information, you may still be able to find your username if you have fairly recently accessed your email account through a browser. Gmail displays your email address in the browser’s title bar, so searching your browser’s history for Inbox or Gmail might reveal your email address.

I have forgotten the username / email address / password for my work Google account (Google Apps)

If you have an account on the Google Apps for Business service, you may still use the method described above. If this proves unfruitful, contact the administrator for your domain, who will be able to reset your password and/or find your username.

I have forgotten the admin username / email address for a Google Apps for a Business account that I manage

First, try the methods described above. If this is unsuccessful, you may still reset the admin password by domain verification.

I have forgotten my username / email address / password, but I have a desktop / smartphone email client that can still fetch mail from my account

If you have already set up an email client to fetch mail from your account, you might be able to extract the username / password from that client.

Instructions on how to do that will vary depending on which client you use. Here are links to instructions for some of the most common clients:

  • Mac OS X Mail
  • Outlook Express
  • Eudora, FoxMail, The Bat!

I have no access to my recovery email, phone, or any other option

You may still be able to restore access to your account by manually verifying your identity.

  1. Go to the Google Account Recovery page
  2. Enter your email address and click Continue.
  3. If you are asked to enter the last password you remember, click I don’t know.
  4. Click Verify your identity which is located under all of the other options. (It is a small link.)

You will then be asked a series of questions which you must answer to the best of your ability. If you can provide enough accurate information, you will get your account back.

How do I prevent losing access to my account in the future?

See How do I protect my Google/Gmail account?

Google® Account Recovery Help and How to Recover Gmail® Password

Recover Google® account, find out how to recover Gmail® password – Tips and Hints

Tip #1: Google® is pretty good at providing its users with ways to recover their data. Gmail® password recovery is a breeze if you provided enough security information during account registration.

The first thing you want to try is Google’s Account Recovery page. Choose the “I don’t know my password” option and enter your Gmail® address, click on Continue.

If you linked a phone number to your Gmail® account, you can request a verification code sent in a text message, or you can answer security questions under the “Verify your identity” section.

Tip #2: If you forgot your email address and haven’t set up any recovery information such as a phone number or security questions, you may still be able to find your username in case you have recently used your email account in your web browser. Search your web browser history for Inbox or Gmail® to see if it reveals your address. Technically, your full email address or the first part of it before the @ character is your username.

Tip #3: In case you don’t have access to your recovery email, phone, or other option, you may still be able to recover your Gmail® password by manually verifying your identity. The first thing you need to do is visit the Google Account Recovery page. When there, enter your email address and click “Continue”. Click the “I don’t know” option for the password and choose the “Verify your identity” option, which is a really small link under all the other available options. Answer all the questions to the best of your knowledge; if the information you provide is accurate enough, Google account recovery will succeed.

Tip #4: With work Google® accounts, G Suite® or Google Apps®, it may be easier to reinstate your account access, as you can always contact the administrator of your domain to reset your password and get your account back.

Tip #5: Protect your data today. The best Google® account recovery method is naturally never losing any data. So how do you ensure 100% Gmail® recovery? We suggest using data protection and recovery solutions that can keep track of your file operations and recover accidentally deleted data. Disk Drill is a brilliant recovery app that offers free protection for all your password manager files and for external and internal data storage. Let us stress this: protection and recovering protected data is free with Disk Drill for Mac! While Disk Drill cannot recover your Gmail® password directly, it may help in recovering your password storage in case it was unexpectedly lost.

Disk Drill takes care of your disk health, monitors it closely and will warn you if there is a possibility of disk failure. It lets you find duplicate files, clean up some disk space and make reliable backups. In addition to Gmail® recovery, you can benefit from recovery for laptops and desktops, iPhone/iPad/iPod®, digital cameras, internal and external hard drives, USB flash drives, and (rooted) Android® devices.

Google®, Gmail®, G Suite®, Google Apps®, Android® and the Google Logo are registered trademarks of Google Inc. iPhone®, iPad® and iPod® are registered trademarks of Apple Inc. Disk Drill® is a registered trademark of 508 Software, LLC.

Tech 911: Do you have a tech question keeping you up at night? We’d love to answer it! Email [email protected] with “Tech 911” in the subject line.

We all forget passwords sometimes. It happens. If you use a password manager, this shouldn’t be a problem at all—in fact, I’m expecting you will not be able to remember your long and complicated passwords. I sure don’t. But there are plenty of people who don’t use password managers, and this means that they run the risk of losing access to older accounts if their passwords (and backup methods) fail.

That’s exactly the scenario that Lifehacker reader Rebecca sent our way. She writes:

“I’ve been locked out of my Google account for at least 2-3 years now, but it’s still connected to my Yahoo mailbox, so I can still send and receive emails from it through my Yahoo link, but I have several things in my Google Drive I’d like back. I don’t remember my password and I don’t have my old phone number any more. Can you help me?”


Well, I’m relieved that you can still somewhat access your Google account, albeit not in the way that you were hoping to do. This problem is a bit perplexing at first, but let’s walk through your options.

First, I’m going to assume that you don’t know your Google account’s password. All roads lead to Google’s Account Recovery tool, even if you don’t know the Gmail address associated with the account, but that’s going to make it even trickier for you to recover your account. For example, you’ll first have to provide information you might not even know, since if you had it you would probably already have used either option to recover your account in the first place:

Screenshot: David Murphy

Input your phone number, and ideally your name, and Google will fire off a text message to that number to verify that you are you. This doesn’t help in your case, though, since you don’t have access to that old number. And if you remembered your recovery email, it’s the same deal; Google would fire off a verification message to that, and you would begin the account recovery process that way.

Screenshot: David Murphy

The problem? This is all just to help you remember what your Google account was. You’ll still have to go through the password-reset process, which might prove problematic. Here’s what I mean. You’ll start by entering your email address (since you no longer have access to your phone number):

Screenshot: David Murphy

You’ll have to enter your name, which should be easy enough, and then you’ll enter your email address (that you can check from Yahoo). You’ll get a verification code that you’ll then have to type into the account-recovery process, just as before.

In my case, I was then asked to enter my password—which I don’t know, and indicated as such. Google then asked me to enter the last password I ever knew for that account. I’m assuming you don’t know that either. (I wouldn’t.) If so, you’ll have to click “Try another way,” and in my case, Google then peppered me with other questions, like asking for the first phone number I ever associated with the account, the month and year I created my account, et cetera.


Is this process cumbersome? Absolutely. Unfortunately, it’s the best you can do; Google provides no additional support beyond its Account Recovery tool, no matter how many separate articles you’ve read about people finding some magic customer service number (like what they get if they sign up for a Google One plan, for example) that they can call for additional help. Don’t bother. If the tool can’t fix it, then it cannot be fixed.

I wish this wasn’t the case, but I sort-of get Google’s point in being strict about this. It’s a security thing. If everything its recovery tool asks you still isn’t enough to prove that you actually own the account in question, a tearful story over the phone shouldn’t convince Google to let you in. What’s to stop another person from coming up with some clever way to convince a customer support agent that they are really you (and should be let into your account)?


Anyway, I’m hoping that Google’s tool is enough to get you in. If not, you’re stuck. I’d keep thinking for ways to verify you are you—perhaps, for example, one of your very first Gmail messages is somewhere in your Yahoo inbox, and that can help you figure out when you started the account (to answer a verification question). Maybe you’ve used your old Gmail password on another service, and going through some of your common passwords you use everywhere—if that’s a thing you do—could help get you into your Google account.

Screenshot: David Murphy

If, or when, you get in, I recommend hitting up your account settings and setting up a new recovery phone number and email address—and change your security question, in case you forgot that too. And stay on top of this in the years that follow; the last thing you’ll want to do is fight to get back into your Google account again if your recovery information is out of date. Also, consider using a password manager to store all of your login information for you, so you never have to worry about forgetting ever again.

Do you have a tech question keeping you up at night? Tired of troubleshooting your Windows or Mac? Looking for advice on apps, browser extensions, or utilities to accomplish a particular task? Let us know! Tell us in the comments below or email [email protected]
