Help! My Gmail Account Was Hacked! How Do I Clean This Up?

Reader Lisa would like to ask the Consumerist hive mind for advice on cleaning up her recently hacked Gmail account. Here’s her story:

Lisa writes:

My Gmail Account was hacked this morning. I discovered it when I tried to log in to check my email around 11:40am and my username/password was rejected. Luckily I had a secondary email tied to my account so I was able to reset my password. Then after I logged in, I found out that a spam email had been sent from my account saying that I was stuck in London and needed money. I also saw that the hacker had changed the “reply to” email address in my account.

The actions I’ve taken so far are:
· Changed my Gmail Account password and security question
· Removed the hacker’s email from the “reply to” setting
· Updated the passwords on my bank accounts

I admit that I only have 4-5 passwords that I use for all my online accounts. The one for Gmail had been the password that I use most frequently.

I’m looking for advice on what else I need to do to recover from this. Is it enough to have just changed my Gmail password, or should I close that Gmail account and open a new one? (That seems extreme to me, but that’s why I’m asking for help.) I know that ideally I should have more unique passwords for each online account, but I can’t fathom how to keep track of all those passwords. How do other people manage this?

It sounds like you’re on the right track. I poked around our archive and found some password creation and management advice.

Create A Different Password For Every Site And Never Forget A Single One

How To Easily Remember A Different Password For Every Site

So, Consumerist hive mind, Lisa wants your help. Should she keep that Gmail account?

Comments

  1. grucifer says:

    Had this happen to one of my gmail accounts as well.

    Changing the password has solved the problem, also I ran a virus scan on my computer to ensure it wasn’t something on my harddrive.

    So, make sure your anti-virus software is up to date and run a scan.

  2. Miss Dev (The Beer Sherpa) says:

    I agree that you’re taking the right steps. Also, use a unique password for your gmail, and change ALL of your passwords. You could have a keystroke tracker on your computer that captured your passwords. Unlikely, but possible.

    Run a virus scanner and a malware scanner like AdAware or SpyBot.

    If you’re still nervous, you can always have an independent professional come in and do a deep search and cleanse (do NOT go to Geek Squad).

  3. AustinTXProgrammer says:

    Make sure you check all the security questions and such. This happened to my wife with Yahoo and the hacker had left back doors. We also moved to using lastpass and random site specific passwords.

  4. facted says:

    I would recommend a password solution such as lastpass (free, at lastpass.com). It’s been recommended on countless techie websites and basically has extensions that plug in to your web-browser to help you fill out your passwords for you. You only remember one super secure / complicated password and it remembers everything else. It also offers a random password generator which is very useful and your passwords can be accessed from any computer basically. Been using it for a while and find it to be VERY helpful.

    As for your gmail account, no need to close it. You’ve done the right thing in changing the password and the reply-to. I would also send e-mails to the people that had spam email sent to them and just inform them that the e-mail sent from your account was fraudulent (just to give them a heads-up).

    • Aurock says:

      I second the suggestion for LastPass. It’s cross platform, cross browser, portable, and incredibly secure. The plugin remembers all of your passwords, and keeps them synchronized with the LastPass servers. Everything is encrypted before it ever leaves your computer, and LastPass doesn’t even know your ‘master’ password, much less all of the individual ones.

      They also have a ‘Security Check’ built in, which is helpful after you’ve been using lastpass for long enough to have it remembering most of your passwords. It will go through and analyze every password for complexity, and check it against other sites to see if you’re reusing passwords. It breaks everything out into a nice report so you can quickly go change the weak passwords. If you use the random password generator, you’ll never end up sharing passwords between sites again. And because lastpass remembers them all for you, and enters them all for you, it doesn’t take any extra work on your part.

      The bulk of it is free, with a few bells and whistles you can get for a buck a month.

    • TonyK says:

      +1

    • webweazel says:

      I agree. I have been using lastpass for just a handful of months, but I do like it immensely. There are quite a few bonuses available with lastpass, so at least look into it. It will definitely help you to use stronger passwords to prevent this type of thing from happening. One of the most dangerous things you can do is have the same password for more than one site. Especially if it’s a short easy one.

      That said, I always write down every single user/password I use on every site in a small address book for looking them up when I need them again. NONE of them are the same. I use the name of the site itself to correlate to which page of the book to use. The more important ones, like banking, etc. are already memorized and written in a code in the book that only I would understand if it was somehow stolen. This book is put into a locked safe when we are away. For lastpass, I only save frequent sign ins, like Consumerist, email, Yahoo groups and the like. (No banking information/financial passwords/credit card info is stored on my computer at ANY TIME.) Doing it in this way helps to keep me secure, and lastpass just helps to make it much easier for me to deal with.

    • dmuth says:

      I too will recommend LastPass. Been using it for a few months now, and I’ve found it quite helpful for managing my passwords.

      It’s also handy for different “roles” I have (I do webhosting for some non-profits) in that I can create different password groups for each role. That way, if I ever step down from one role, I can hand off all the passwords to my successor.

  5. pecan 3.14159265 says:

    Also, erase (and empty the trash) anything that has any sensitive information just in case. Shipping confirmations and such things are great when you need them, but they have your address, full name, etc. and that’s not information you want any stranger to have.

    Scrubbing your email accounts once in a while is a good habit.

    • coffeeculture says:

      +1 here, assume you will be hacked. I key in my SSN, passwords, etc. into the search box to find the emails and fully delete them.

      Don’t forget to scan PDF/Word documents that are attached. I spent a good 6 hours doing this across all my email accounts, worth every minute.

      Even a secure password can be hacked if they’re backdooring it through China.

  6. Hoss says:

    If she’s got a Paypal account, go there right away and change the password. Their site is easy to get $$

  7. fsnuffer says:

    At the bottom of your gmail web page there is an activity page. Keep an eye on it to see if your little friend logs back on. Click on the “Details” hyperlink. Also send out an e-mail to all the people he e-mailed telling them you are not stuck in London.

  8. Alvis says:

    MOST importantly, don’t do these repair steps from the computer you were using while hacked. Switch to a linux Live CD until you can sort out how you were hacked in the first place.

    • Mom says:

      It was her gmail account that was hacked. There doesn’t seem to be any evidence of her computer being hacked. She’s probably okay without the live cd.

      • Aurock says:

        Probably, but I think Alvis was suggesting that whoever hacked her Gmail account may have gotten her credentials initially through some kind of malware on her computer. Until you’ve run a good virus & malware scan, you should be careful.

      • aloria says:

        You do realize that your computer being compromised by malware is an extremely commonplace way for someone to get into your gmail account, right? The other very likely way is phishing. Hackers don’t have some magical “hack gmail account” button.

        • GuyGuidoEyesSteveDave™ says:

          So they have access to all the info on your computer, and they hack your gmail? I think someone stole the DB off a board she signed up for, and she used the same password there as she uses on her gmail account, which she listed as her contact.

      • There's room to move as a fry cook says:

        Hacked in this case means someone knew her password.

        Top 3 possibilities:
        - it was a short lowercase common word
        - it was phished via a bogus email
        - a bad site or advert on a trusted site installed a keylogger.

    • parrotheadmjb says:

      yea I recommend this, though if you’re using Wi-fi you need to make sure it’s secured properly (need to check wi-fi either way). A hacker can steal the gmail cookie from an unsecured network, change your settings and never actually know your password.

  9. discounteggroll says:

    I woke up today to find my account had been compromised as well. Had to submit a ticket and answer pretty specific questions. One key piece of advice is to not have the telephone # on file with your account be the google voice # that you have as well. Because if you’re locked out of your gmail, you’re also gonna be locked out of your GV.

  10. Dover says:

    If the reply-to address was from a reputable service, report this issue to them so they can close that account.

  11. SNForrester says:

    Gmail has an “Email Forwarding” feature that should be checked immediately. Bad guys will put an address there so that they can continue to receive all your email even after you change the password.

    Also, I recommend using one password for all your random low-security logins (like Consumerist – no offense!) and different ones for Gmail, banking, and shopping sites. A handful of passwords should be more manageable.

  12. SomeWhiteGuy says:

    My wife’s gmail was hacked a while back and we changed her password to something more secure than “password” and checked her sent mail for any spam messages. We were lucky. It’s a good idea to keep separate passwords for all your online accounts.
    I’ve begun using https://www.passwordcard.org/en for passwords. It’s a simple card with several passwords on one card. It also makes it easy to remember your passwords with a simple symbol/color combination which helps you remember which password. Also, if you lose the card or someone steals it, they don’t necessarily know your password, only you know the combination.

    I do keep the number that is used to recall the card in a handy spot in case I lose the original.

    Hope this helps.

    • aloria says:

      “Keeping separate passwords for all your accounts” won’t do a lick of good if those accounts use the hacked gmail account for password resets.

  13. liamarbetman says:

    For about $50/year you can upgrade to a google apps account and add an authenticator.

  14. notovny says:

    On the GMail Help Boards, one of the most active volunteers, bkc56, generally recommends doing all the following things after recovering a lost GMail Account:

    http://knol.google.com/k/the-c-man/how-to-recover-a-hacked-or-compromised/3p9k5zywla4ku/7?pli=1#When_you_reclaim_Your_Account

    If you want to be really sure, you should also assume that the compromiser searched your email for every account mentioned in your GMail account, went to the site, triggered an “I forgot my password” event, and after receiving or resetting those passwords, trashed and permadeleted the resulting email.

  15. shlni says:

    Sometimes it may not necessarily be a hacker, but just a bounce-back (or backscattering) email programmed by spammers. Which did happen to me. I changed my password three times and I still kept getting spam bounce-backs, so no my email wasn’t hacked into. Spammers just obtained my email and used it as a return address. What I did was deleted all my contacts and changed my password and that seemed to do the trick.

    Here’s a related article on the issue: http://www.computerworld.com.au/article/214540/100_e-mail_bouncebacks_ve_been_backscattered_/

    • Mxx says:

      If a spammer just used your email address in the “FROM:” or “REPLY-TO:” field, deleting your contacts or changing your password would not have any effect on that. It was just a coincidence that bounces stopped.
      However, Gmail knows if those bounces are real (i.e. you sent that message) or fake, and it filters out fake ones.

  16. Mom says:

    You might want to email all of your friends and tell them that you’re not in London, and you don’t need money. This has been going around, and most people know it’s a scam, but your Aunt Edna probably hasn’t heard yet.

  17. MustWarnOthers says:

    Make sure you also check the account activity at the bottom. The hacker may still have sessions of your Gmail account logged in.

    At the bottom where it shows your IP address and activity, click the “Details” link.

    “Last account activity: 2.5 hours ago on this computer. Details”

    This will show you where the account had been logged in, and use the link “Sign out all other sessions”.

    I had some strange email show up, and I didn’t even click the link, I simply opened the email, and immediately it kicked me out of Gmail and then locked the account because it was being opened in Slovakia.

    Once you sign out all other sessions, then reset the password to something extremely secure, check your outbox to see what was sent from your account, check your mail forwarding to make sure your email isn’t being auto-sent somewhere else, and also check your rules/filters to make sure there aren’t any odd ones.

    • PencilSharp says:

      While checking your account activity, look down toward the bottom of the activity log to make sure that Alert preference: is set to “Show an alert for unusual activity.” May not help you now, OP, but it could be a heads-up for you in the future.
      Also, make sure you always log out of Gmail/Reader/Apps/etc when you’re done.

    • Willnet says:

      I got hacked this morning as well. Thanks for the input.

  18. Dhornet7 says:

    Ya I was hacked a few weeks ago and they erased all of my contacts. It really really sucks. I have not been able to retrieve them, so now I have to start over. I love that google sent me a message the next day saying that I may have been hacked, from China. Google, don’t you think it’s a bit weird that I showed up in China two minutes after I had just logged in. I must fly really fast.

  19. RebekahSue says:

    Google hasn’t been much help with this.

    My mom’s account got hacked. Security passwords changed. Trying to reset everything is like going through a phone tree, just online.

    I’m afraid I’m going to actually have to phone and talk to a person to get the account back. She is very fond of her Google calendar and I think there are a few appointments on there that we need. (She and I could see each other’s accounts, but I can’t see her mammo appointment!)

    • There's room to move as a fry cook says:

      “Google hasn’t been much help with this.”

      It’s free.
      Doesn’t cost you a dime.
      Don’t expect any support.

      • jessjj347 says:

        When they own all of our information, come back and talk to me about how it didn’t cost a dime.

        • jessjj347 says:

          Sorry, didn’t mean to sound snarky…
          I just always have that idea in the back of my head every time I see a new Google service.

      • RebekahSue says:

        Yeah, I know; I say that all the time about Crackbook. It’s not like the AT&T account that also got hit during the hack.

        We’d be happy to let this (two-year established) account go, despite missing email, but we did count on the calendar and I’m sloppy about backups. That’s on me, not on Google.

  20. aloria says:

    Saying “my gmail account was hacked” is misleading. It implies some faceless baddie out there actively targeted your account and broke in. You more likely (unwittingly, obviously) handed over your credentials through some sort of carelessness, such as falling for phishing or installing a trojan. Try to pinpoint exactly how your login got compromised, because changing the password every account that uses that gmail for password resets isn’t going to do you a bit of good if there’s malware on your machine harvesting logins.

    • BuyerOfGoods3 says:

      THANK YOU! I am getting really tired of hearing “hacked” thrown around to mean someone misplacing or giving out their password (or picking up Malware from some pron)

  21. Jezz1226 says:

    A way to remember passwords (especially for lower security sites, I wouldn’t recommend using something like this for a bank account, but for message boards, blogs, things with limited personal information, etc. it works) is to have a set password and then some sort of prefix or suffix based on the website.

    For example your “special code” could be a prefix based on the first three letters of the website (can make this more complicated and secure if you like, just an easy one for examples sake) so your password for Gmail would be “gmapassword”; password for consumerist would be “conpassword”; password for yahoo would be “yahpassword” etc etc. That way you have different passwords for each, but only have to remember your regular password + special code, instead of remembering a completely different password for each site.

    • aloria says:

      That is hardly any more secure than just having the same password. A hacker would take one look at a facebook password of q1s2#ff$$$face, and try q1s2#ff$$$twit for twitter, q1s2#ff$$$gmai for gmail, etc.

      • Jezz1226 says:

        It depends on how secure your “special code” is really (hence the note on how first three letters is a simplified example), a more secure example would be:

        Root password is K23jkj$3, special code is the capitalized third character of the site name, then the password, then the second-from-last character of the site name
        Facebook is CK23jk$3o
        Consumerist is NK23jk$3s
        Gmail is AK23jk$3i

        In my opinion that’s really not all that obvious as to what you’re doing, but YMMV

  22. RogalDorn says:

    this is the kind of thing that scares me about my android phone and how much it relies on my gmail account for everything. Which is nice but there is also this dark side. All you can do is have a strong password and be careful what you click on.

  23. momtimestwo says:

    Happened to me with Yahoo mail. I wish I could use my WoW Authenticator with all of my accounts that use passwords.

  24. GuyGuidoEyesSteveDave™ says:

    I always wonder if this happens because you sign up for a BBS or board/etc…, and the password you use there is the same as one for the email account that you signed up with. That’s why I always use a less secure password for BBS and the such, and make sure it’s different than the password for the email account I use. It’s sometimes simpler to hack into a database and steal hundreds of emails and passwords at once than to hope someone installs a keylogger on their system.

  25. There's room to move as a fry cook says:

    Make sure you have no trojans or keyloggers on your PCs.
    I find running this free combination keeps me clean and catches nasties. MalwareBytes is particularly good. Note- I only run these as needed and not as ‘always on’. I use Avira for ‘always on’.

    http://www.malwarebytes.org/ (really good)
    http://www.safer-networking.org/index2.html
    http://avira.com
    http://www.superantispyware.com

    I also use CCleaner to see what’s active on my PC – and remove it – http://www.piriform.com/
    Use a firewall to monitor outbound connections – http://www.ZoneAlarm.com

    • RebekahSue says:

      Except for the avira, of which I’d never heard but which I’ll investigate, that’s my weekly formula and I second its use. If my opinion matters, it’s here

    • microcars says:

      This is very useful information if you are running Windows.
      Knowing HOW they got your password is actually pretty important because IF there is a keystroke logger installed on your computer, they are going to get your NEW password too!

      / this info does not apply if you are using a Mac
      // not aware of any remote keystroke loggers in the wild for a Mac

  26. BStu78 says:

    This happened to me recently. No clue how I got hit, but went in and changed all my passwords. Thankfully Google shut down my account after one message went out so there was no real damage. Even the one message wasn’t delivered.

    Except I forgot about Store log-ins and then got dinged at the iTunes store a month later. Thankfully they refunded the charges but it reminded me to update my password anywhere I used my email as a log-in.

  27. benbell says:

    Happened to me a while back.

    I now use a completely unique 10+ char. password with numbers, uppercase, lowercase and a symbol.

    When you think about it, your email is the key to the castle. It should be your most unique and secure password. Most people can gain access to any/all of your other accounts with access to your email.

  28. Razor512 says:

    for random junk sites such as forums or other sites in which security may not be the best, you can use all the same or 1 or 2 different passwords, (no one is really after those accounts anyway)

    For accounts like gmail, paypal and others in this range, make sure each account has a unique password that is at least a mixture of numbers and letters that do not spell out any words but you can remember, also try to keep it above 10 characters long.

  29. VicMatson says:

    Mine got hacked last night, but Google provided me a Captcha to get back in. The whole thing is getting scary because if you have an Android phone you are hosed!

    On the bright side Microsoft just upgraded their security essentials. That must be new because I haven’t seen anyone reporting it yet.

    • Fafaflunkie Plays His World's Smallest Violin For You says:

      Funny how you mention that: I got a popup as I was going through this thread that MSE has an update, and sure enough, it updated. Now Windows update is bugging me. Oh yeah, it’s Patch Tuesday! Isn’t that special! 14 updates and now it wants a reboot. Grrrr…

  30. Bitingback says:

    Hey Lisa,

    I can’t recommend enough that you get some type of password program that stores and GENERATES strong passwords! I use 1Password which is a great program (not free), but have also heard wonderful things about LastPass which is free. There is really no reason to not use programs like these. When you switch to one of these, it is a great time to update all your passwords on other sites with stronger ones so this doesn’t happen to you again.

    Definitely go through your Gmail account and delete through old mail. That means going to the “All Mail” view and emptying your trash can.

  31. psm321 says:

    Make sure you let the people the fake e-mails were sent to know that you’re actually ok :)

  32. jayde_drag0n says:

    change your password to something actually strong? Use letters, numbers, symbols, and capitalization to assure your privacy

    feel free to use a word that you know.. but don’t choose something easy to guess or short
    example the word password can become P@55w0rd

  33. nacoran says:

    Change ALL your passwords. I had an issue with a Hotmail account. The thing is, since I had it linked to a gmail account for password recovery that meant they could look in my settings and find my other email account name, which had the same password. Every account needs its own password. Run your virus checker too. Also look through your email to see if you have emails in there with other important sensitive information, like bank account numbers or whatever.

  34. Master Update Exception says:

    Check your filters to ensure there hasn’t been anything set-up to auto-forward to another e-mail address.
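    The forwarding and filter checks raised in comments 11, 17 and 34, as an added example that is not from the thread: a Python audit of the Atom XML that Gmail’s filter export (Settings > Filters > Export) produces, flagging rules that forward mail elsewhere or quietly hide password-reset messages (the scenario notovny describes in comment 14). The element and property names follow Gmail’s export format; the sample feed below is constructed.

```python
"""Audit an exported Gmail filter list for rules an intruder commonly plants.

Added example, not from the Consumerist thread. Gmail exports filters as an
Atom <feed> with one <entry> per filter; each criterion and action is an
<apps:property name='...' value='...'/> element. The feed below is constructed.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words that commonly appear in account-recovery mail; a filter that trashes
# or archives messages matching them is the hiding pattern the thread warns about.
RECOVERY_WORDS = ("password", "reset", "verification", "security alert")

# Constructed sample export: one benign newsletter rule, one rule that trashes
# password-reset mail, one rule that forwards everything to an outside address.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry><category term='filter'/><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry><category term='filter'/><title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry><category term='filter'/><title>Mail Filter</title>
    <apps:property name='forwardTo' value='drop-box@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""


def parse_filters(xml_text):
    """Return one dict (property name -> value) per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filter(props):
    """Return a list of findings for one filter; empty means it looks benign."""
    findings = []
    if props.get("forwardTo"):
        findings.append("forwards to %s" % props["forwardTo"])
    # Concatenate the matching criteria so a keyword can be found in any of them.
    criteria = " ".join(
        props.get(k, "") for k in ("from", "to", "subject", "hasTheWord")
    ).strip().lower()
    hides = props.get("shouldTrash") == "true" or props.get("shouldArchive") == "true"
    if hides and any(word in criteria for word in RECOVERY_WORDS):
        findings.append("hides recovery mail (criteria: %r)" % criteria)
    if props.get("shouldTrash") == "true" and not criteria:
        findings.append("trashes mail with no criteria at all")
    return findings


def audit(xml_text):
    """Return [(filter index, findings), ...] for every suspicious filter."""
    report = []
    for index, props in enumerate(parse_filters(xml_text)):
        findings = audit_filter(props)
        if findings:
            report.append((index, findings))
    return report


if __name__ == "__main__":
    for index, findings in audit(SAMPLE_EXPORT):
        print("filter #%d: %s" % (index, "; ".join(findings)))
```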

  35. pot_roast says:

    I just gave up on gmail. I’ve known even security conscious folks to have their gmail accounts taken over. Gmail is very popular with scammers/spammers because people seem to place a higher level of trust (well, they used to..) in Google/Gmail and also because Google obfuscates header information so it is next to impossible for the end user to take a quick look at where the email came from. At least Yahoo leaves an Origin-IP header in so savvy users can glance at it if the email seems strange.

  36. Foxmom says:

    Gmail’s been hacked a lot in the last year. It happened to me, then a few months ago, my friend and then yesterday to my dh. The hackers themselves are working overtime to get in. Fortunately it hasn’t happened to me again. The steps in that link from notovny should do the trick.