How to stop your Gmail account being hacked

Filed Under: Data loss, Google, Malware, Mobile, Privacy

As has been widely reported, high profile users of Gmail - including US government officials, reporters and political activists - have had their email accounts hacked.

This wasn't a sophisticated attack against Google's systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.

Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail's login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.

So, what steps should you take to reduce the chances of your Gmail account being hacked?

  1. Set up two step verification
  2. Check if your Gmail messages are being forwarded without your permission
  3. Where is your Gmail account being accessed from?
  4. Choose a unique, hard-to-crack password
  5. Secure your computer
  6. Why are you using Gmail anyway?

1. Set up two step verification

The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.

Google provides a facility called "two step verification" to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account - as they will be sending you a magic "verification" number via SMS.

The advantage of this approach - which is similar to that done by many online banks - is that even if cybercriminals manage to steal your username and password, they won't know what your magic number is because they don't have your phone.

Google has made two step verification easy to set up.

Setting up 2 step verification

Once you're set up, the next time you try to log into Gmail you'll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.

Mobile phone receives verification number

Let's just hope the bad guys don't have access to your mobile phone too...

Here's a video from Google where they explain two step verification in greater detail:

You can also learn more about two step verification on Google's website.

By the way, note that two step verification doesn't mean that your Gmail can't ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it's certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.

2. Check if your Gmail messages are being forwarded without your permission

Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.

Go into your Gmail account settings, and select the "Forwarding and POP/IMAP" tab.

If your emails are being forwarded to another address, then you will see something like the following:

Gmail forwarding

That's fine if you authorised for your emails to be forwarded to that email address, but a bad thing if you didn't.

If your messages are not being forwarded you will see a screen more like this:

Gmail forwarding

Hackers want to break into your account not just to see what email you've received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That's why it's so important to check that no-one has sneakily asked for all of your email to be forwarded to them.

In a similar vein, you had best ensure that no-one has unexpectedly been authorised to read and send email from your account.

Gmail delegation

Check that no-one unexpected is listed under the "Grant access to your account" option (found under "Accounts and Import" in Gmail's settings).

Even if you have granted permission for someone else to access your Gmail account, your security is now only as strong as that person's account security.

3. Where is your Gmail account being accessed from?

At the bottom of each webpage on Gmail, you'll see some small print which describes your last account activity. This is there to help you spot whether someone has been accessing your account at unusual times of day (for instance, when you haven't been using your computer) or from a different location.

Last account activity

Clicking on the "Details" option will take you to a webpage describing the type of access and the IP address of the computer which logged into your email account. Although some of this data may appear nerdy, it can be a helpful heads-up - especially if you spot that a computer from another country has been accessing your email.

IP addresses of computers accessing Gmail account
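The "Details" page only shows you a list; it is up to you to decide which entries look wrong. Below is an added example (not code from the original article, nor anything Google provides) that does that triage over a constructed sample of the same kind of records: access type, IP address and timestamp. It assumes a hypothetical set of "known good" networks (the addresses you normally connect from) and a range of hours during which you are usually at a keyboard, and flags every record that falls outside either. The IP ranges are documentation addresses and the records are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of what the "Last account activity" details page lists:
# (access type, IP address, timestamp). These records are made up for the example.
SAMPLE_ACTIVITY = [
    ("Browser", "192.0.2.10", "2011-06-02T08:15:00"),
    ("Mobile", "192.0.2.11", "2011-06-02T12:40:00"),
    ("IMAP", "198.51.100.77", "2011-06-02T03:05:00"),
    ("Browser", "203.0.113.5", "2011-06-02T09:30:00"),
]

# Hypothetical "known good" networks: the home/office ranges you normally use.
KNOWN_NETWORKS = [ip_network("192.0.2.0/24")]

# Local hours (24h clock) during which you would normally be using your account.
USUAL_HOURS = range(7, 23)


@dataclass
class Finding:
    access_type: str
    ip: str
    when: str
    reasons: list


def review_activity(records, known_networks=KNOWN_NETWORKS, usual_hours=USUAL_HOURS):
    """Return a Finding for every record that comes from an unknown network or
    falls outside the usual hours. A record matching both is reported once with
    both reasons, in that order."""
    findings = []
    for access_type, ip, when in records:
        reasons = []
        addr = ip_address(ip)
        if not any(addr in net for net in known_networks):
            reasons.append("unknown network")
        hour = datetime.fromisoformat(when).hour
        if hour not in usual_hours:
            reasons.append("unusual hour")
        if reasons:
            findings.append(Finding(access_type, ip, when, reasons))
    return findings


if __name__ == "__main__":
    for f in review_activity(SAMPLE_ACTIVITY):
        print(f"{f.when} {f.access_type:8} {f.ip:16} -> {', '.join(f.reasons)}")
```

Run as-is, it reports the 03:05 IMAP session from an unknown address (two reasons) and the daytime browser session from a second unknown address (one reason), and stays silent about the two sessions from the known range. A real version would replace the fixed network list with a lookup against the countries you actually travel to, which is exactly the "computer from another country" check the article describes.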

4. Choose a unique, hard-to-crack password

As we've explained before, you should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if they grab your password in one place they can try it in many other places.

Also, you should ensure that your password is not a dictionary word, and is complex enough that it's hard to break with a dictionary attack.

Here's a video which explains how to choose a strong password, which is easy to remember but still hard to crack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don't delay, be sensible and make your passwords more secure today

And once you've chosen a safer password - keep it safe! That means, don't share it with anyone else and be very careful that you're typing it into the real Gmail login screen, not a phishing site.
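Two of the checks above (not a dictionary word, complex enough to resist a dictionary attack) can be tested before you commit to a password. The following is an added example, not code from the original article or from Sophos, of a small checker that does this. It assumes a constructed miniature wordlist standing in for the dictionaries a cracking tool would try first, undoes the common letter-for-symbol substitutions (so "P@ssw0rd123" is still recognised as "password"), and estimates strength from length and the character classes actually used. The 60-bit threshold is an assumption for the example.

```python
import math
import re

# Constructed miniature wordlist standing in for the dictionaries a
# password-cracking tool tries first. A real check would use a far larger list.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "sunshine", "gmail"}

# Substitutions people commonly make to "disguise" a dictionary word. Cracking
# tools apply the same rules, so a word with these swapped is still a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password):
    """Strip trailing digits/punctuation, undo leet substitutions and lowercase,
    so 'P@ssw0rd123!' becomes 'password'."""
    base = re.sub(r"[\d\W_]+$", "", password)
    return base.translate(LEET_MAP).lower()


def is_dictionary_based(password, words=COMMON_WORDS):
    """True if the password is a (possibly disguised) entry from the wordlist."""
    return normalise(password) in words


def estimated_bits(password):
    """Rough strength estimate: length * log2(size of the character set used).
    The set is the union of the classes that actually appear in the password."""
    classes = [
        (r"[a-z]", 26),
        (r"[A-Z]", 26),
        (r"[0-9]", 10),
        (r"[^a-zA-Z0-9]", 33),  # printable ASCII punctuation
    ]
    size = sum(n for pattern, n in classes if re.search(pattern, password))
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, min_bits=60):
    """Return a list of problems found; an empty list means the password passed."""
    problems = []
    if is_dictionary_based(password):
        problems.append("based on a dictionary word")
    if estimated_bits(password) < min_bits:
        problems.append("too short/simple for its character set")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "gmail1", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Note that "P@ssw0rd123!" scores well on the length/character-set estimate and still fails, because the estimate only tells you how hard a blind brute-force search is; a cracking tool never starts with brute force, it starts with the dictionary and its mutations. That is why the two checks are separate.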

5. Secure your computer

It should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don't, you're risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.

You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That's one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don't know what state the computer is in, and who might have been using it before.

6. Why are you using Gmail anyway?

Okay, I don't really mean that. But I do mean, why are you storing sensitive information in your Gmail account?

The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn't have that in their webmail account? Shouldn't that be on secure government and military systems instead?

Always think about the data you might be putting in your web email account - because if it's only protected by a username and password, it may actually have less protection than your regular work email system provides.


41 Responses to How to stop your Gmail account being hacked

  1. Noah · 1183 days ago

    A great list!

    • Guestin · 129 days ago

      My Gmail account(s) were for personal things or stupid stuff, not anything important. Then I kept creating new gmail accounts, the first only to capture a recovery through that one or a Yahoo account. The yoohoo account password was stolen too, and that also was personal. After 7 hours u just have to give up trying. Cross recovery of id verification for access to personal emails is just a bust and waste of time, if passwords were taken, so folks don't waste your time. FYI

  2. A very well written article. I am glad that you mentioned a very important but often neglected point that is number 3. "Where is your Gmail account being accessed from?". Almost every email service provider provides this information every time you log on to your email account but users often don't pay attention to it. In my opinion if you properly keep track of this then it makes compromise detection a very easy step.

  3. Trevor · 1183 days ago

    Am I supposed to go out and buy a cell phone just so I can access Gmail?

    • Lynn · 1183 days ago

      No, you can receive it by a voice call as well. If you look at the picture at that step it does mention SMS or voice call.

    • Johann · 1183 days ago

      In the screenshot for step one, it shows that you can set up a mobile or landline number.

      • Mmail · 1090 days ago

        My 2 step is set up but now I receive constant phone calls every ten minutes as someone is trying to access my account. It's driving me nuts.

        • Hopefully it isn't the "constant phone calls" part. Change your password to something more secure (I suggest using Lastpass/Keepass to create and store the password).

  4. another name · 1183 days ago

    Re 6 - you might not mean it but it was my first response when I heard the non-news item. If they're witless enough to put sensitive information in a google email account and then fall for phishing email then they probably shouldn't be in office, and certainly shouldn't be in office and allowed to use anything more complicated than a calculator.

  5. KateKatV · 1183 days ago

    Great, thank you. Re #6 - yes, exactly what I thought when I first read about this. Surely anyone who has sensitive information would also have an account with their employer or client? And any organisation which does not require employees or contractors to handle sensitive information only through its own system, and doesn't employ a red-hot IT team to help protect the integrity of that system, needs its corporate head examined. I'm a uni lecturer, and it's university policy that students only use their uni email accounts for official communications, and we return any students' emails that aren't and tell them to resend. This isn't technology, this is having procedures and following them. If first-year undergrads can do it ...

    • IT professional · 1084 days ago

      Anyone describing themselves as "a 'uni' lecturer" shouldn't be employed by a university. At least, not any proper university.

      Most universities don't employ "red-hot IT teams". They don't pay enough and are too "head-in-the-clouds" to be bothered. "Red-hot" (presumably this is intended to mean competent, in university terms) IT people work in the private sector where the expertise, expectation, salary and potential for substantial technical challenges are much higher.

      (N.B. I'm not referring to academics who specialise in security, but to the usual, run-of-the-mill IT departments, in university-like organisations, who do not work in the same realm as people who really understand security).

      Given the above, there are plenty of reasons to use systems provided by commercial organisations with *real* IT expertise in preference to the in-house set-ups, which wouldn't even metaphorically register at the low end of the metaphorical radar that large, commercial enterprises inhabit.

      • Anti-academic rant · 598 days ago

        'Uni' is a long standing and accepted term in much of the native English speaking world, including in the place where the English language developed.

        You need to take an anti-pomposity pill and then another that clears the head enough to realise there is a big wide world out there that doesn't always agree with you.

  6. Ian · 1183 days ago

    Do I trust Google with my mobile phone number? Hmmm....

  7. John · 1183 days ago

    Great article, Graham! Very helpful. I also shared it with my friends on Facebook and Twitter.

    I have now implemented 2-step verification, which I didn't even know existed. My forwarding was not fiddled with. My password is pretty decent. I saw no suspicious access activity on my account. I run Ubuntu Linux, which helps with the malware issue. Happy camper :-) Thanks for writing this!

    • A Reader · 1084 days ago

      Running Linux +5.

      Giving Google more personal information to use for its own ends -20.

  8. Trevor · 1182 days ago

    We use GMail for Business. It's a great solution for a non-profit where paid staff are often roaming the world and using different machines to access mail and schedules.

    So there's sometimes very good reason to use GMail or similar.

    Which leads me to say great post. I shall be forwarding it on to colleagues...and making my next step, 'Configure this Domain' to switch on 2-step for all accounts!

    Trevor

  9. MAC POWERPC · 1182 days ago

    Thanks for sharing! It's very important information.

  10. Deborah · 1182 days ago

    Is this only a Gmail problem?? I am not giving my cell phone number to anyone outside my family except one or two very close friends. Cell numbers are constantly misused and sold to third parties. I don't trust ANYBODY! If this is a problem on Gmail only I think it's time to get another e-mail address, especially because I constantly get error messages lately and Gmail is very slow lately.

  11. JH Acctemail · 1181 days ago

    Would have been more helpful if you had EXPLICITLY described how to get to account settings!!! Who could believe that account settings is behind a gear!!!!!!!!!!!!!!!
    You tech guys assume TOO MUCH knowledge.
    Most computer pages and instructions are NIGHTMARES!!!!!!!!!!

  12. Chkm8 · 1162 days ago

    Y Mail and G mail are great tools for travelers and they would be really difficult to replace. I have been on Y for 13 years and G since it started. Between the two you are secure if you use caution, and adding the cell really adds security if you use it. I keep years of mail so I have it where I am.

  13. Neha · 1142 days ago

    My email is constantly being logged on from America (I am in Australia)

    Who should I contact to stop this from happening?

    I keep changing my password but every few weeks it keeps happening.

    Thanks for your help,

    Neha

  14. Janet · 1142 days ago

    Thank you very much for this article. I found it educational and helpful. Now I don't think I have been hacked I think someone maybe just used my e-mail address when signing up for a site.

  15. Binh Quang · 1120 days ago

    My Gmail got hacked and they deleted about 2 months worth of mail. How do I notify Gmail so they can give me a backup copy? Thanks

  16. Santosh · 1118 days ago

    Yes, I accept it. Thanks for good suggestions. It will help us in username and password security.

  17. john · 1117 days ago

    Was in China. Never knew such a corrupted place. Computers and e-mail are all hacked. Passwords are all stolen. Property stolen. You are in more trouble if you go to police to complain. Now back in US, but do not know how to clean all the damage they have created - I am changing passwords, running Norton for spyware. What else can I do?

  18. Jimmy · 1030 days ago

    OK I now have two-step verification set up. Now when I try to access my gmail account I get a message that the server refuses to allow me to access my mail and gives me a popup with my login name and password already filled in. There is no place to enter the "Magic" number provided at the beginning of this fiasco! Now what?

  19. pam · 1013 days ago

    Changing passwords is a joke. Do you know how many free-download programs there are to decipher those ***** in your password?

    Isn't it time all the sites giving 'changing passwords' as a solution got their act together?

    I'm being cyber stalked as well as hacked, so my friend HJK will be along soon to read this.

  20. radhika · 960 days ago

    great information..thanks
    i want to know: while working on networking computers, somebody is accessing my gmail account. i work on linux. can u help me out to stop this kind of sharing of my gmail or any other account with somebody else while working on networking systems.

  21. @ graham · 926 days ago

    I just freaking keeeeeeep changing my passwords twice or thrice a week. But still my parents know what i am upto. i am not a dork. but yet, i do not know how my activities are getting leaked to ma mum. so yeah can you PULEEEEZ advice???

  22. steelwool · 903 days ago

    From facebook which I am NOT on - I am receiving vulgar msg's and pictures. Who can this be reported to? I want it stopped.

  23. Adam · 835 days ago

    Get a yubikey from yubico.com and secure your gmail with an OTP (One Time Password) similar to the feature used by your phone.

  24. nevgi · 801 days ago

    My two gmail accounts were hacked twice even with the stupid verification process. I quit gmail! It's not safe at all.

  25. Zot · 777 days ago

    Under #3, it says:

    "At the bottom of each webpage on Gmail, you'll see some small print which describes your last account activity."

    What does "each webpage on Gmail" mean? If I go to gmail.com I am redirected to mail.google.com, and I cannot find any page there with this info.
    Please explain.

    Best regards,
    Zot

  26. robert livesey · 622 days ago

    I use gmail only on android phone and there is no area to select to use password to logon. The gmail is always open and I have had delays of three days before I get the gmail. I know the account security has been compromised but I think there should be an avenue to keep the gmail locked and then logon when new mail is received.

  27. whydoubt · 582 days ago

    A version of the secret email is to create a (Gmail, or any other) with the longest randomly generated name permitted - i.e. ernwr24o4tgi94jnbrgn44m4aqaaz98n@gmail, with as strong a password as you feel is necessary; then, only use it for contacting your major banks, brokers etc. This is likely immune to spoofing, which guesses emails via other sources. It has no semblance to names, etc. that can be guessed, and if you don't link it to other addresses it should be solid. Still, the 2-step process would make it better anyway.

  28. Kala · 499 days ago

    Help me I'm only 13 and my gmail account was hacked by my best mate!! (he knows my username and password because he set it up for me) it happened like five minutes ago!!!! Tomoz at school I'm gonna confront him!!!!!! I really dunno what to do. The dodgy thing is he said to me that he can hack face book and itunes!!!!! HEEEEEEEEEEEEELLLLLLLLLLLLLLLLLLLLPPPPPPPPPPPPPPPPPPPPPP MMMMMMMMMMMMMMMMMMMMMMMMMEEEEEEEEEEEEEEEEEEEEEEEEEE!!!!!! PLZ

  29. LippyMe · 276 days ago

    My 2 teenagers use gmail and they've received notices that someone outside of the US is trying to log in to their account. They've changed their password each time, but there has to be a better solution. They don't have a work email account, so that's not an option. I've made sure their iphones and Macs are secure, but they use ipads all day at school and the security settings are the factory defaults. Since it started at the beginning of the school year, could the problem be with the school? Their email is connected to their NetClassroom account and they get lots of push notifications from IT and teachers to install apps. The school says the wi-fi access is limited to approved school sites, but the kids have figured a way around it. Suggestions anyone?

  30. Stan Dur · 192 days ago

    Solid article and entertaining chain. My gmail was recently hacked. I was astounded.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.