Hello,

You may look forward to having me as a Google Accounts user again, but I'm pretty sure that the feeling is not mutual on my end. Google -- you stiffed me for a whole week, didn't return my calls, you were seeing someone else, and now you want me back. If I didn't know better, I'd think I was in a severely dysfunctional relationship. Don't even get me started about my dysfunctional relationships on Facebook over the past week as a result of this whole fiasco.
Thank you for your report. We've completed our investigation and we're
re-enabling your access to this account. We've changed the recovery email
address to.
To recover access to your account, please follow these steps:
1. Visit https://www.google.com/accounts/ForgotPasswd
2. Enter your username.
3. Enter the word verification.
4. If you're asked a temporary security question, ignore it. Instead,
click 'Change your password by sending an email to your recovery address'
to reset your password.
Once you've completed these steps, Google will send you an email with a
link to reset your password. For tips on how to create a secure password,
please see
http://www.google.com/support/accounts/bin/answer.py?answer=32040
We look forward to having you as a Google Accounts user again.
Thanks,
The Google Team
Oh, and how did I end up winning with this whole automated Google account recovery form? I had to game the system. You see, Scumbag was really using a Yahoo account to e-mail everyone after the initial e-mail went out from my Gmail account. It was similar enough of an address that most people wouldn't notice the subtle change. So, when I filled out the form, I entered his Yahoo address when it asked what my secondary e-mail address was for my account. I'm pretty sure that had I not used his address, I'd still be fighting Google for my account.
So, I reset my password, got logged into my Gmail account and assessed the damage:
- I checked my settings and (as I had already known/suspected) found that all incoming e-mail was being forwarded to Scumbag's Yahoo account and set to be deleted in Gmail. I turned that off.
- I disabled POP and IMAP access (used to access Gmail from a mail client typically) to my account for now.
- I reset my security question to something I can answer, since I figured out the hard way that Scumbag changed it.
- I checked to make sure that no unusual filters were set up (none were).
- I then discovered that all my contacts had been deleted -- I was fine with that; had it not been done, I would probably have done it myself!
- Looking at my Sent Items, I saw three e-mails were sent out by Scumbag. Each of them was to a bunch of my contacts with the now infamous "My predicament!!!" e-mail.
- Checking out my Deleted Items, I found a few replies from friends, but some of the initial replies that I knew occurred were completely deleted, so I'm not completely sure who all actually replied back.
- I found an e-mail from Facebook letting me know that my account had been disabled due to suspicious activity. If I wanted to reactivate my account, I had to respond to a question that they asked about me. I did so earlier today and I now have my old Facebook account back. Way to go Facebook! Maybe you could teach Google some lessons about how to handle a hacked account?
- I finally checked out the detailed activity on my Gmail account and confirmed what I suspected: Scumbag was nowhere near London, he was in Nigeria, phishing capital of the world!
- Be wary of what computer you log into any of your accounts from. Despite using a pretty good password (I do work in IT after all!) with a combination of letters, numbers, and symbols, my account was still hacked. I suspect that my account username and password were obtained when I logged into Gmail on someone else's computer. If that computer wasn't properly secured and had malicious software on it, that malware may have logged my account information and sent it over to the Scumbag in Nigeria.
- Google's motto is "Don't be evil" but that doesn't mean that Google is good, or as I found out, very helpful. If you have any kind of problem with any of your accounts on Google, don't expect much, if any, help.
- Don't put anything anywhere on Google that you cannot afford to lose! This goes along with the standard IT mantra: keep a backup of everything and then make another backup of it. There's also the corollary: make sure that whatever system you use for backups really works. In other words, you can never have too many backups.
- Don't put anything anywhere on Google that is confidential! Scumbag had full, unfettered, Google-could-care-less-what-he-did access to my account for a full week and I couldn't do a blessed thing about it. Take a minute and reread this point. Now ask yourself: do you have anything anywhere on Google that you would not want a total stranger (aka Scumbag) to have complete access to for a week? If you answered "yes," you might want to take care of that...right now!
- Android phones...I'm looking at you. If you've got one of them, you'll know that you have to have a Google account in order to use it. Well, if that account gets hacked, you're pretty much locked out of a variety of things on your phone. Want to use a different account? Sorry, you'll need to wipe your phone and start from scratch. I'll spare you the other dozen reasons why I don't really like my Droid very much.
- Don't get too reliant on Google Voice. While I was locked out of my Google account, calls to my Google Voice telephone number still rang through to my phones, but if someone left me a message, there was no way I could retrieve it. Lucky for me, Scumbag didn't touch anything with my Google Voice account, but he could have had a field day with it. Fortunately, I haven't given that number out to too many people. Imagine if you relied on your Google Voice number on a daily basis and then lost access for a week. I'm not sure if I will use it much, if at all, now.
- Remember that when the clouds roll in, it's no longer a sunny day. Apparently, that holds true in the virtual world as well. I've never felt comfortable with just throwing my critical data out in "the cloud." The way some people talk about it, cloud computing is some sort of magical, mystical experience. No, it's just a black box and you really don't know what's going on inside. The tech world is abuzz with how great it is to just put
out in the cloud and you can forget about it. It will just be "there" wherever "there" actually is. Well, now more than ever, I'm pretty doggone dubious about this whole cloud business. In the cloud, I'm expecting someone else to keep my data accessible (to me), secure (away from Scumbags), and always "there" (doesn't ever go away, doesn't ever blow up). No thanks - I like my data where I can see it and control it.
- Google Apps/Docs is a full fledged card-carrying member of the cloud. It offers some pretty cool stuff, but all of that is worthless if I can't log into it.
- The old saying still holds true: "Don't put all your eggs in one basket." If you use Google for just about everything you do online, you would be in a huge world of hurt if you lost access for a week. For me, it was more of a nuisance.
- Having phone support for everything you use, no matter how awful, and no matter how hard it is for you to understand the support person, is a wonderful thing. Automation is a wonderful thing, but it is not the answer to everything.
I welcome your comments and please share my experiences with your friends, so that others can learn from my misfortune.
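The settings checks from the damage assessment above (forwarding, POP/IMAP, filters) can be run as one pass over an exported settings snapshot. This is an added example, not part of the original post: the field names follow the Gmail API settings resources, while the snapshot layout, the function name and all sample addresses are constructed for illustration.

```python
# Added example: offline triage of a mailbox-settings snapshot.
# Field names follow the Gmail API settings resources; the snapshot
# layout and all sample values are constructed for illustration.

def audit_mail_settings(snapshot, trusted):
    """Return (check, detail) findings for settings an intruder may have left."""
    trusted = {a.lower() for a in trusted}
    findings = []

    fwd = snapshot.get("autoForwarding", {})
    if fwd.get("enabled"):
        addr = fwd.get("emailAddress", "")
        if addr.lower() not in trusted:
            findings.append(("auto-forwarding", f"forwards to {addr}"))
        if fwd.get("disposition") == "trash":
            findings.append(("auto-forwarding", "Gmail copy is trashed after forwarding"))

    if snapshot.get("pop", {}).get("accessWindow", "disabled") != "disabled":
        findings.append(("pop", "POP access is enabled"))
    if snapshot.get("imap", {}).get("enabled"):
        findings.append(("imap", "IMAP access is enabled"))

    for f in snapshot.get("filters", []):
        action = f.get("action", {})
        target = action.get("forward")
        if target and target.lower() not in trusted:
            findings.append(("filter", f"{f.get('id')} forwards to {target}"))
        if "TRASH" in action.get("addLabelIds", []):
            findings.append(("filter", f"{f.get('id')} deletes matching mail"))
        elif "INBOX" in action.get("removeLabelIds", []):
            findings.append(("filter", f"{f.get('id')} hides mail from the inbox"))
    return findings

# Constructed snapshot mirroring the state described in the post:
# forward everything and delete the Gmail copy, POP/IMAP on, no filters.
SAMPLE = {
    "autoForwarding": {"enabled": True,
                       "emailAddress": "lookalike@example.net",
                       "disposition": "trash"},
    "pop": {"accessWindow": "allMail"},
    "imap": {"enabled": True},
    "filters": [],
}

if __name__ == "__main__":
    for check, detail in audit_mail_settings(SAMPLE, trusted={"me@example.com"}):
        print(f"[{check}] {detail}")
```
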
Sorry to hear you had a tough time, and glad things are on the mend again. I'm interested to know what you think would have been the right way for Google to have handled this?
It seems to me that what happened to you could happen to anyone on any web-based email platform, so it's really about how Google reacted.
If you were Google's account management team, what would you do differently? You mentioned that Facebook's approach was good - what else could have been done?
Incidentally, you don't mention whether you're a 'premium' account holder, or a normal, free, unprivileged account - that makes a difference to the way Google respond.
I'm not sure what the "right" way would have been. However, the questions that were asked for account recovery were not easily known or remembered by the actual account holder, resulting in a high likelihood of failure. I'd like to know how many people actually remember what date they signed up for any of Google's services. I sure don't remember. Perhaps just having better questions would improve the account recovery process.
I have just a free account, so I realize that it's not practical to have someone readily available to support my account. The fact that someone could hack my account and continue to have access to it for a week without any recourse on my part is a bit disturbing, especially since all of the Google services I use are tied to that account.
It does seem, as of late, that Google is more aware of the particular scam, and has at least been disabling compromised accounts.