My girlfriend’s Gmail account was hacked

I’ve written in the past that my Hotmail account has been hacked twice.  I think it was either due to an insecure wireless network or because of a WordPress vulnerability.  In either case, I was able to track the spammer (or at least the accessing IP) to a guy in Thailand.

Today, my girlfriend asked me a question – why do I have so much spam in my inbox?  My initial thoughts was that it was due to the Epsilon breach – she subscribed to some mailing lists managed by them and the spammer started spewing out piles of spam and hers was among the targets.  Yet, I didn’t really think this was the case as she doesn’t subscribe to very many services.

I went and took a look at her computer and Gmail account, and in five seconds I was able to diagnose what had happened – she had been hacked.  Most of the messages in her inbox were bounce messages with spammy subject lines, and clicking on the message showed that spam was attached and then sent back to her.  I recognized this as the same case of when a spammer hacked my account, sent spam and then some of it bounced back to me.  That’s one thing backscatter is good for, determining when you have your account compromised (and assuming that your antispam service has a good backscatter mitigation technique in place to differentiate between the fake bounces and the real ones).

One thing about Gmail that irks me is that when you look at the raw message headers, it doesn’t tell you what the web IP of the client logging into the account is if you log into Gmail directly.  Hotmail puts the client’s web IP into the X-Originating-IP header, and Yahoo Mail puts it into a Received header.  If you access Gmail by POP (i.e., without logging in), they will add your connecting IP, but not if you login directly.  Thus, when I checked my mail account and saw spam from my girlfriend (I’m in her address list), I could look at the raw source but all I saw was a bunch of IPs in the range.  Yeah, that’s useful.  It tells me that someone probably logged into her account and sent spam, but I’m not sure of all the scenarios where Gmail doesn’t expose this IP.  One thing I do know is that this is one of them.

But, Gmail makes up for this deficiency with a handy little feature where they tell you when the last 10 times you logged into your account was, and from what IP address.  I navigated to that documentation in Gmail and saw three different IP addresses.  Checking DNS Stuff, I saw that my g/f logged in from work, from home and another time from Illinois.

Seeing as how we are in Seattle and this login was from Illinois, I surmised pretty quickly that the spammer was located there, or at the very least, a spammer using a hacked machine in Illinois used it to login to Gmail.  I then saw that the time stamp of the login attempt was the same as the time stamp when I received the message.  My g/f deleted all of the spam messages in her Inbox and Sent folders, but I recalled (using my super memory) that the messages were all sent at about the same time as the login which suggests some sort of automated script to send the spam messages.  The spammer had only accessed the account for less than an hour before we noticed.

I advised her to change her password and she did so.  I suggested that if she uses that username and password combination elsewhere on the web, to change those, too.  Borrowing a page from my playbook she expressed some rage for this spammer who would dare to do such a thing.  Seriously, what a jerk.

I did a quick malware scan on her computer and it came up negative.  I don’t know where she could have been compromised; it’s possible that the workstation at her work has some malware on it.  It doesn’t matter, though.  She’s now more cyber aware than she otherwise would have been without this incident.

This is why I’m still in the business.  It’s my goal in life to put myself out of a job by ensuring that spammers cannot make money doing what they are doing.

Comments (5)

  1. Sarah Price says:

    Hi Terry, I'm a member of the Gmail team. I'm very sorry to hear about your girlfriend's experience. Good detective work using the last account activity feature!

    Something you said stuck out to me: "I suggested that if she uses that username and password combination elsewhere on the web, to change those, too."

    I would go a step further and recommend that your girlfriend use a unique password for Gmail and not repeat it for any other websites. Using the same password across websites is a very common method of compromise. Let's say you need to create an account for a website or forum — you are asked for an email address, and you are asked to create a password. Not all websites have robust security practices. If the website gets hacked, the intruder has access to a database of email addresses and passwords. All they have to do is try the combinations.

    Even if you always keep your computer malware-free and never fall for a phishing attempt, your account is at risk if you use your Gmail password on other websites. Always keep a unique password on any website where a hacker could do serious damage (email, bank, etc).



  2. Terry Zink says:

    Thanks, Sarah.

  3. Tina says:

    Same thing happened to me last night.  I received a spam email to my work account from "my" gmail account and immediately became concerned.  Just as I suspected, I had a bunch of return emails and bunch of sent messages in my sent box.  Looks like it was sent to everyone on my contacts list.  Now I feel that I need to delete my contacts from google.  This contains work contacts as well.. grrrrr

  4. Craig says:

    A few people I know have recently had Gmail accounts hacked. I wonder how widespread this has been.

    I wonder if one of the attack vectors is to scan for publically visible personal information on Facebook and use that data as password attempts for a Gmail account. Say John Smith's name and home town are publically visible on Facebook. How many hacked accounts do you think you would get if you could automate logon attempts to <firstname><lastname>, password=<hometown>?

  5. Jonathan Byrne says:


    It's pretty widespread, at least for sending 419. They are behind most of the credential phishing, and once they phish an account, they use it send 419 and also more credential phish, to increase their account portfolio.  They like to compromise freemail accounts for largely the same reasons they like to compromise university accounts: good reputation on the outbound mail hosts, and as a bonus they can target your address book.

    @Terry – can you share any other info about how her account was compromised and what kind of spam was sent through it? Even though I'm hanging up my anti-spam weapons and going to the web security side of the house, account pwnage is still one of my areas of keen interest.

Skip to main content