I was away from home for a week and returned back yesterday evening. As I had a weeks emails pending, the first thing I did after reaching home was to access gmail. To my horror, google was telling me that I am providing a wrong password. Then, I tried to log in to my blog. I found out that my blog has been defaced. I was getting the following screens, Some Arabic bymn was played in the background.
This page will give you some more information on how a hacked page look like. I contacted my web hosting provider and got the password for the site reset and the site was back with in my control.
However gmail id was my lifeline and I had to recover it at any cost. I tried to recover my password from the gmail login page as below.
The next page had these options.
I selected my account has been compromised which gave me the following link.
The account recovery page is here. Have a look at it. Your scucess in retrieving the account lies in accurate answers in this page. I filled out the following sections.
Fortunately, I remembered who invited me to gmail.( I had a gmail account at a time when gmail invites were sold on ebay). Also, I use filters and labels heavily for handling mail. There was some fuzziness with dates , still I could approximate it. I have a couple of blogs linked to the account and an orkut profile. I knew only the url of my blog on blogspot. I was very skeptical whether I will get it back. I submitted and waited any response form google. About an hour later I recievd the following mail from google.
I reset the password and retrived my account. The attaker had tried to capture some of my other on line assets from the gmail id. Some of the automated responses had his IP address logged( or it might be a proxy). I traced the attacking IP to Saudi Arabia.
Why I lost my account ?
There may be several reasons. Here are some of my assumptions .
a) I had a weak password. ( 6 letters and that too based on a dictionary word)
b) I had enabled POP3 access for my gmail account, even though I was not using it. There are plenty of scripts like this available on the Internet for brute force attack on gmail accounts via POP3.
c) I had used my account from a friends place last week on a windows XP machine. May be that machine has a key logger installed and the attacker might have obtained the password via IRC from there. I cheeked my home machines for any possible root kits, but I could not find any. My windows machines do not have internet access.
d) Some one might have stolen the password from one of the machines that I use at college. ( As we are having vacation now , I can safely rule out this possibility)
What information one must keep about google accounts.
1) If some one invited to a gmail account , keep the email. It can save you a lot of trouble. It will give you some idea about the date of creation of your account.
2) If you use labeling and filters , remember the labels. You can give easy to remember names and context relevant labels to your mail.
3) Even if you are not blogging , create a blog on blogspot . The URL of the blog can be an important information.
4) Email addresses are not by hearted as phone numbers. So export the your gmail contact list to a file and keep it. The account recovery page asks for up to five frequently contacted email ids. ( Click on contacts on the left side of any gmail page and select export to save the contacts.)
5) Set up a secondary email id and give it a different password. ( You can use Settings->Accounts->google account settings-change security question for this.)
6) Set up a security question. It can save you a lot of trouble.
7) If you use orkut, keep the URL of your orkut profile.
You can obtain it from your orkut home page as shown in the figure below.
9) Disable POP3 and IMAP if you are not using them.
10 Use a Strong password. This is the most important step. In the change password page, make sure that your password is strong as shown in the picture below.