Saturday, January 22, 2022

Google Security Problem: 2022

I am heavily dependent in my personal life on the Google suite. All of my archives (notes, tax returns, email communications, everything!) are kept in Google Drive. On Thursday night of this week, around 10pm, I lost access to all of it.

My iPhone Gmail app was suddenly empty. Usually, I have thousands of emails; now there were zero. I couldn't open Google Drive on my phone. I couldn't reconnect to my Google account. The Google message simply was: "Your password was changed in the last hour."

Thirty-six hours later, I finally recovered control of my account. It was a terrible day and a half for me. I would wake up like I have following some of the terrible events in my life (deaths, divorces, getting fired) with that weird feeling, wondering if the bad news was real or just a bad dream. Here's what is weird and terrifying.

1. I was totally prepared and had taken almost all the precautions that could and should be taken. Nevertheless, somehow my account was taken from me by someone or something changing my Google password. I was locked out!

2. Nobody cared. Or seemed to care. Google has some nice pages on their website about account recovery and probably, behind the scenes, some superb techniques and maybe human review. But there is no visible case management, nobody seems interested in learning about my case. At the end, I wonder if Google cares about this personal disaster of mine. The fact that I pay Google a hundred or so dollars a year for extra storage space did not seem to make any difference. I'm not saying it should, I just mention it since a relevant question is: "Why should Google care about you, you are not a paying customer of theirs." But I am!

First, my preparation. When I go to the page on security at Google, it reports no suggested actions.


I have a back-up phone and email for identity verification. I have Google Authenticator on my phone (which was never used in the process). I have only given two apps direct access to my Google account. One is Dropbox, the other is one that I use to post to my blogs from my phone. Google didn't flag either as a security risk.

What happened? On Thursday night at dinner, I realized I couldn't see my mail. As I checked, I realized that I had a problem. By 11pm, I was back home, and I stopped working from my phone and went to my computer.

My computer has two-factor authentication just to open it. So it opens an app on my phone to verify my identity just to use it. I only use work computers these days, and this system is set up and maintained by corporate IT. Those are the only two devices that I have used in the last months (actually, there are two computers, both with two-factor authentication) to access my Google account in the last year.


The Google recovery process involved an easily findable page which asked me for my password, then reported it had been changed, then asked me for the most recent password that I remember.


It then kept asking me for a phone number to verify my identity. I would get the text, enter it, and it would say that Google needs to verify the account, which will take 48 hours. Forty-eight hours! In the modern world, that is a long time to not be operational! What if I was on a trip? Google would also have a note that if you were in a hurry and on a device and browser that you had logged in from recently, you could accelerate it by trying again. So I would try multiple times, since Google seems to suggest that repetition would help. After a few tries, I would find that it would lock me out, saying too many attempts. IMHO, Google should modify their wording there so that people try the optimal number of times. I would try too many times, urged on by the "if you are in a hurry" message, then wait six hours and repeat.

I had set up one recovery phone number and two recovery emails. One email, Google didn't list as an option and wouldn't seem to use when I entered it as a way to verify my identity, so it did not help. The other email was on file, but it was actually an email alias from a domain and email address that I own that was set up to forward to my Gmail account, so it was not easily used in this situation where I had lost access to the Gmail account. This was a mistake that I feel that I made. I should have had easier-to-use recovery emails.

After half a day, I figured out how to log in to the web email service associated with my domain and reset it so that it stopped forwarding emails to a Gmail account that I couldn't get into. It had been set to forward and delete. I turned that off, and now I could log in with webmail to use my account. I couldn't see the emails from the previous few days, which would have helped me to look for security problems. This is another step that I will take. The reason it took me a day to get into this is that the info on where my domain is hosted and how to log in to it is kept in my... Google Docs! So I couldn't get to the info that way. I had to look it up through another backup system of info that I maintain. I will revisit this too.
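The circular dependency described above (a recovery email that forwards into the locked-out account, and the domain-host login kept in Google Docs) can be checked mechanically before an incident. This is an added example, not the author's code; the factor names and the "any alternative, all of its requirements" model are my own constructed assumptions.

```python
from typing import Dict, List, Tuple

# A factor is usable if ANY listed alternative has ALL of its required factors usable.
# [[]] means usable on its own; [] means there is no way to obtain it.
Setup = Dict[str, List[List[str]]]

# Constructed model of the recovery setup described in the post (names are illustrative).
POST_SETUP: Setup = {
    "google_account": [[]],                  # the account under recovery; marked lost below
    "gmail": [["google_account"]],
    "google_docs": [["google_account"]],     # where the domain-host login info lived
    "recovery_phone": [[]],                  # SMS code, independent of Google
    "alias_recovery_email": [["gmail"]],     # forward-and-delete alias: only readable in Gmail
    "domain_host_login": [["google_docs"], ["backup_notes"]],  # either source of the login info
    "backup_notes": [[]],                    # the separate backup system the author kept
    "domain_webmail": [["domain_host_login"]],
    "alias_email_after_fix": [["domain_webmail"]],  # alias read via webmail once forwarding is off
}


def usable(setup: Setup, factor: str, lost: frozenset, _path: Tuple[str, ...] = ()) -> bool:
    """True if `factor` is reachable without the `lost` factors and without circular reliance."""
    if factor in lost or factor in _path:    # lost outright, or depends on itself
        return False
    alternatives = setup.get(factor, [])     # unknown factor -> no alternatives -> unusable
    return any(all(usable(setup, dep, lost, _path + (factor,)) for dep in alt)
               for alt in alternatives)


def recovery_report(setup: Setup, recovery_factors: List[str], lost: frozenset) -> Dict[str, bool]:
    """Which registered recovery factors still work once the `lost` factors are inaccessible."""
    return {f: usable(setup, f, lost) for f in recovery_factors}


if __name__ == "__main__":
    lost = frozenset({"google_account"})
    factors = ["recovery_phone", "alias_recovery_email", "alias_email_after_fix"]
    for name, ok in recovery_report(POST_SETUP, factors, lost).items():
        print(f"{name:24s} {'usable' if ok else 'UNUSABLE (depends on the lost account)'}")
```

Dropping the `backup_notes` alternative makes `alias_email_after_fix` unusable too, which is exactly the trap the post describes.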

Root Cause Analysis. So this morning I got in, reviewed all the emails that went into my account looking for damage and malfeasance. And I'm writing this summary, considering all my different steps and precautions and my plans going forward.

I checked the Google security info inside my account and I found that the password change was done by my phone. My iPhone has a six-digit security code on it and Face ID, and was in my possession at all times. So who did what? Google reported two apps that had access to my Google account, and it did not flag either as sketchy. One is Dropbox. The other is a great app for posting on this and other blogs when I'm mobile. I'm thinking it could have been the problem, so I removed its access and will not give it my Google account login going forward. I might create a special Blogger editor account for it so it will only have access to help me with the blogs.

Now back to my claim that nobody seemed to care and that maybe, Google doesn't care. True? Overstated? Wrong Question?

Has Google already processed the event, taking inventory of all my account info, noting that there was a security problem and that an unwanted password change happened on an iPhone with two apps that have access? Does Google already know about all the other apps on my iPhone, checking to see if there is a pattern of issues with apps on phones and security?

These questions are important ones and Google, secretive and mute, gives no clue as to how seriously they consider this sort of problem. The sum total of the communications from them to me after this serious and terrifying experience was an email about a new password and that congratulations, your account was recovered.

Now that I'm back inside my Google account, I have found one path towards some potential human help.

It turns out that I can get 2-3 minutes of attention from a "Google Expert".


When I do, I will ask them about what they think actually caused the changed email. There, I will use the number of the one app that had access and see what they think. Or is it another app on the phone which did not have access but somehow picked it off and used it to change it?

The weird thing that I'm trying to understand is whether, once I was hacked, did I have access to these account features to help me with recovery? Is it possible that this sort of help is only available through the account which of course, I couldn't get into and so I could not access?  I'll ask them about this too. If the service was available to me, I wonder why I never found it? Human error and lack of thoroughness by me?

It seems like by being a paying member, I am a Google One customer, and we have some sort of access to help. I'm now at the top of the queue to chat (the wait was about 15 minutes long), and my expectations have been set to 2-3 minutes of attention. My chat started 8 minutes ago with me saying:

I have now recovered control of my account and am looking for root cause of the stolen password.
My Google account reports that my password was changed (not by me) from my phone which has always been in my possession. So how did it happen? I had given access to "*****" to my Google ID on my phone. Could ****  have been the problem? Or is there another way that an app on my iPhone might have changed my password? The whole incident has been documented here:

https://www.blorum.info/2022/01/google-for-consumers-2022.html

Since then, 18 minutes of silence from them. Not even a murmur to assure me that it's still a live chat. I think I'll check with: "Are you there?"

Hey Google, really crappy chat. What gives? Do you give a damn or not? Now I'm PO'd.

A few days later, I received a Google survey asking how satisfied I am with their support efforts. I said that I wasn't and directed them to this blog post. They also asked if I would be willing to be contacted to provide more info; we'll see if they contact me again.

I'm still researching these questions about how it happened. Here are some articles relevant to how hackers steal your Google password.