The Gmail team recently introduced a new feature (in the footer) that enables account holders to verify the latest login activities on their account. I routinely check mine and the results are usually boring, reminding me I check my email way too often (and I do so mostly via browser, through my Canadian IP).
An unwelcome surprise
If you don’t check yours regularly, you should (my version of Google Apps doesn’t have this feature though). In fact, tonight during a routine check, I discovered an unwelcome surprise: an entry that didn’t belong. The following screenshot shows the recent activity on my account (with some information blanked out):
See that US, IMAP line? That wasn’t me. So did someone manage to access my account? Or was it a web application that I authorized? Before panicking, I decided to look into whatever information I could gather about that IP.
It turns out that it’s the IP of a server hosted by Slicehost (RackSpace), but I couldn’t find any website running on that IP address (173.203.211.51). To make things more interesting, I found two people (one German, one Japanese) complaining online about the same IP address and IMAP access to their Gmail accounts.
Was my account hacked into? I have a hard time believing that someone actually managed to log in by guessing my password, which was as secure as a password can be. I haven’t used my laptop on an unsecured WiFi network. I use a Mac and am very cautious about what I install, so I doubt I have a keylogger installed or anything of that nature. Using 1Password, I’m even immune to the so-called “tab napping” attacks.
Possible culprits
Assuming that this is not a misunderstanding, that is, that a SaaS application I authorized isn’t in fact using that server for a legitimate purpose, I think it’s likely that someone managed to get in through a vulnerability or backdoor in one such application.
I’m not pointing fingers here, nor accusing anyone, but it is interesting to find such an occurrence so shortly after granting the aforementioned authorizations. The websites I granted access to were:
- Zoho Discussions (24 hours before the suspected intrusion happened)
- Trendly (3 days before the intrusion)
- Etacts (a few weeks before the intrusion)
It’s worth mentioning that in the past Etacts had scared the crap out of me with their American IP showing up in the recent activity list. However a lookup has always shown the questionable IP to belong to them.
Do any of these services intentionally use the server with IP 173.203.211.51? Since I’m not the only one who suspects a violation from this IP, it would be interesting to hear what Slicehost has to say about it. Perhaps they know whether it’s a legitimate or illegitimate use of their server.
How to deal with an email intrusion
The perception of being intruded upon, whether it’s real or just a scare, is definitely not pleasant. Just in case the same happens to you, here is what I did to deal with the situation:
- I verified that there were no messages sent on my behalf.
- I checked that there weren’t any new filters that would forward emails to a possible malicious user.
- I verified that there weren’t any forwards and ensured that forwarding was disabled.
- POP3 was already disabled, and I have now disabled IMAP as well.
- I revoked access to my Google account for all listed web applications.
- I changed my password to another humongous one on a different computer, with a brand new installation of Linux, directly wired to my DSL modem (bypassing the whole wireless infrastructure I set up at home).
- I will, soon enough, format my Mac (I’ve been planning a DBAN wipe, plus a brand new installation for a while either way).
- I will continue to monitor my account activity.
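The checks above, and the IP lookup described earlier, amount to comparing each row of the recent-activity table against how you actually use the account: which access types (browser, IMAP, POP3), which countries, and which networks are yours. The following script is an added example of that triage, not code from the post or from Google. The activity rows are constructed (173.203.211.51 is the address discussed above; the other addresses are from the documentation range), and the usage profile is an assumption about an account that is only ever read from a browser in Canada.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample rows in the shape of Gmail's recent-activity table:
# (access type, location as Google shows it, IP address, local time).
# 173.203.211.51 is the address discussed in the post; the others are
# documentation-range addresses chosen for this example.
SAMPLE_ACTIVITY = [
    ("Browser", "Canada (QC)", "203.0.113.10", "2010-06-14 22:10"),
    ("Browser", "Canada (QC)", "203.0.113.10", "2010-06-14 09:02"),
    ("IMAP", "United States (TX)", "173.203.211.51", "2010-06-13 23:40"),
    ("Browser", "Canada (QC)", "203.0.113.10", "2010-06-13 18:15"),
    ("IMAP", "United States (TX)", "173.203.211.51", "2010-06-12 23:41"),
]

# Assumed usage profile for the account owner: browser only, from Canada,
# from a known home network. Adjust it to match how you really use the account.
PROFILE = {
    "access_types": {"Browser"},
    "countries": {"Canada"},
    "known_networks": [ip_network("203.0.113.0/24")],
}


@dataclass
class Finding:
    access_type: str
    country: str
    ip: str
    when: datetime
    reasons: list = field(default_factory=list)


def country_of(location):
    """'United States (TX)' -> 'United States'; the region sits in parentheses."""
    return location.split(" (")[0].strip()


def triage(rows, profile):
    """Return one Finding per row that deviates from the profile, newest first."""
    findings = []
    for access_type, location, ip, when in rows:
        reasons = []
        country = country_of(location)
        if access_type not in profile["access_types"]:
            reasons.append(f"access type {access_type} not expected")
        if country not in profile["countries"]:
            reasons.append(f"location {country} not expected")
        addr = ip_address(ip)
        if not any(addr in net for net in profile["known_networks"]):
            reasons.append(f"{ip} outside known networks")
        if reasons:
            findings.append(Finding(access_type, country, ip,
                                    datetime.strptime(when, "%Y-%m-%d %H:%M"),
                                    reasons))
    findings.sort(key=lambda f: f.when, reverse=True)
    return findings


def recurring(findings):
    """IPs that appear in more than one flagged entry. A repeat visitor on a
    schedule is more likely an authorized app polling the mailbox (or a
    persistent intruder) than a one-off mobile-carrier address."""
    counts = Counter(f.ip for f in findings)
    return {ip: n for ip, n in counts.items() if n > 1}


if __name__ == "__main__":
    flagged = triage(SAMPLE_ACTIVITY, PROFILE)
    for f in flagged:
        print(f"{f.when:%Y-%m-%d %H:%M}  {f.access_type:8} {f.country:15} "
              f"{f.ip}  -> {'; '.join(f.reasons)}")
    for ip, n in recurring(flagged).items():
        print(f"{ip} appears {n} times: check authorized apps before assuming compromise")
```

Run against the sample, the two IMAP rows are flagged on all three counts and the address is reported as recurring, which is exactly the pattern that should send you to the authorized-applications list before anything else: a third-party service that was granted mailbox access will show up as repeated IMAP logins from its hosting provider, not from your country.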
This is the kind of information I felt necessary to share even if this turns out to be a false alarm. I highly suggest that you keep an eye on your Gmail account activity and if you find something suspicious, act accordingly.
UPDATE (June 17, 2010): Please read my follow up post.
Our version of Google Apps has this feature.
Thanks for letting me know, Giovanni. I updated the article to specify that it’s my version of Google Apps that lacks this feature. It’s either because I’m using a free version (Do you?) or, more likely, because they have different versions deployed, so it depends on which of their servers your apps are hosted on.
I use the free version of google apps for my domain and if you haven’t already, you should turn on ‘next gen’ features – https://www.google.com/a/cpanel/example.com/DomainSettings
I was seeing this same thing, and like you, traced it back to slicehost and rackspace. I had also done all the password, security question changing, and had even gone in and deleted my etacts account, as that was the only account I had given access to my gmail to. But this didn’t stop the IMAP intrusions.
I complained to abuse@rackspace and was contacted by Mr. Evan Beard of Etacts who was very kind to explain to me that I needed to go into my Google Account settings (not Gmail, but my Google Account), and from there go Change Authorized Websites and delete the authorizations for Etacts. (I had four of them, somehow.)
Once I did that, the problem was solved.
That’s a good point that I forgot to make. I too had to remove etacts from the list of authorized services in my Google settings.
Whilst security is always a concern, I do not see how this is a Google-specific issue. Your IMAP got hacked, OK, but surely this is not specific to Google?
I would say that it’s not very Google specific, because any email account can be hacked into. What makes it at least partially Google specific is that Google accounts, unlike most email accounts, are also used to sign on elsewhere.
Mobile phone synchronization?
Not really. I don’t even own a smartphone.
Same happened to me last monday with my Gmail account (not my Google Apps one). I don’t know any of the sites that you listed… my only suspect was the XMarks extension that syncs my Firefox passwords.
You just scared the willies off me! Came very close to cancelling all my cards, Amazon, eBay etc. Then someone reminded me about ripe.net, and then I discovered the culprit was hullomail.
Why I was stupid enough to give a 3rd party access to my primary email account I can’t fathom but I’ve revoked it and I won’t be doing it again.
Etacts seems likely. Have you tried using their service again now that you’ve disabled IMAP?
This is not a new gmail feature; it has been there for over two years.
Oh, this changes everything then. 😛
Interesting post.
Cool to see that you did so many different things in response to the issue. Not too many people would have done all of those.
– Vasudev
Alternative scenario:
RackSpace has a service called RackSpace Cloud that allows heavily used web applications to dynamically scale their server farm on demand, i.e. adjust the number of servers used by the app to match the computing power needed to process all the requests at a given time.
This means one application can use one server (and the associated IP address) for just an hour or so during a traffic peak, and then “release” it (the server can then be used by other clients, etc.).
Since you noticed the login 22 hours after it happened, the IP was probably not used by that app anymore, so you couldn’t find the website – and probably didn’t find reverse DNS either.
That said, it is generally considered a bad idea to give away your password to applications. Consider using a secondary account + filter-forwarding if you *really* need it.
I’ve been having this same problem for quite a while. I even changed my password and this still happens.
Oh,
I have the same fucking IP on my Gmail IP list.
It scares me. I did everything I could, but this person or whatever knows when I change my password.
I wrote on the German Google help board. Still no result. But there is some Google assistant trying to help me.
What is behind that IP? What can I do?
I made several scans, checks, etc., even deleted my Firefox.
Now I am using my email from another laptop.
I’m totally pissed off by that kind of people doing this instead of using their energy for good things in the world.
Matt
Matt, it turns out it’s Etacts. Have you used them in the past? I’ll post a follow up with clarifications very soon.
Do you have a mobile phone that you use to check your email? I’ve seen a strange IP pop up for me (coming from TX when I’m in AZ) and it’s AT&T’s 3G IP, apparently, because it’ll show up as soon as I check my email via my phone.
I’m in AZ and have a TX mobile ip address as well. It seems to go back to a ISP.
I live in Chicago, but this IP address “IMAP United States (NY) (166.137.136.208)” keeps showing on my Gmail’s activity information even though I signed out all other sessions and changed my password. Any thoughts?
curiBOX – I live in Chicago and have a single NY entry in my activity as well. Have you figured out why this is happening? Do you have an iPhone? I’m thinking that might be involved with the issue.
Thank you so much for this post! A few days ago I received an email from my gmail account in another account that I didn’t send. It only contained a subject line: -Hi-. I quickly signed into my account but couldn’t even find a sign of the email being sent. I have since changed the password but had no idea about this feature. I just checked and found an anomalous IP listed:
Mobile Belgium 83.134.222.216 (I live in the US).
I haven’t found much information on it yet but at least it gives me a place to start. Thank you again!
Ditto, same issue, same IP address.
Only difference is that I didn’t use ANY of the sites or apps listed (never even heard the names).
I thought this was because I accessed it from my mobile phone or something.
Didn’t pay so much attention and just changed the password.
Hmm..
I live in Alabama. I drive one hour to work. I have looked at this before. I looked again today. I have Georgia and NY IP’s listed for today, as well as work IP and Alabama. ALL 3G (except work)…round robin tower jumping for data.
Are you certain it’s not a smartphone? Maybe, if not, then an iPod Touch? I don’t access my Gmail except through a browser… I thought (I’m getting an IP connected to a provider, so). I realized this morning after reading your article that I have my iPod Touch set to push emails from Gmail. I need to research once I get home, but there are indeed fewer attempts than I would have thought since I have it set to push every 30 minutes. Just food for thought though.
It’s confirmed that it was etacts. I’ll post a follow up shortly.
“I verified that there were no messages sent on my behalf.”
And how did you do that?
There isn’t a guaranteed way of doing that, but I checked my Sent, Drafts, and Trash folders.
Great advice. But personally, I think you went a bit overboard with setting up a new password with 1. a brand new installation of Linux, 2. directly wired to your DSL modem, 3. and formatting your mac.
1 and 3: People don’t bother to place worms on Linux/Macs because there are too few users and it’s more difficult to do so than on Windows. People do what is statistically most profitable. So if you really believe someone was able to hack Linux/Mac to get to you, then it’s obvious you were targeted. In that case, even if you reformat, they can simply do it again, since these are pros. But then, why do you think you are the victim of such organised hacking? Are you in trouble with the Russian mafia, Chinese government, German arms trafficker, or did you piss off an Indian IIT grad? Normal people don’t get hacked on Linux machines unless it’s so personal that they hired hackers from Brazil, but then, you are screwed no matter what you do anyway.
2: Wireless isn’t unsafe if set up properly. And if you are paranoid about wireless, then you better use a direct connection forever, coz the next time you go wireless and check your email, BAM, your 128 character password would be exposed again.
Just helping to keep things in perspective. But if you feel you NEED to go to such great lengths to make you sleep properly at night, then so be it. I respect your decision. And thanks again for sharing your story.
Thanks a lot for this article!
Thank you for sharing this. I didn’t know about the Google feature to track your account visits. But it also means I am going to turn into a paranoid user who checks if her a/c is being hacked constantly!
OK, thanks a lot cuz I was getting a little scared for a sec… but I’m alright.
My wife just got hacked and if there is account activity that looks suspicious it will direct you to Recent Activity at the start of your GMail session.
Dear sir/madam,
I want to know: if someone logs in to my Gmail account, can I get these updates on my Yahoo ID? Is it possible to receive the Gmail account activity on a Yahoo ID?
I’m facing the same problem here. Still trying to solve it, but after some time it occurs again. I don’t know who this IMAP United States IP is.