40 responses

  1. Giovanni Intini
    June 15, 2010

    Our version of Google Apps has this feature.

    • Antonio Cangiano
      June 15, 2010

      Thanks for letting me know, Giovanni. I updated the article to specify that it’s my version of Google Apps that lacks this feature. It’s either because I’m using a free version (Do you?) or, more likely, because they have different versions deployed, so it depends on which of their servers your apps are hosted on.

    • Christine
      June 16, 2010

      I was seeing this same thing, and like you, traced it back to slicehost and rackspace. I had also done all the password, security question changing, and had even gone in and deleted my etacts account, as that was the only account I had given access to my gmail to. But this didn’t stop the IMAP intrusions.

      I complained to abuse@rackspace and was contacted by Mr. Evan Beard of Etacts who was very kind to explain to me that I needed to go into my Google Account settings (not Gmail, but my Google Account), and from there go Change Authorized Websites and delete the authorizations for Etacts. (I had four of them, somehow.)

      Once I did that, the problem was solved.

      • Antonio Cangiano
        June 16, 2010

        That’s a good point that I forgot to make. I too had to remove etacts from the list of authorized services in my Google settings.

  2. Invalidrecord
    June 15, 2010

    Whilst security is always a concern, I do not see how this is a google specific issue. Your imap got hacked ok but surely this is not specific to google?

    • Antonio Cangiano
      June 15, 2010

      I would say that it’s not very Google specific, because any email account can be hacked into. What makes it at least partially Google specific is that Google accounts, unlike most email accounts, are also used to sign on elsewhere.

  3. Chris Wheeler
    June 15, 2010

    Mobile phone synchronization?

    • Antonio Cangiano
      June 15, 2010

      Not really. I don’t even own a smartphone.

  4. deigote
    June 15, 2010

    Same happened to me last monday with my Gmail account (not my Google Apps one). I don’t know any of the sites that you listed… my only suspect was the XMarks extension that syncs my Firefox passwords.

  5. Andy Baker
    June 15, 2010

    You just scared the willies off me! Came very close to cancelling all my cards, Amazon, E-Bay etc. Then someone reminded me about ripe.net and then I discovered the culprit was hullomail

    Why I was stupid enough to give a 3rd party access to my primary email account I can’t fathom but I’ve revoked it and I won’t be doing it again.

  6. Jonathan Roes
    June 15, 2010

    Etacts seems likely. Have you tried using their service again now that you’ve disabled IMAP?

  7. ????
    June 15, 2010

    This is not a new gmail feature; it has been there for over two years.

    • Antonio Cangiano
      June 15, 2010

      Oh, this changes everything then. 😛

  8. Vasudev Ram
    June 15, 2010

    Interesting post.

    Cool to see that you did so many different things in response to the issue. Not too many people would have done all of those.

    – Vasudev

  9. clemo
    June 15, 2010

    Alternative scenario :

    RackSpace has a service called RackSpace Cloud that allows heavy-used web application to dynamically scale their server farm on demand – i.e. adjust the number of server used by this app to match the computing power needed to process all the requests at a given time.
    This means one application can use one server -and the associated IP address- for just an hour or so – traffic peak, and then “release” it (the server can then be used by other clients, etc).
    Since you noticed the login 22 hours after it happened, the IP was probably not used by that app anymore, so you couldn’t find the website – and probably didn’t find reverse DNS either.

    That said, it is generally considered a bad idea to give away your password to applications. Consider using a secondary account + filter-forwarding if you *really* need it.

  10. M
    June 15, 2010

    I’ve been having this same problem for quite a while. I even changed my password and this still happens

  11. Matt
    June 15, 2010

    I have the same fucking ip on my gmail ip list.
    It scares me. I did everything I could, but this person or what ever knows when I change my password.
    I wrote on the German google help board. Still no result. But there is some google assistant trying to help me.
    What is behind that ip? what can I do?
    I made several scans, checks, etc. even deleted my firefox.
    Now I am using my email from another laptop.
    I’m totally pissed of by that kind of people doing this instead of using their energy for good things in the world.


    • Antonio Cangiano
      June 15, 2010

      Matt, it turns out it’s Etacts. Have you used them in the past? I’ll post a follow up with clarifications very soon.

    • skrymir
      June 15, 2010

      Do you have a mobile phone that you use to check your email? I’ve seen a strange IP pop up for me (coming from TX when I’m in AZ) and it’s AT&T’s 3G IP, apparently, because it’ll show up as soon as I check my email via my phone.

      • John
        June 16, 2010

        I’m in AZ and have a TX mobile ip address as well. It seems to go back to a ISP.

  12. curiBOX
    June 16, 2010

    I live in Chicago, but this ip address “IMAP United States (NY) (” keep shows on my gmail’s activity information even though i signed out all other sessions and changed my password. any thoughts?

    • kevo
      July 6, 2010

      curiBOX – I live in Chicago and have a single NY entry in my activity as well. Have you figured out why this is happening? Do you have an iphone? I’m thinking that might be involved with the issue..

  13. Adam
    June 16, 2010

    Thank you so much for this post! A few days ago I received an email from my gmail account in another account that I didn’t send. It only contained a subject line: -Hi-. I quickly signed into my account but couldn’t even find a sign of the email being sent. I have since changed the password but had no idea about this feature. I just checked and found an anomalous IP listed:
    Mobile Belgium (I live in the US).
    I haven’t found much information on it yet but at least it gives me a place to start. Thank you again!

  14. Rishi Arora
    June 16, 2010

    Ditto, Same issue.. same IP address..
    Only difference is that I didnt use ANY of the sites or Apps listed..(never even heard the names)
    I thought this is because I accessed it from my mobile phone or something..
    didnt pay so much attention and just changed the password..

  15. chris
    June 16, 2010

    I live in Alabama. I drive one hour to work. I have looked at this before. I looked again today. I have Georgia and NY IP’s listed for today, as well as work IP and Alabama. ALL 3G (except work)…round robin tower jumping for data.

  16. Chris
    June 16, 2010

    Are you certain it’s not a smartphone? Maybe if not then an iPod touch? I don’t access my Gmail except through a browser….I thought (I’m getting an IP connected to provider so). I realized this morning after reading your article I have my Ipod Touch set to push emails from Gmail. I need to research once I get home, but there are indeed fewer attempts than I would have thought since I have it set to push every 30 minutes. just food for thought though.

    • Antonio Cangiano
      June 16, 2010

      It’s confirmed that it was etacts. I’ll post a follow up shortly.

  17. Anton
    June 16, 2010

    “I verified that there were no messages sent on my behalf.”

    And how did you do that?

    • Antonio Cangiano
      June 16, 2010

      There isn’t a guaranteed way of doing that, but I checked my Sent, Drafts, and Trash folders.

  18. ICE
    June 16, 2010

    Great advice. But personally, I think you went a bit overboard with setting up a new password with 1. a brand new installation of Linux, 2. directly wired to your DSL modem, 3. and formatting your mac.

    1 and 3: People don’t bother to place worms on Linux/Macs because there are too few users and it’s more difficult to do so than Windows. People do what is statically most profitable. So if you really believe someone was able to hack Linux/Mac to get to you, then it’s obvious you were targetted. In that case, even if you reformat, they can simply do it again, since these are pros. But then, why do you think you are the victim of such organised hacking? Are you in trouble with the Russian mafia, Chinese government, German arms trafficker, or did you piss off an Indian ITT grad? Normal people don’t get hacked on Linux machines unless it’s so personal that they hired hackers from Brazil, but then, you are screwed no matter what you do anyway.

    2: Wireless isn’t unsafe if set up properly. And if you are paranoid about wireless, then you better use a direct connection forever, coz the next time you go wireless and check your email, BAM, your 128 character password would be exposed again.

    Just helping to keep things in perspective. But if you feel you NEED to go to such great lengths to make you sleep properly at night, then so be it. I respect your decision. And thanks again for sharing your story.

  19. Pablo
    June 16, 2010

    Thanks a lot for this article!

  20. Preets
    July 3, 2010

    Thank you for sharing this. I didn’t know about the Google feature to track your account visits. But it also means I am going to turn into a paranoid user who checks if her a/c is being hacked constantly!

  21. aj
    August 21, 2010

    ok thanx alot cuz i was gettin a little scaed for a sek…. but i’m alrite.

  22. Sam
    September 2, 2010

    My wife just got hacked and if there is account activity that looks suspicious it will direct you to Recent Activity at the start of your GMail session.

  23. pallavi
    November 29, 2011

    dear sir/maam
    i want to know that if someone login in my gmail account and this updates can i get on my yahoo id, is it possible to get and gmail account activity we receive on yahoo id

  24. Singh
    December 10, 2011

    i m facing same problem here.still tryin to solve.but after some time it occurs again.i dunno who is this IMAP unitedstates ip

Leave a Reply




Back to top
mobile desktop