Who is accessing your Gmail account?

The Gmail team recently introduced a new feature (in the footer) that enables account holders to verify the latest login activities on their account. I routinely check mine and the results are usually boring, reminding me I check my email way too often (and I do so mostly via browser, through my Canadian IP).

An unwelcome surprise

If you don’t check yours regularly, you should (my version of Google Apps doesn’t have this feature though). In fact, tonight during a routine check, I discovered an unwelcome surprise: an entry that didn’t belong. The following screenshot shows the recent activity on my account (with some information blanked out):

My Gmail activity window

See that US, IMAP line? That wasn’t me. So did someone manage to access my account? Or was it a web application that I authorized? Before panicking, I decided to look into whatever information I could gather about that IP.

It turns out that it’s the IP of a server hosted by Slicehost (Rackspace), but I couldn’t find any website running on that IP address (173.203.211.51). To make things more interesting, I found two people (one German, one Japanese) complaining online about the same IP address and IMAP access to their Gmail accounts.

Was my account hacked into? I have a hard time believing that someone actually managed to log in by guessing my password, which was as secure as a password can be. I haven’t used my laptop on an unsecured WiFi. I use a Mac and am very cautious about what I install, so I doubt I have a keylogger installed or anything of that nature. Using 1Password I’m even immune to the so-called “tab napping” attacks.

Possible culprits

Assuming that this is not a misunderstanding and some SaaS application I authorized is not in fact using that server to perform a legitimate action, I think it’s likely that someone managed to get in through a vulnerability or backdoor in one such application.

I’m not pointing fingers here, nor accusing anyone, but it is interesting to find such an occurrence happening so shortly after granting the aforementioned authorizations. The websites I granted access to were:

  • Zoho Discussions (24 hours before the suspected intrusion happened)
  • Trendly (3 days before the intrusion)
  • Etacts (a few weeks before the intrusion)

It’s worth mentioning that in the past Etacts had scared the crap out of me with their American IP showing up in the recent activity list. However, a lookup has always shown the questionable IP to belong to them.

Do any of these services intentionally use the server with IP 173.203.211.51? Since I’m not the only one who suspects a violation from this IP, it would be interesting to hear what Slicehost has to say about it. Perhaps they know if it’s a legitimate or illegitimate use of their server.

How to deal with an email intrusion

The perception of being intruded upon, whether it’s real or just a scare, is definitely not pleasant. Just in case the same happens to you, here is what I did to deal with the situation:

  • I verified that there were no messages sent on my behalf.
  • I checked that there weren’t any new filters that would forward emails to a possible malicious user.
  • I verified that there weren’t any forwards and ensured that forwarding was disabled.
  • POP3 was already disabled, and I have now disabled IMAP as well.
  • I revoked access to my Google account for all listed web applications.
  • I changed my password to another humongous one on a different computer, with a brand new installation of Linux, directly wired to my DSL modem (bypassing the whole wireless infrastructure I set up at home).
  • I will, soon enough, format my Mac (I’ve been planning a DBAN wipe, plus a brand new installation for a while either way).
  • I will continue to monitor my account activity.
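
The monitoring step can be made repeatable by comparing each activity entry against a baseline of how the account is normally accessed. The following is an added example, not part of the original post: the CSV layout, the baseline values, the timestamps and the `authorized_networks` range are assumptions, and only the flagged IP address is the one quoted above.

```python
import csv
import io
import ipaddress

# Constructed sample, transcribed by hand from the columns the activity
# window shows (access type, location, IP). Times and all addresses except
# 173.203.211.51 (quoted in the post) are made up for illustration.
SAMPLE_ACTIVITY = """\
access_type,location,ip,time
Browser,Canada,198.51.100.24,2010-06-15 21:40
Browser,Canada,198.51.100.24,2010-06-15 18:05
IMAP,United States,173.203.211.51,2010-06-15 14:12
IMAP,United States,203.0.113.9,2010-06-14 09:30
"""

# Hypothetical baseline: how the owner normally connects, plus the networks
# of third-party apps that were deliberately authorized.
BASELINE = {
    "access_types": {"Browser"},
    "locations": {"Canada"},
    "authorized_networks": [ipaddress.ip_network("203.0.113.0/28")],
}


def load_activity(text):
    """Parse the CSV transcription into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def review_activity(rows, baseline):
    """Return (row, reasons) for every entry that deviates from the baseline."""
    findings = []
    for row in rows:
        ip = ipaddress.ip_address(row["ip"])
        # An entry from an authorized app's network is expected even when it
        # is IMAP from another country (the Etacts case described above).
        if any(ip in net for net in baseline["authorized_networks"]):
            continue
        reasons = []
        if row["access_type"] not in baseline["access_types"]:
            reasons.append("unexpected access type " + row["access_type"])
        if row["location"] not in baseline["locations"]:
            reasons.append("unexpected location " + row["location"])
        if reasons:
            findings.append((row, reasons))
    return findings


if __name__ == "__main__":
    for row, reasons in review_activity(load_activity(SAMPLE_ACTIVITY), BASELINE):
        print(row["time"], row["ip"], "; ".join(reasons))
```

Keeping the authorized networks in the baseline is what separates an app you granted access to from an entry nobody can account for.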

This is the kind of information I felt necessary to share even if this turns out to be a false alarm. I highly suggest that you keep an eye on your Gmail account activity and if you find something suspicious, act accordingly.

UPDATE (June 17, 2010): Please read my follow-up post.
