Possible gmail break-in

When I logged into gmail this morning, I saw the message that I dread the most – detection of an unusual access.  There was a connection (two days ago) from a server in Malaysia, although it’s actually an AWS server (Amazon Web Services).

There are two possibilities: the good one is that this is something that I’ve previously given access to my account, accessing it via an alternate method (e.g. Backupify can access my mail to back it up, and they use AWS) so that it showed up as unusual.  The bad one is that someone was using AWS to bulk-attack accounts and got in.

In favour of the good one, as far as I can tell, no email was sent – I can’t see anything amiss at all.  The email account is the central lockbox for everything, of course, so it’s possible that it was just used to break into other things, or the email content was retrieved.  My password (changed now, of course) was a random 8-character string of lower-case alphanumeric characters, so not particularly simple to break (although not difficult either, given sufficient resources).  I never give out the password to anything that I do not completely trust, and nor do I give out access via other methods (e.g. oauth, openid) unless I trust those services too.

I had intended to turn on two-factor identification, but hadn’t got to it yet.  I’ve done that now, for the main account at least.  My password is now over 30 characters long, including upper and lower case and punctuation – I probably should have changed this a while ago too.

For now, I’m leaning towards the good possibility, so I won’t be completely resetting everything that can send a password reminder to my gmail account.  I’ll be keeping an eye on things as closely as I can in the next week or so, though.  If you see anything suspicious come from me, please let me know.

6 responses to this post.

  1. Posted by Jack on March 24, 2011 at 5:03 am

    I recently saw something similar with my account. Accessed by amazonaws.com:184.72.232.169

    Did you ever get any more details? What services do you allow access to your gmail account? Do you know if this is gmail only?

  2. Nothing else has come up – certainly nothing suspicious. It’s very odd behaviour if it was malicious, since any information taken would date quickly. (Unless there was a search for something – perhaps US specific – and it wasn’t found so nothing more was done).

    I still lean towards a legit service that got flagged because it did something differently.

    I’ve had the gmail account for many years, so it’s possible I’m forgetting something, but the only service I can think of that I’ve given access is backupify.

    I think this was gmail only – although if you had the username + password that would give access to any google service (but I saw nothing in any others, and use many).

  3. I recently signed up for backupify (after reviewing and believing it to be safe). But two days later, the emails they sent me are gone from my gmail account and they say they don’t have an account for me. I find it hard to believe and it seems way too nefarious, but it would seem that someone has deleted my backupify account (erased it altogether) and used the information I provided to access my email and delete the correspondence they sent to me. This is either a system glitch on their end – and I say that because I can’t think of a reason why it would be done on purpose – or some scary stuff is going on. Very scary.

  4. Posted by John Haug on January 26, 2012 at 5:34 pm

    I got the unusual activity notice tonight when I accessed my Gmail account. After the panic subsided I recalled that I used QuickOffice on my Amazon Kindle Fire to access a spreadsheet from my Google Docs account early this morning. The time stamp seemed about right. Mystery solved. I hope this helps others seeing this message.

  5. Posted by Rima on August 2, 2012 at 3:47 am

    I saw something similar, it’s:
    IP Address: 184.73.159.134 (amazonaws.com)
    Location: Charlotte, NC, USA
    Who is this?????

  6. Posted by YGhaz on March 10, 2013 at 9:09 am

    Same as John Haug – Using OpenOffice & the Kindle App on an iPad got me the message from Google showing IP address of amazonaws in Dallas, TX.
