[REQUEST] Gmail hacked (again)

Blue House Computer Help

A little advice needed. I have an elderly customer who had his Gmail hacked. Only has email on one device, and only had one active email address, so didn't have a recovery email address set, but he has 2 step authentication turned on (text to his iPhone).

Apparently under some circumstances, when you can't do any form of normal authentication/2FA, Gmail has an option where you can put in any email address and have a password reset link sent to you after a 48 hour delay. Of course they send you an email to that account to warn you, but if you don't happen to check your email within 48 hours, they can reset your password. He has 2 step authentication turned on (text to his iPhone), but he didn't get anything.

I know that sounds like it's wide, wide open for abuse and I wouldn't have believed it myself, except that we had to use the same process to regain access to his account as he doesn't have a recovery email address. Once we'd got access, we could see one security notification email about this 48 hour delay period that had been sent to the account from when we did it, and a matching one from when the hacker did the same thing about 5 days ago.

Questions:
1. Is there a best practice checklist somewhere for completely locking down a Gmail account? It was hacked in a different way before (before we added 2 step authentication), so I wonder if there was some previous access that allowed this loophole without receiving a 2FA text.

2. Was this 48 Hour reset option only available because he didn't have a recovery email address set up? Or, under what circumstances is it possible?
 
Was this 48 Hour reset option only available because he didn't have a recovery email address set up?

That would be my guess. But I've done plenty of Gmail recoveries on accounts without recovery email/phone, and to a one you had to be able to give at least one, sometimes several prior passwords and get at least one of them right before the process would even continue. You could not just enter an email address and say, "Send me a password reset after X amount of time has passed." If they've added that, it's relatively new.

I do also know (unless Google changed something) that if you have a recovery email and/or phone set up, that's the only alternate communication channel they'll use for lock-out situations. If he's using SMS 2FA he ought to change his account so that the same number is his recovery phone number. If he's not used to having or checking another email address, the probability of a recovery email being feasible in practice is very small.

Has his computer been swept for things such as keyloggers? Something/someone is watching, and since this is not an individual that many professional hackers would consider "a juicy target," this strikes me as nuisance hacking by an amateur (which doesn't mean they're not good at it, but that high-value returns don't seem to be part of the picture).
 
I went through something similar last week at my local church. They use a simple gmail account as their primary email address and had never defined a recovery address. The church secretary actually fat fingered a password reset and then couldn't remember what she had actually typed. After numerous attempts we were finally given the option to send a reset to an address of our choosing.

Google obviously wants to get out of the end-user support business and this is their automated method of doing so.

Do follow the Security practices checklist that they present you at some point when you've recovered the account. Do implement a valid recovery account on a different email provider.

I always create 2 different accounts now, one Google and one Microsoft and then cross reference them for recovery purposes. Then I add both accounts to a residential or small business client's default browser tabs. Because a recovery address is no good if it goes inactive from lack of use.
 
I have previously reformatted his PC. He had an incident a few months ago where he'd let scammers onto his computer (fake tech type scam) and lost some money to them. I reformatted his PC then, reset passwords, and enabled 2FA by text.

I don't think it involved any compromised passwords. Once we got logged in to the account we could see from the nature of the Gmail security warnings that had been emailed to him that it was somebody doing the 48 hour trick without actually having his password. I have to confess, when I was going through the same process with him I didn't cotton on to what was going on until we got logged in, so I'm not sure, but I think it only asked me to verify his full phone number.

Anybody have any kind of checklist for what they do in these situations to make sure, or as sure as possible, that every avenue has been blocked?

Also, I hadn't set him up with an authenticator app because he's older and I didn't think he would cope, but that might be what we have to do. Do you think Google would be more persistent about insisting on needing the authenticator app if someone tried again, or would it let them get some other way around like it has done? Maybe no way to find out but to try (and set up an outlook.com recovery email too).
 
I don't really see the point in necessarily having 2 recovery methods in a case like this. If he is already accustomed to using his phone, and reads texts, then having it as a single recovery method is sufficient.

I also believe that's all that's needed to avoid the "send password link" situation again. That's a complete fallback when the user does not, after many repeated prompts over time, set up at least one recovery method. I'd prefer that being there, even if it can be abused, in the case of no recovery method having been set up. Losing access to an account sometimes of decades long use because there is absolutely no way back in for "the average user who stupidly didn't set up a recovery method" is worse than this security hole, in my opinion.
 
I've gotten to the point where, for every customer I come in contact with, _I_ personally verify 2FA for every account that they remember. If it's a financial thing I just tell them to call the support line and they'll walk them through. And I too believe in having 2 recovery emails in addition to text/SMS.
 
Although it's not my problem to solve, I wonder how many petabytes of data center storage are dedicated to saving spam in accounts that nobody even looks at? Us old farts actually recover our accounts, the young 'uns just roll a new one and abandon their locked ones. My own 20 something nephew has lost track of the gmail accounts he's created just since high school. When he forgets a password he just starts over.
 
I only recently lost access to my 2 or 3 extra email accounts that only ever got spam, with maybe being tied to a forum or something, but nothing I will really lose. I lost them due to never really using those, plus having stopped using many of the boards or apps tied to the email.
 
I think it's just how the OP laid it out. Hacker exploited the 48 hour window. EU didn't pay attention to texts or emails. I've got 40-50 year olds who don't understand/grasp what those notifications are.
 
Ya, but the 48 hour window doesn't allow for *any email* or *any phone number* to be used. It uses the phone # of the customer and/or the alternate email address given at time of signup (or if changed later via the Profile Settings by the customer).

So, it's not like the hackers put their email address in there. They would have had to get it from customer@earthlink.com or whatever. Alternatively, they would have needed a cloned SIM or access to the user's phone for the number verification.

So, to me, it doesn't explain anything, really.

If we're only talking two devices between a possible 2 emails and one phone number, I fail to see where else the breach could be other than a hacked device or a hacked recovery email address. Seeing as the PC was reloaded, I would think that device should be clean under ideal circumstances.

 
Ya, but the 48 hour window doesn't allow for *any email* or *any phone number* to be used

You are mistaken. It DOES in fact allow you to input ANY email address to be used after the 48 hour window passes. But this appears to be true ONLY when your Google account has never had a recovery email address defined. And this is true even if you DO have a valid mobile telephone number defined and in use.

This behavior may not present itself the first time you attempt to recover the account. I tried multiple times but kept reaching a dead end. Suddenly the option to enter any email address offered up from the Google hellscape.
 
@Metanis - I've never known it to work that way, but I do understand what you're saying.

Usually, the way I've observed, is that it simply uses the phone (SMS code; or Android phones will pop up a prompt in the message area [non-SMS]; iPhones usually require the user to open the Gmail app) and then either 1. redirects to a reset password page or 2. goes through a final "personal question" (usually DOB, but sometimes a question/answer or "recent, past password you can remember"), all on the phone's browser. Then you can continue, all without ever setting a recovery email at all. Upon logging in after completing the password reset page, it will then offer to set a recovery email on the following login, which you can accept or skip.

If it's true that Google simply allows an arbitrary email address as a recovery method, without any authorization as to who is setting that, that seems like a gross security failure. I suspect that perhaps in your case(s), Google was able to "reasonably identify" your/the customer's device, whether that was from IP address, location, or browser (Chrome), etc.

 
@phaZed

Your experience and mine are the same. I've had to go through the "give us a password you have used on the account in the past" gyrations more than once, and if you couldn't give ones (and it was always plural) that Google would accept, you remained locked out. And that was only done if there was no recovery method - whether phone, email, or both - in place.

I've got at least two "junk" email accounts that I never set up recovery methods for where I could try to see if I can ever be given an option to just give them an alternative email address for a reset link.
 
A very late entry on this based on an experience with a customer last week.

She has a Comcast/Xfinity account that is her primary address, and I created a Gmail address as a recovery address several years ago after she got locked out of her Comcast address and it took an unbelievable amount of effort to regain access.

Well, she somehow managed to do that, again, and had changed the last password that she had on record in her notebook, so I thought, well, let's have recovery sent to the Google Account. She didn't have the correct password for that, either, so we ended up having to go the 48-hour option, and the only address to which that option sends is to the recovery address of record on the Google account. You can't just give it a random address and it doesn't give you an option of sending to the address you're trying to regain access to (because how would you access that address to get at the "let me back in" message?).
 
I did this the other day. A customer had her son, who was doing whatever, not my business. He had control of her email, phone number and password. He basically was the admin of her Google Account, as he had set everything up. I went to the Google Account recovery and sorted it from there, to change the alternative email to her phone, code sent etc. Then changed it to how the customer wanted it and blocked the son in her Gmail.
 
It was session cookies (kinda as I laid out before - not bragging!).



Researcher's paper: