69

Just before Christmas I received the following message in one of my GMail accounts:

Sign-in attempt was blocked
********@gmail.com [redacted by me]

Someone just used your password to try to sign into your account. Google blocked them, but you should check what happened.

I signed into that account and looked at the activity (not by clicking the link in the message, of course) and indeed there was a sign in attempt blocked from the Philippines.

I gather this means that an attacker entered the correct user name and password for my account, but was likely blocked because they couldn't pass the MFA challenge. Or maybe Google's fraud detection is actually decent and it knows I've never been to the Philippines? Either way, I immediately changed the password and (as far as I know) the attacker didn't gain control of the account.

However, in the 2 weeks since then, I have received several email verification requests from various online services that I never signed up for -- Spotify, OKCupid, a Nissan dealership in Pennsylvania (that one's interesting), and a few others I've never heard of before. Someone out there is actively using my GMail address to enroll for these services.

The account in question is not my main account, and while the password on it was admittedly weak, it was also unique (I never used it on anything else). I changed it to a password that's much stronger now.

Should I be concerned about this?

Also, if the attacker didn't gain control of the account, why use it to enroll in all these services?

Wes Sayeed
  • What makes you think they know the password? Could they have just tried your email address and any password (perhaps from another hacked site?) Regardless, it's good you protected yourself by changing the password. – Hand-E-Food Jan 06 '20 at 21:40
  • 2
    I have been getting this for years - emailed receipts, itineraries, "confirm the account you just made" links, "non-spam" (subscribed-to/you-have-an-account-with-us) advertisements, social network updates, once a picture of a literal legal document, and other garbage. All to my primary email address. For years. No one seems to have ever actually compromised my email, nor tried to. And yet, for years, one or more entities *occasionally* uses my email address when making accounts or listing contact information somewhere, I guess. Wondering the same thing as you, but my life seems okay so far? – mtraceur Jan 06 '20 at 22:07
  • 14
    @Hand-E-Food the email from Google says they used the OP's password, which implies they used the correct password for the account. – Kat Jan 06 '20 at 22:52
  • 1
    Are you absolutely sure you didn't reuse the password anywhere else? What about very similar passwords? If that's true, I'd be concerned about how they got your password to begin with. – Kat Jan 06 '20 at 22:56
  • 1
    @Wes Sayeed Gmail does funny things with full stops in email addresses. For example, if your email was wes.sayeed@gmail.com then you would also receive email sent to wessay.eed@gmail.com. I myself have a dictionary-word gmail account and have received many misdirected emails from external systems that don't honor/handle the full stop. https://support.google.com/mail/answer/7436150?hl=en – Beeblebrox Jan 07 '20 at 01:54
  • @Wes Sayeed I should point out my comment is more about the follow-up phishing and not them accessing your account in the first place. See this Q for more: https://security.stackexchange.com/questions/210045/why-would-someone-open-a-netflix-account-using-my-gmail-address?rq=1 – Beeblebrox Jan 07 '20 at 02:07
  • 1
    Here's the other question: is the "sign in attempt" email even legitimate? https://www.techjunkie.com/gmail-login-history/ Bad guys can fake anything else. Also, just because they harvested your email doesn't necessarily mean they have your password. I have received 100's of faked Apple receipts for iPhones etc. and they're ALL fake. – cybernard Jan 07 '20 at 02:18
  • @cybernard "sign in attempt blocked from the Philippines" – schroeder Jan 07 '20 at 08:55
  • 1
    You said the password is unique but not strong. Is it possible you just happened to choose a password that might have been used by others? It might not hurt to put it into [HIBP](https://haveibeenpwned.com/Passwords) to see if they have seen the password used in other places - that might explain how someone guessed it. Either way, I saw your comment about how you feel that your question still isn't really answered, so if nothing shows up in a day or so I'll start a bounty and see if we can get a more direct answer. – Conor Mancone Jan 07 '20 at 15:43
  • 6
    Nobody else mentioned forwarding. It's possible that before Google blocked them the attacker was able to configure your Gmail to forward emails to their own email address. This would allow them to receive copies of the verification emails in the future, and is usually one of the first things attackers do after compromising an email account. – jdgregson Jan 07 '20 at 19:28
  • Also, another way they could have gotten your password is by compromising your computer. You should check for malware just in case. – Stephan Branczyk Jan 08 '20 at 06:53
  • @jdgregson This. One of my colleague got his email account hacked last year, and I advised him to check if there was any new forwarding configuration. You know what? There was one. – Rafalon Jan 08 '20 at 14:24
  • I know for a fact that an unknown leak has happened somewhere. I got a successful login on one of the email accounts I use for receiving spam. It shared a password with a lot of things I only used once (those forums where you have to sign up to download something) and I am still not concerned about that leaking. But I know that one of these services has somehow compromised that password. – Dr_Bunsen Jan 08 '20 at 15:57

6 Answers

99

Should I be concerned about this?

Yes.

This should be of concern to you because an attacker was able to obtain the valid password for your Gmail account. From the details of the warning you have provided, it looks like it is from fraud detection rather than an OTP failure. If it was an OTP failure, you would have received an OTP when that login attempt was made (unless your OTP delivery mechanism is not email or SMS based).

You should explore the possibility that your password may have leaked. Do a search on HaveIBeenPwned to see if any of the websites where you have used that email were compromised. It is likely that you may have used the same password for signing up to a trivial service and forgot all about it.

The intention of the attacker was not to use your email to enroll in these services; rather, it looks like an attempt to verify if you are a user of any of those services. Most sign up options would ask you to login instead of sign up if you have an existing account with them. From the looks of it, the attacker wanted to identify the services you are already enrolled in with that email and wanted to try the same password on them.

To sum it up again, yes you should be concerned. You should explore why you are being targeted in the first place and how that initial password compromise may have happened.

scohe001
hax
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/103015/discussion-on-answer-by-hax-my-email-address-is-being-used-to-enroll-for-online). – schroeder Jan 08 '20 at 07:35
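The password-leak check this answer and Conor Mancone's comment recommend can be done without sending the password anywhere: the Pwned Passwords API takes only the first five hex characters of the SHA-1 hash and returns every known suffix under that prefix, so the match is made locally. The following is an added illustration, not code from the answer or from Have I Been Pwned; the `fetch_range` network call uses the real range endpoint, but the sample response body below is constructed for the example and the count in it is invented.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords k-anonymity range API.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.

    Only the prefix ever leaves the machine; the suffix is compared locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line, CRLF or LF) and
    return how often the given hash suffix appears in known breaches (0 if absent)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        cand, _, count = line.partition(":")
        if cand.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a 5-char prefix (requires network; not used by the tests)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-example"},  # assumed identifier for this example
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of breach occurrences of `password`; `fetch` is injectable for offline use."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample body for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffixes other than the second line, and every count, are made up here.
SAMPLE_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\r\n"
    "2A8D3B15F5C6E7C1E9B1C0D8A2F4E6B7C9D:3\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample above."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-nobody-else-used"):
        print(pw, "->", pwned_count(pw, fetch=offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; a non-zero count means the password (not necessarily your account) appears in a public breach corpus, which is exactly the "someone else already used it" scenario the comment raises.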
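The account-discovery step this answer describes works because many sign-up forms answer differently depending on whether the address is already registered. The following added example (not from the answer, and not any real service's code) models a leaky registration handler next to one that returns the same response either way and moves the distinction into the email that is sent; the account set and outbox are constructed for the illustration. Note that in both versions the address owner still receives mail, which is what the original poster is seeing.

```python
from typing import Callable

# Constructed data for the example: registered accounts and an outbox stand-in.
EXISTING_ACCOUNTS = {"alice@example.com", "bob@example.com"}
OUTBOX: list[tuple[str, str]] = []


def queue_mail(to: str, subject: str) -> None:
    """Stand-in for a mail queue; real code would send asynchronously."""
    OUTBOX.append((to, subject))


def signup_leaky(email: str) -> dict:
    """Enumerable: an attacker learns from the status code whether the account exists."""
    if email in EXISTING_ACCOUNTS:
        return {"status": 409, "message": "An account with this email already exists. Please sign in."}
    queue_mail(email, "Verify your email address to finish signing up")
    return {"status": 200, "message": "Check your inbox to verify your address."}


def signup_hardened(email: str) -> dict:
    """Non-enumerable: identical response either way; the branch happens out of band."""
    if email in EXISTING_ACCOUNTS:
        # The legitimate owner is told what happened; the requester learns nothing.
        queue_mail(email, "Someone tried to sign up with your address; use password reset if that was you")
    else:
        queue_mail(email, "Verify your email address to finish signing up")
    return {"status": 200, "message": "If this address is eligible, you will receive an email shortly."}


def enumerate_accounts(handler: Callable[[str], dict], candidates: list[str]) -> list[str]:
    """What the attacker runs: addresses whose response reveals an existing account."""
    return [e for e in candidates if handler(e)["status"] == 409]


if __name__ == "__main__":
    probe = ["alice@example.com", "carol@example.com"]
    print("leaky   :", enumerate_accounts(signup_leaky, probe))
    print("hardened:", enumerate_accounts(signup_hardened, probe))
    print("mail sent:", OUTBOX)
```

The hardened handler still lets the attacker cause mail to be sent, so rate limiting per source and per target address is the remaining control; what it removes is the cheap yes/no oracle that makes a harvested credential list worth testing service by service.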
8

The use of your email to sign up for services might be a coincidence and not being done by the party who logged into your account. I get a dozen of these types of "mistakes" a week from around the world due to my fairly generic email account. So, this set of events might not relate to the person who logged in.

However, there are a couple of scenarios that I see if there is some kind of correlation between the two events:

Scenario 1: Innocent Intent

The logged-in party tried to log into what s/he thought was their account to get access to the email and, using your weak password (as you have admitted), got lucky enough to log in. They have kept on using the email to sign up for things thinking that it is truly theirs.

Along with the dozens of wrong emails I get, I also get quite a lot of "password reset" attempts. While some of those might be hackers trying to get in, the volume, and the fact that they come in bursts, suggests that these are people trying to get into what they think is their own accounts.

The risk in this scenario is very low since everyone involved has no ill intent and things were done by mistake. They might get frustrated that they have lost access to what they thought was theirs.

Scenario 2: Email Harvesting Bot

There are automated scripts out there that try to bruteforce all kinds of accounts for the purposes of selling access to those accounts. I run my own honeypots and I get these all the time. The pattern is that the bot tries to log in, then once login succeeds, it simply stops. Its job is only to register the correct credentials. It is then exposed or sold off to those wanting to use it. In my experience, I see the successful automated brute force which suddenly stops, then days later, I get people logging in from around the world and running malicious scripts by hand. (I do presentations where I show how the hackers work command by command once they gain access. Sometimes it gets quite hilarious.)

With your weak password, one of these bots could have discovered the correct credential, stopped, registered it in a database, then moved on. It might not even know that Google blocked it from going further. Now people are using your email from that database as a known "hacked account" to sign up for services, not knowing that the bot's activity was discovered and you changed the password.

Why seemingly random services? To bypass bans on their main accounts, to launch forum bots, spam bots, reputation or like bots, or a whole host of automated unkindnesses.

The risk here is that your email is now well-known to malicious actors who know about it because they want to exploit it. After a while, they should stop using your email and move on to another of the thousands available. But you are now on a list.

Concern

Should you be concerned? Yes. But only so far as the need to strengthen your password (longer password, 2FA, more monitoring, etc.). It looks like your risks and threats are limited and you have responded appropriately.

schroeder
  • 3
    The "innocent intent" section strikes me as _wildly_ unlikely. The odds that someone from another country would believe that they registered the same email address **and** accidentally guessed the password are just too much coincidence for me. – Michael Jan 08 '20 at 16:03
  • Supporting evidence: How many people in the Philippines need to register an account with a Nissan dealer in Pennsylvania? – Michael Jan 08 '20 at 16:55
  • @Michael it depends on how weak that password really was. The different country point is an odd one to bring up. You have no idea what country the OP is from or if their email account has any cultural connection to the Philippines. I get people signing up for stuff all around the world using my email address. And this is Gmail, it's global. – schroeder Jan 08 '20 at 17:02
  • @Michael lots of Filipinos in Pennsylvania ... – schroeder Jan 08 '20 at 17:04
  • 1
    As to your point about likelihood, once we eliminate the ethnic and national assumptions, the likelihood all comes down to the weakness of the password. The weaker the password, the more likely this becomes. I, too, think the bot is more likely, but the innocent explanation still needs to be considered. Only focusing on the malicious puts blinders on the situation. – schroeder Jan 08 '20 at 17:06
  • 1
    @Michael I have had people innocently sign up for services using my email account *many* times, the worst offence involving someone who registered for a paypal account using my email address in France. Apparently lots of people think that my email address is their email address. If I also happened to use a weak password and didn't have 2FA enabled, I could certainly end up in exactly the situation that schroeder is describing. It may not be the most likely circumstances in all cases (or even this one), but it is still worth discussing. – Conor Mancone Jan 08 '20 at 17:43
  • @schroeder It's true I have no idea where OP is from, but the implication is likely "not the Philippines" and possibly "not Penn." Certainly there can be plenty of Filipinos in Pennsylvania, but the various scenarios that fit a Philippines IP for GMail and then within 2 weeks a Nissan sign-up in Penn are yet a further mental stretch (e.g. VPN, moved to USA in that 2 weeks, buying a car on behalf of someone else, ...) – Michael Jan 08 '20 at 18:23
  • @ConorMancone (and schroeder): I absolutely understand that people mistakenly sign up for things with someone else's email address. There's even [an XKCD](https://xkcd.com/1279/) about it. But the chance that someone did so, for a bunch of sites, within two weeks of a successful and suspicious password guess, are vanishingly small. I presume that OP would have mentioned it if the erroneous sign-ups happened all the time before the message from GMail. – Michael Jan 08 '20 at 18:29
  • In the 18 months since I posted this, those emails have basically ceased, so I think scenario #2 is likely. Thanks for pointing that out and sorry I forgot to award the points until now :-) – Wes Sayeed Oct 31 '21 at 00:01
3

You shouldn't be concerned.

Just as you said yourself, the attacker was blocked and you have changed the password. There are, however, some actions you should take:

  1. Verify that the discovered password does not hint at any other password you may have used anywhere else.
  2. Harden passwords of other accounts you hold that the attacker may deduce from the attacked address.
  3. Try the 'reset password' feature on those sites where the attacker enrolled you. This way you can verify that they in fact did not gain access to your email (by verifying they did not finish the sign up process).

As to your last question, this is a long shot, but it might be an automated system that found out your password, and the attacker failed to notice the multi-factor authentication (?).

MiaoHatola
  • 4
    By reset you have premeditated the incident. As priority setup OTP/2FA with Google authentication, and never worry again. Then do it on all the accounts you care about and never lend it to A.Hacker even if she asks nicely. – user2505690 Jan 06 '20 at 06:59
  • In order to better explain the attack to the OP, I would also suggest that the plaintext password could have been discovered after one of several data leaks. Haveibeenpwned provides a service to check whether a plaintext password is known or not. E.g. my old Linkedin password was *pwned*, is publicly known, and is not being used any more. – usr-local-ΕΨΗΕΛΩΝ Jan 07 '20 at 11:23
2

As far as I am aware, MFA only protects your login to the GMail web mail service. If the attacker could successfully guess your password and you have IMAP client access enabled on your GMail account, he would still have had access to your emails up to the time where you changed the password. You should definitely review those access settings, check the trash and sent folders for anything that might have been left by the attacker, and decide further actions based on the findings.

WooShell
    Google's help center implies that accessing via IMAP will require an app password: https://support.google.com/mail/answer/7126229 (details under troubleshooting). I tried connecting my Gmail account via IMAP and it wouldn't work without 2FA (Thunderbird appears to support this for Gmail specifically). – joshhendo Jan 07 '20 at 14:51
  • @joshhendo thanks for that clarification. I haven't used GMail for many years now, but it used to work with just the account password back then. Seems this has been fortified since. – WooShell Jan 07 '20 at 14:56
  • 1
    @joshhendo BTW if one doesn't use 2FA for google, one can still use mail password for IMAP access, although gmail will recommend to "disable unsecure app access" and use app passwords instead (at least it worked that way two months ago). – Matija Nalis Jan 07 '20 at 21:48
0

I have been getting "thanks for signing up" emails. But this does not imply that they know my password, only my email address. My password is randomly generated, about 50 characters, and I have been using 2FA for years. I change it regularly. I just mark them as spam and ignore them.

Rick9004
-3

Also, if the attacker didn't gain control of the account, why use it to enroll in all these services?

First of all, some of the spam you are getting might actually be phishing attempts to lure you into revealing your password.

Second reason, and maybe the most obvious: since all those sign-in attempts generate security notifications, the hacker obviously wants to 'drown' those notifications in a deluge of spam. Indeed you are more likely to dismiss the notifications as spam.

Kate