Google says someone got my password - what next?

Teggy

Member
Oct 25, 2017
9,716
I just got an alert from google that someone tried to log in with my password. This is a strong password generated by iOS and only used for that one account.

I’ve changed that password, but realistically, what’s my exposure?

I’m not specifically sure how someone could have gotten my password. I was on university guest wi-fi this weekend, so maybe there?

What are the odds that other passwords have been exposed? For anything that matters I have two factor set up.
 

Kthulhu

Member
Oct 25, 2017
8,809
I say just reset it to be safe. Make sure you go though Google's site if possible. If you don't have 2FA setting it up now wouldn't hurt.
 
OP
OP
Teggy

Teggy

Member
Oct 25, 2017
9,716
I say just reset it to be safe. Make sure you go though Google's site if possible. If you don't have 2FA setting it up now wouldn't hurt.
Yeah, I already updated it and have max security on that count. It’s just a bit disconcerting when a complex password somehow gets out. The security a lot of sites have on logins now is very helpful.
 

lake

Member
Oct 27, 2017
717
Google will sometimes generate an alert like this if you attempt to log on from a novel location / IP address. It happens all the time when I use a VPN service. So, it could be a false positive due to the guest Wi-Fi thing.

But not necessarily. Good that you're investigating it.
 
OP
OP
Teggy

Teggy

Member
Oct 25, 2017
9,716
Google will sometimes generate an alert like this if you attempt to log on from a novel location / IP address. It happens all the time when I use a VPN service. So, it could be a false positive due to the guest Wi-Fi thing.

But not necessarily. Good that you're investigating it.
Yeah, timing wise that unfortunately doesn’t line up. I’m at the gym, but later I will see if there is better info in the account. All I saw via my phone was a MAC address.
 

Stinkles

343 Industries
Verified
Oct 25, 2017
12,222
I got a similar message and it was an overzealous warning that was actually me signing in from a rarely used machine. Take a look at your activity log in your google account. It may simply be using chrome at your moms house.

I never received one before but I was able to confirm it was me and where and when it happened.

Something like account settings/activity/more activity but the feature is a bit buried- so make sure you’re looking at the right part.

And double check your time zones-
 
OP
OP
Teggy

Teggy

Member
Oct 25, 2017
9,716
I got a similar message and it was an overzealous warning that was actually me signing in from a rarely used machine. Take a look at your activity log in your google account. It may simply be using chrome at your moms house.
But I haven’t been to my moms house recently AAAAAaaaaaaaa

I will check when I can
 
OP
OP
Teggy

Teggy

Member
Oct 25, 2017
9,716
So I believe what I thought at a glance was a MAC address is actually an IPv6 address. Using whois it maps to 380.com, which brings up a page with Asian characters. Google claims that the attempt was made in "the United States", so who knows if that's accurate.
 

Fiction

Fanthropologist
Moderator
Oct 25, 2017
1,761
Run a scan on your machines to make sure you do not have a keylogger
 

lake

Member
Oct 27, 2017
717
You have 2 factor on, right, OP?

If not, turn on 2 factor, with an app, not with sms
Good advice.

Personally, after enabling 2FA I also suggest finding a good 2FA app (I think andOTP is best, Authy is an OK but less great choice), switching the account to that, and then removing the phone number from the Google account. Phone companies are one of the most easy-to-compromise attack vectors; all it takes is one successful social engineering attempt and the attacker has control of your phone number, and by extension, any associated 2FAs. Bad. News.

Google sucks in that they require you do your initial 2FA setup via the less secure phone-based scheme. Only then do they let you switch to an app. After switching to the app (test it, be sure it works!) you can then remove the phone number from the Google account.

What if your phone's broken or physically stolen? To prepare for that you can both have Google generate a list of one-time-use passwords (guard these closely), and make sure that your 2FA app is making regular, off-device backups of your 2FA secrets (the strings of characters / QR codes you used to setup a given 2FA). As long as you have those secrets backed up somewhere safe you can easily restore them on another device, like a replacement phone.

Authy makes this easiest by integrating cloud-based secrets backup, but when my phone was stolen I actually found Authy's restore process a little too convenient. As in, potentially exploitable by a smart attacker. That's one reason I prefer andOTP. My suggestion is to enable regular andOTP secret backups and then use something like SyncThing (amazing software) to send the backup file somewhere safe.

This may sound like a lot. But it's easily manageable once you get started.
 

Darryl M R

Member
Oct 25, 2017
4,504
How do I know that it's really you OP and not the hacker pretending to be you?

But on a serious note, like others said make sure you have 2FA enabled whenever you can. I'm really concerned that bad actors will try to target cellphone providers soon to gain access to our data. How often does the average person change their phone number? Probably never.
 
OP
OP
Teggy

Teggy

Member
Oct 25, 2017
9,716
You say tried

Did they actually log in and you got the email saying a login happened from a new location.
The way it works with google is if someone tries to log in from a different location and browser with correct login info, it blocks the login and alerts the real owner. If I want to login from a new place I have to open the google app on my phone and confirm that I’m trying to login and also match the number shown on the screen.