At Google I asked Bryant Gehring, of Gmail’s consumer-operations team, how often attacks occur. “Probably in the low thousands,” he said. “Per month?,” I asked. “No, per day,” followed by the reassurance that most were short-lived “hijackings,” used to send spam and phishing messages, and caused little or no damage, unlike our full-out attack. My wife and I, having heard from half a dozen friends who’d recently had similar problems, had innocently imagined that we all were part of some general upsurge in Gmail attacks. In our grandiosity, we thought it was perhaps even aimed at journalists. But according to the experts, while there are more e‑mail attacks worldwide than a year ago, it was mere coincidence that people we knew had been hit around the same time. On average, half a dozen accounts are taken over every two or three minutes, round the clock, including now.
Why are so many accounts so vulnerable? Again we were naive in the assumptions we’d made about our own case. We’d just returned from China, where everything about Internet use in general and Google services in particular is insecure and fraught. Had some malware made its way onto our computers? What about that time my wife entered her Gmail username and password on a public terminal at the airport in Zhuhai? Might it have had a keystroke logger, recording names and passwords for later misuse?
Perhaps it did, but that didn’t seem to be our problem. As in the great majority of hacking cases, my wife had been using the same password for her Gmail account as for some other, less secure sites, where her username was her Gmail address. (Who hasn’t done this?) And one way or another, a list of e‑mail addresses and associated passwords from one of those sites had made its way to hackers. A possible source was the notorious Gawker hack of 2010, when more than a million e‑mail addresses and matching passwords for people who had registered on Gawker sites were stolen. “If you have ever used the same password in more than one place, you have reduced your overall safety record to whichever site had the lowest amount of protection,” Jones told me during my visit. Yet this is an overwhelmingly common practice. An analysis of posted username/password combinations after several recent hacks showed that in two-thirds of the cases, if you knew a user’s password for one site, you knew it for another.
It’s possible, too, that my wife’s password was simply “guessed,” though in a different way from what laymen might assume. Guessing less often involves social engineering—trying your birthday or your hometown or your relatives’ names—than “brute-force attacks,” in which a hacker’s computer tries every word or combination of words in existence, in a variety of languages, to see if it finds a match. From most officials, I heard reminders that if a password can be found in a dictionary, that password is not safe. Andrew Kovacs, communications manager for the Google security staff, added: “And those tricks about changing E’s to threes and O’s to zeros? Sorry to tell you, but the hackers have thought of those too.” Several of the people I spoke with pointed out that brute-force attacks have recently become much more effective, as hackers have taken advantage of the powers of new computer-graphics chips, which can handle certain kinds of computations even more quickly, and with more parallel processes running simultaneously, than a computer’s central processing chip can. These turn out to be the computations necessary for producing password hacks.
My wife’s password was judged as “strong” when she first chose it for use with Gmail. But it was a combination of two short English words followed by numbers, so if it didn’t leak from some other site, it might just have been guessed in a brute-force attack. For reasons too complex to explain here, even some systems, like Gmail’s, that don’t allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks.
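As an added illustration, not from the article: a small Python audit check that undoes the E-to-3 and O-to-0 style substitutions and strips trailing digits before testing a password against a word list, so that the two patterns described above (a "leet-speak" dictionary word, or two short English words followed by numbers) are flagged as guessable. The word list and the sample passwords are constructed for the example; a real audit would load a full multi-language dictionary.

```python
import re

# Constructed sample word list; a real audit would load a full dictionary
# (in several languages, as the article notes).
WORDLIST = {"blue", "sky", "dragon", "password", "summer", "river", "rock", "star"}

# Undo the letter-for-digit substitutions that cracking word lists already expect.
LEET_MAP = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def is_one_or_two_words(core: str) -> bool:
    """True if core is a single dictionary word or two concatenated ones."""
    if core in WORDLIST:
        return True
    return any(core[:i] in WORDLIST and core[i:] in WORDLIST
               for i in range(1, len(core)))


def classify(password: str) -> str:
    """
    Return why the password is guessable, or "ok".

    Three candidates are tested: the lower-cased password with substitutions
    undone, and the password with trailing digits/punctuation removed, with and
    without substitutions undone. "Word plus digits" is a standard cracking rule,
    so the trailing numbers add almost nothing.
    """
    pw = password.lower()
    if len(pw) < 8:
        return "too short"
    core = re.sub(r"[^a-z]+$", "", pw)  # drop trailing digits and punctuation
    if not core:
        return "no letters"
    for cand in {pw.translate(LEET_MAP), core, core.translate(LEET_MAP)}:
        if is_one_or_two_words(cand):
            return "dictionary word(s)"
    return "ok"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Dr4g0n!!", "bluesky1999", "P@ssw0rd!", "12345678", "q7!Vm2#xLp9"):
        print(f"{sample:14} -> {classify(sample)}")
```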
Once her password got out, it ended up, according to later sleuthing by officials at Google, in the hands of someone possibly in Côte d’Ivoire but probably in Nigeria. My wife and I could again flatter ourselves that we were the objects of Chinese state security, but the probable truth is more mundane—“it’s like being the victims of pickpockets,” as Jay Nancarrow, of the Gmail team, put it. Why Nigeria? All of the people I spoke with had thought about this question—“I think about it every day,” Bryant Gehring said—and no one had a fully convincing answer. Their hypotheses involved some combination of talent, opportunity, and lack of legal controls. “They have the Internet, they can get rich this way, there’s not really a lot of government enforcement,” Gehring said. “For a lot of crafty people, it can be the best way to make a living.” That could apply to a lot of places, but it seems to be most relevant to West Africa.
In “The Chilling Story of Genius in a Land of Chronic Unemployment,” this past May in TechCrunch, Sarah Lacy portrayed a number of the hackers she had met in Lagos. In other circumstances, she said, the best of them might have been like Sergey Brin or Max Levchin, the immigrants who co-founded Google and PayPal, respectively. They were that clever and technically gifted. Or, more modestly, they could have been like the engineers and managers I’ve met over the years at Google, Microsoft, Intel, and other companies, at least half of whom were born and raised overseas. But these hacking entrepreneurs couldn’t get out of Nigeria, and so they dealt with the outside world via “Mugged in Madrid” messages. Shreyas Doshi, a Google senior project manager, said that the company had run analyses to see how much money the scams might produce. “With a variety of assumptions, we believe they could easily make about $500 a day, if not more,” he said; that many people fall for these scams.
The greatest practical fear for my wife and me was that, even if she eventually managed to retrieve her records, so much of our personal and financial data would be in someone else’s presumably hostile hands that we would spend our remaining years looking over our shoulders, wondering how and when something would be put to damaging use. At some point over the past six years, our correspondence would certainly have included every number or code that was important to us—credit-card numbers, bank-account information, medical info, and any other sensitive data you can imagine.
The long siege of identity theft could still happen, and I have put all the credit-card companies on alert. But a few months into our post-hacking life, we’ve seen no indication of trouble, and according to the Google officials, the hacker would depart from past patterns if he began using the data in the way we most feared. “We haven’t had a major incident with credit-card [numbers obtained from scanning Gmail] yet,” Bryant Gehring said. The economics of hacking are constantly changing, so we are still on guard. But security officials at Google and elsewhere said that for talented hackers in Lagos or Abidjan, it is generally safer and more rewarding to collect money at Western Union, which can be done virtually untraceably, as opposed to poring through e‑mail archives in search of data to create identity-theft schemes. Why, then, did the hacker bother to erase all the archives? “Because he—or she—was a good hacker,” Gehring said. “He wanted to make it harder for you to get in touch with all your contacts and warn them not to send money to Madrid. You remember their names but probably not all their e‑mail addresses.” Many e-mail hackings, whether on Gmail or another major system, involve deletion of mail that arrives after the hijacking; only a destructive minority involve a complete zeroing-out of the archives like what happened to my wife.