Your Gmail Hacking Finale: Official Advice From Google

In the week and a half since my wife's Gmail account was taken over, I've learned a lot about "cloud" security in general, the difference between average-user and expert-insider views on the topic, the world geography of hacking, the economic logic and illogic of hacking, the habits that make for "unsafe" and "less unsafe" reliance on the cloud, and so on. I will go into these in greater depth later on, probably in a "real" article.

I've also heard from a broadening stream of people whose accounts have similarly been taken over. The most desperate-sounding are those who have regained control of their Gmail account after a hack, only to find that all the information they thought was eternally nestled in the cloud had disappeared. The embarrassing picture of you at a drunken party will never vanish from the internet, but your working files and correspondence might. This is a generic cloud problem rather than one specific to Gmail, but I'm hearing about it with Gmail cases. For instance:

On Monday, April 11, I woke to a call from my neighbor checking to see that I was safe and had not been mugged in Wales. The call was surprising enough, but the events that followed were devastating. I opened my gmail account a little after 7 am and I believe all my email was intact. I reported the breach and received a link to reset my password. I logged back in and all my email was missing, years of email, not only in the inbox, but the sent mail and dozens of folders of filed mail. In addition, all my contacts disappeared. My folder tree was completely intact, but every folder was empty.
I spent the next hours following every piece of advice I could find on Google support and reported the missing email and contacts and requested that Google try to recover it. On April 12, after filing other reports and giving more information, I received an email saying that Google had retrieved what email it could and that "We unfortunately will not be able to respond to any further emails on this case." The email recovered dated back to February 25th and consisted of mostly email that I had actually deleted and some sent mail, a tiny portion of what was in the account.

What I've learned from this flow of information, much of which I have shoveled on to Google and asked for their response, is that there is a huge gulf between how "normal" people think about their cloud-based email records and what the professionals know. Simply put:

- Normal people think their cloud-based email is safe, conveniently backed up, and easily recoverable if anything goes wrong.

- The pros realize that it is not -- or that it might not be, and that users should protect themselves accordingly.

I think that Google and other companies have under-stressed this reality. In the messages I've received from users who've lost their entire archives, not one has included something like "I always knew this could happen" or "I understood that I needed to have my own back ups, because my online mail might permanently disappear." As I mentioned earlier, I have always made on-disk backups of all my email (with those backups backed up elsewhere), but I was semi-embarrassed about this as primitive, Old World behavior. Unfortunately not.

So, as a public service, plus as a way of sparing myself the chore of explaining this in separate emails to the next 50 people who write in, here is a summary of the on-the-record responses I've gotten from Jay Nancarrow, a Google spokesman, and others there about various email security and recovery issues.

1. The most important thing you can do is protect your own account. And to Google's credit, they now offer, free, a tool that makes it almost impossible for anyone to get into your account remotely, as happened in the cases I have heard about. This tool is the famous "two-factor authorization," for which you can read the official Google description or my reference, or a security-pro's analysis. If you apply this system you can probably stop worrying about this whole nightmare-scenario -- and may not need to keep reading after the jump. (Or, if you're seeing this post on a single page, below.)

1A. Another thing you can do to protect yourself is to make your own local on-disk backups, as I previously described and as Google explains.

1B. And, just for the record, in principle you should never use the same password on more than one site. A Google friend says, "If one uses the same password at and, then when is compromised, that gives criminals your password and often email address to try at; even when reliable is as reliable as Google this would give criminals access. And when your user name at is your email address then using the same password is catastrophic to security. Solution: use a different password absolutely everywhere." I will confess that I have not yet fully implemented this plan.

Presented by

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne. More

James Fallows is based in Washington as a national correspondent for The Atlantic. He has worked for the magazine for nearly 30 years and in that time has also lived in Seattle, Berkeley, Austin, Tokyo, Kuala Lumpur, Shanghai, and Beijing. He was raised in Redlands, California, received his undergraduate degree in American history and literature from Harvard, and received a graduate degree in economics from Oxford as a Rhodes scholar. In addition to working for The Atlantic, he has spent two years as chief White House speechwriter for Jimmy Carter, two years as the editor of US News & World Report, and six months as a program designer at Microsoft. He is an instrument-rated private pilot. He is also now the chair in U.S. media at the U.S. Studies Centre at the University of Sydney, in Australia.

Fallows has been a finalist for the National Magazine Award five times and has won once; he has also won the American Book Award for nonfiction and a N.Y. Emmy award for the documentary series Doing Business in China. He was the founding chairman of the New America Foundation. His recent books Blind Into Baghdad (2006) and Postcards From Tomorrow Square (2009) are based on his writings for The Atlantic. His latest book is China Airborne. He is married to Deborah Fallows, author of the recent book Dreaming in Chinese. They have two married sons.

Fallows welcomes and frequently quotes from reader mail sent via the "Email" button below. Unless you specify otherwise, we consider any incoming mail available for possible quotation -- but not with the sender's real name unless you explicitly state that it may be used. If you are wondering why Fallows does not use a "Comments" field below his posts, please see previous explanations here and here.

Before Tinder, a Tree

Looking for your soulmate? Write a letter to the "Bridegroom's Oak" in Germany.


Before Tinder, a Tree

Looking for your soulmate? Write a letter to the "Bridegroom's Oak" in Germany.


The Health Benefits of Going Outside

People spend too much time indoors. One solution: ecotherapy.


Where High Tech Meets the 1950s

Why did Green Bank, West Virginia, ban wireless signals? For science.


Yes, Quidditch Is Real

How J.K. Rowling's magical sport spread from Hogwarts to college campuses


Would You Live in a Treehouse?

A treehouse can be an ideal office space, vacation rental, and way of reconnecting with your youth.

More in Technology

From This Author

Just In