Hacking Epidemic: No Joke, Lock Down Your Gmail Now

Two days ago my wife's Gmail account was taken over, with quite sweeping effects. SEE UPDATE BELOW. Yesterday I mentioned the two simple steps Gmail users could take to minimize the chance of such an attack, or recover more quickly if it happened.

Just in the past hour, I have received phishing messages from the Gmail accounts of ~~two~~ ~~three four~~ ~~five~~ six other friends -- starting with one in California and one in Texas -- whose accounts must have been hacked in just the same way. The (implausible) "I've been mugged in Madrid, Spain!" pitch is almost identical to the one that went out from my wife's account. The messages have also been jiggered in a way similar to (but with an interesting difference from) hers. In all cases, the "Reply To:" address has been changed on these messages, so that if you hit Reply your response goes not to the sender but to a dummy address. For my wife's case, the dummy address was a Gmail account that was a slight misspelling of her name. In these two new cases, the return address is @ymail.com rather than @gmail.com -- that is, a Yahoo mail rather than Gmail account. A message appearing to come from MyFriend@gmail.com would direct its replies to MyFriend@ymail.com. These alterations are normally concealed, but you can see them if you press the "Show details" button in Gmail.

These California friends of mine do not know the Texas friend. One of them has never corresponded with my wife. So this isn't just some ripple effect spreading from her network of contacts. I am getting these messages because I happen to be in ~~both~~ all of their address lists. At least anecdotally, something bigger would appear to be going on. Perhaps a new Gmail hack or password-capture system? Related to the mammoth Epsilon hack? Each sounds unlikely, but who knows.

But even if this is purely anecdotal and coincidental, why take a risk? If you use Gmail, protect yourself now. Change your password. Now. If you can, switch to two-step verification, as explained yesterday. Be absolutely sure you have extra "password recovery contacts," also as explained yesterday. Also, when you are on the "mail settings" of Gmail making these changes, check the "Forwarding / IMAP" tab to make sure your mail is not being forwarded someplace you don't want.

This is all a minor nuisance. Believe me, it is less of a nuisance than the ones you will be dealing with if the entire contents of your archived mail are in someone else's hands. More about this later.

Here is the phishing note just now from one of my friends' accounts, slightly altered from the one sent when my wife's account was taken over:

>>I'm sorry for this sudden request, It's because things actually got out of control. I'm Madrid, Spain. I came down here for a confrenece, i was mugged and all my belongings including cellphone and credit card were all stolen at "GUN POINT". It's such a traumatic experience for me. I need your help flying back home as i am trying to raise some money.

I've contacted my bank but the best they could do was to send me a new card in the mail which will take 2-4 working days to arrive here from [my friend's real home town, in Texas]. I need you to lend me some Money to sort my self out of this predicament, i will pay back once i get this over with because i need to make a last minute flight.

Western Union or MoneyGram is the fastest option to wire funds to me. Let me know if you need my details(Full names/location) to effect a transfer. You can reach me via hotel's desk phone and the number is, +34 981 600916891.

Waiting to hear from you,

[My friend's real nickname] <<

Do. It. Now.

UPDATE: In response to some queries, at least in my wife's case this is not just a matter of innocently spoofing her email address as the "from" line of phishing messages. Someone else had complete control of all her online data for a number of hours, with harmful consequences I will detail later. Maybe that has not happened to the people I've heard from today, but if it has, it's something you want to avoid for yourself.

About the Author

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne.

More comfortable online than out partying, post-Millennials are safer, physically, than adolescents have ever been. But they’re on the brink of a mental-health crisis.

One day last summer, around noon, I called Athena, a 13-year-old who lives in Houston, Texas. She answered her phone—she’s had an iPhone since she was 11—sounding as if she’d just woken up. We chatted about her favorite songs and TV shows, and I asked her what she likes to do with her friends. “We go to the mall,” she said. “Do your parents drop you off?,” I asked, recalling my own middle-school days, in the 1980s, when I’d enjoy a few parent-free hours shopping with my friends. “No—I go with my family,” she replied. “We’ll go with my mom and brothers and walk a little behind them. I just have to tell my mom where we’re going. I have to check in every hour or every 30 minutes.”

Those mall trips are infrequent—about once a month. More often, Athena and her friends spend time together on their phones, unchaperoned. Unlike the teens of my generation, who might have spent an evening tying up the family landline with gossip, they talk on Snapchat, the smartphone app that allows users to send pictures and videos that quickly disappear. They make sure to keep up their Snapstreaks, which show how many days in a row they have Snapchatted with each other. Sometimes they save screenshots of particularly ridiculous pictures of friends. “It’s good blackmail,” Athena said. (Because she’s a minor, I’m not using her real name.) She told me she’d spent most of the summer hanging out alone in her room with her phone. That’s just the way her generation is, she said. “We didn’t have a choice to know any life without iPads or iPhones. I think we like our phones more than we like actual people.”