On the Gmail Hack: You Do Not Want This to Happen to You

This morning in the email inbox are messages from five new people using Gmail on the "Help! I ,have been mugged at GUN POINT! ,in Spain , please wire me your Moneys now" theme I mentioned earlier. All quite amusing. But I make these points as earnestly as I can:

1) This does not have to happen to you. You can reduce virtually to zero the risk of your Gmail being taken over by applying the free, sophisticated two-step verification process that Google has (admirably) been rolling out in the past few months. I'll spare the details now; the how-to is at their site. The conceptual point is, if you apply this system no one can get into your account remotely.* Not from Tianjin, Lagos, Leningrad, or Los Angeles. That is a huge difference in security, and you can apply it with minimal (though not zero**) bother.

2) You definitely DO NOT WANT this to happen to you. Is there any risk you expose yourself to if your account is taken over, worse than being the source of semi-literate appeals for emergency cash?

Yes. The risk you expose yourself to is the potential unrecoverable loss of all your cloud-based data. Someone in control of your account could mark the entirety of its contents for "permanent deletion." (It's easy: you send all messages to Trash; then you press "Empty Trash Now." Poof, it's gone.) As Google explains on its official Gmail support site, if this happens, then in principle the data cannot be retrieved. Think about that and its ramifications for a moment. I don't know whether that has happened to the five people I received emails from this morning. But I know of at least four people it has happened to in the past week.

3) There are other ways you can back up your data. As that same official Gmail posting says, you can make local copies, on your own computer's hard drive. You do this using the POP or IMAP protocol, to make copies in an email client like Outlook, Apple Mail, Thunderbird, whatever. You can follow the how-to instructions from the Gmail site. I've done this for years, just because of paranoia left over from the dawn-of-computing era. You're never sorry to have another copy of something you don't want to lose.

Bonus reading: a series of wonderful posts on the Gordon's Tech site, from someone who now uses the two-step system and whose Gmail account was hacked last year, gives you all the detail I'm skipping about security measures that make sense and don't. For instance: his experience in applying the two-step system; how to think about passwords if you apply this system (summary: you can go back to an easy, "weak" password, since it's no longer the main defense) and related password thoughts; and lessons of being hacked.

A friend wrote last night to say: this two-step stuff seems like a bother. Is it worth it? Consider point #2 above, and answer the question for yourself.

* The conceptual point is: without the two-step process, anyone who guesses or cracks your password can get into your account, from any computer anywhere in the world. With the two-step process, a hacker would need your password and also physical control of your own normal computer, on which you had previously entered the code, or your own mobile phone that receives new authorization codes. It could still happen, after a theft or break-in. But no one sitting in an internet cafe overseas could get into your files.

** UPDATE: The one part of the process that is cumbersome is entering "Application-specific passwords" for certain devices or applications other than your normal email site. In my case, I had to enter, once-only, this different code to get Gmail on: my Android phone, my iPad, my Thunderbird and CloudMagic programs that log into Gmail; and some others. Prepare for this one hassle, which the Gordon's Tech site covers, plus official instructions from Google. Here is another entreaty from PCWorld about why the hassle is worthwhile.
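The local-copy backup from point 3, done over IMAP with the application-specific password the update above describes, as an added example (not the author's code and not Google's). It assumes Google's IMAP host imap.gmail.com and the English-locale folder name "[Gmail]/All Mail"; the two sample messages are constructed so the archiving step can be exercised offline without an account.

```python
import imaplib
import mailbox
import os
import tempfile

# Assumptions, not from the post: Google's IMAP host and the English-locale
# name of the folder that holds every message (other locales name it differently).
IMAP_HOST = "imap.gmail.com"
ALL_MAIL = '"[Gmail]/All Mail"'


def archive_messages(raw_messages, mbox_path):
    """Append raw RFC 822 messages to a local mbox file; return its message count."""
    box = mailbox.mbox(mbox_path)
    try:
        for raw in raw_messages:
            box.add(raw)  # stored verbatim behind a generated mbox envelope line
        box.flush()
        return len(box)
    finally:
        box.close()


def read_subjects(mbox_path):
    """Subject of each archived message, to confirm the local copy is readable."""
    box = mailbox.mbox(mbox_path)
    try:
        return [msg["Subject"] or "" for msg in box]
    finally:
        box.close()


def backup_gmail(user, app_password, mbox_path):
    """Log in with an application-specific password and copy All Mail locally."""
    with imaplib.IMAP4_SSL(IMAP_HOST) as conn:
        conn.login(user, app_password)
        conn.select(ALL_MAIL, readonly=True)  # read-only: a backup never alters the server copy
        _, data = conn.search(None, "ALL")
        fetched = (conn.fetch(num, "(RFC822)")[1][0][1] for num in data[0].split())
        return archive_messages(fetched, mbox_path)


# Constructed sample messages so the archive step can run offline.
SAMPLE_MESSAGES = [
    b"From: alice@example.com\nTo: me@example.com\nSubject: Lunch?\n\nNoon works.\n",
    b"From: bob@example.com\nTo: me@example.com\nSubject: Invoice 42\n\nSee attached.\n",
]


def demo_offline():
    """Archive the samples to a temporary mbox and read them back: (count, subjects)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "backup.mbox")
        return archive_messages(SAMPLE_MESSAGES, path), read_subjects(path)
```

The resulting mbox file opens directly in Thunderbird or any other client that reads mbox, which is the point: a copy the account's current controller cannot empty.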

Also, see The Guardian on whether these attacks are ripple effects of the mammoth Gawker hack last December, which revealed user names, email addresses, and passwords for more than a million people.