Possible gmail security breach. Please help.

jamesra

I sent the email that follows to the only Gmail support address I could find. Normally I would simply dig through support doc until the end of time, but nothing on the Gmail help site points me in even a faintly correct or correct seeming direction and I'm pretty concerned. The email I'm going to quote below summarizes my problem as best I can. I've tried everything I can think of, and while I may well have missed something (so yeah, run the obvious) I'm pretty sure I haven't and I'm experienced enough to have a pretty long list before I run out of obvious. If I cant' fix this soon, I'm going to have to try and run my own mail server again, which will be maddening and unreliable and basically less good on most levels, but at least will belong to me. Email below:

---

Sorry for the subject line. But I am extremely disturbed. I am getting this message from the chat window:

"Oops! You are not invisible because you're logged into Google Talk from another client, device, or location that doesn't support invisibility."

However, no other devices that I use to log into Gmail or other Google services are currently even turned on. Further, I have ordered all sessions other than my current one to log out. The message persists. I cannot find any advice on the help site, nor anything that looks remotely applicable, and this feels more urgent than something that can be dealt with at length. No other strange activity seems to be taking place. I have changed my password, and revoked all one-time credentials. Still, it persists.

FYI, I do use 2-factor authentication on this account. There are currently no applications that should have access to gmail other than my iPhone and ipad iOS gmail apps. There are a couple of currently unused apps that have sought access to gmail accounts to do their thing, but they are either local to this machine or used to communicate between this machine and an iOS device (said devices being turned off). All one time credentials have been revoked. It feels not like I've been hacked or phished or otherwise attacked, but as though I've somehow been... infected with some kind of server side worm. It is scaring the shit out of me, frankly. Getting attacked is bad enough. Being unable to even accept the damage and move on is vastly more terrifying, and nothing that I can do

As I wrote this, after changing my password, the gchat session briefly shifted to invisible. My session then reset and it returned to its current, disturbing state.

Please help. I'm extremely alarmed that nothing I do seems to stop some unknown device from accessing my account. As indicated, I'm really concerned.

---

As you can see, as I was writing that I was still troubleshooting. I haven't a clue what is causing this and it is really making me antsy. I did have my iPad stolen on the 20th of Febuaray (I've replaced it) but I wiped it as soon as it became evident that the person who'd stolen it was really a thief and not just an opportunist or someone with good intentions. (ie, they had really stolen it when my back was turned --slightly more complex, but that gets the jist -- rather than my being absent minded). There were at most 45 minutes (and probably more like 15) between knowing it was stolen and wiping it. The thief never got off the bus while it had data on it, in any case[1]. And it was locked from the start.

As I said in the email, I'm really distressed by this. I keep telling myself it is nothing, but it has now been almost two days and I'm getting pretty freaked out. I'm afraid that I can't even log this mystery device/user/process out. This shouldn't even be logically possible, as far as I can tell.

[1] Find my iPhone+ a nearly exhaustive knowledge of Chicago transit routes. I knew that being a transit nerd would be helpful someday, although I was hoping for something more helpful and more dramatic.

Shadowhope

1. Change your password.
2. Ensure that you have control of all of the devices used for two-factor authentication.
3. If you have a backup e-mail for account recovery, ensure that that e-mail is also secure.

If all of that is done, you should be fine.

ASimPerson

Well, you said it was okay to run through the obvious...

I got the message as well until I signed out of the account on Pidgin.

jamesra

Shadowhope: I've done all that, which is why I'm alarmed. I kinda want someone to tell me it is a known bug. I feel betwixt and between; going the full nutjob and completely redirecting all traffic to some new account might be the thing to do, but it would have hideous consequences. I've had this account for almost a decade and I've be really careful with it and have never been in danger via it; I run almost all the e-parts of my life through it. Including PA, of course (although as much as I love the PA forums, that is in some ways the least scary part to lose; worst comes to worst I could build a new ID, adopt a sig and trust in my faith that the mods are not assholes and would understand the difference between a backup and an alt) but beyond PA and the obvious, it is much of my romantic history, bits and pieces of text, old love letters old arguments, old lessons. This may seem stupid, but I've got a great deal of personal history in there and even if I move my account off there and counter the obvious vulnerabilities in the material world (for want of a less hackneyed phrase) the historical stuff is almost more important.

(What comes next is a: longer than I like, and talks about a lot of personal shit that is tedious and for which I merit no sympathy BUT b: essential to understand why I am so concerned. Or at least essential to me.
This probably merits some unpacking. So: Like a non-trivial number of people who experienced child abuse (in my case some physical but the really vicious stuff was emotional coupled with the threat/certainty of physical harm) several of my early relationships featured abuse prominently. Well, two, plus some sketchy moments. The second of these involved a woman I will name Echo for this conversation. Echo has hated me with a deep passion for years, for reasons I understand but cannot make coherent. During our time together she was an violent and abusive drunk who viewed my attempting to care for her as her just due for having slept with me a dozen or so times and for having not slapped me when I had looked across a bar at her and found her quite staggeringly attractive. (And I should say, in her defense,: while she was really awful to me, I think it was mostly because I was a transition person for her; she had a pretty shitty personal history and was and is pretty damaged herself. Emotionally, I know I deserved it. intellectually I know that this is false. Erm.) So anyway, Echo sobered up after we parted company, which was a long and complex story of its own. Eventually she got a partial liver transplant, joined AA, began calling me to scream at me that I was the cause of her problems (I wasn't. She had substance problems when we met, although it is true that by the end I was routinely bringing home her handle of vodka 5 days out of seven. It as also true I used to try and get her drunk enough to pass out before she got angry enough for screaming, so that I could game or read or just sleep. So she's got something on me; I could have refused to enable but I was too lazy and cowardly.

In any event, Echo hates the shit out of me. I'm pretty kinky, and after her for the first time I started to explore that. I made some piss poor decisions and I got what I deserve (Specifically, about five years ago I went to meet a woman who claimed to be a submissive {I code as a dom. Which I know. But I'm really not an abusive asshole. Really. My kink is different}, who I met on younder internet and talked to on the phone and how sounded reasonable. So I went to pick her up and then she came on strong, and then I was attacked by several people to whom she owed money/hoped to get more crack from. As she had a crack problem. So for the next 8-ish hours I was raped and tortured for money I did not have and for the location of a woman who they could get money and entertainment from. I evaded the later request and expected to die. I was terribly afraid I would scream and beg and give up someone else to this, but in the event the police came --the former IT guy who they had dragged in to explain electronic money transfers had decided we were both doomed and when he was at the Western Union getting some of the money they had stolen had someone call the cops. So thank god for crack addicts with judgement).

I mention that for two reasons. Maybe more; this is the first time I've talked about any of this in any meaningful way. But the reason I'm worried is that a) after it happened, Echo got her husband/boyfriend/whatever to hack my computer, which was easy because I was still trying to help her and email everyone I knew telling them how I deserved it. And I fought back and she went away . And now this happened, and tonight I got call and call and cal telling me that she was going to get me good, that eveyone was going to know what a perv I am and on and one. I blocked her, but she keeps coming from different numbers.

I can deal with the phone thing. But if she gets/has my email account she can seriously fuck up my life.

And I know that much of that story was irrelevant. But I have never told it. And I don't expect anyone to care. But its been almost five years and having started I guess I just wanted to. I'm sorry to have bothered you. Thank you for any help with my Gmail.

Echo

Hey now, leave me out of our relationship.

jamesra

Echo wrote: »

Hey now, leave me out of our relationship.

Shit. I'm so sorry. I'll try and think of something else; I needed something bland that used an initial that I could associate easily. May I have until after I've slept? I'm pretty fucked up; she's calling everyone I know. I don't even know if the axis is via Gmail; it just seems likely.

I'm so, so sorry. I didn't think about handles here all. I'll try and find a way to make it up to you.

ceres

Okay, first, calm down. Echo is a grown-up, and he's joshing you. Do you have the mobile authenticator for gmail? If you are really concerned that someone is in your email and you don't have it, get it immediately. If you do have it, there is no practical way that a normal person get into your gmail without access to both your password and your authenticator. I think that chances are you're a little on the paranoid side here, but better safe than sorry and it should give you some piece of mind.

I can talk to Tube about you getting a new PA account if you really want, but honestly I don't think he'll go for it because it's simply not necessary. Change your password to something new, but other than that there's really nothing anyone can do to your posting history here. Technically, you should change all of your passwords to everywhere periodically anyway.

As far as your history on gmail goes, get your authenticator if you haven't, but if you have and you're still worried you can always make a new account you don't share with anyone, forward everything to it, and then delete it off your original account so it won't be there for someone to use for whatever nefarious purpose you or they might be able to imagine. You can continue to use your current address, but if you're worried about losing years worth of stuff you can at least back it up even if you don't want to delete it.

Also, quit blocking her, it's not worth the hassle. Just change your number. If you're like me and save every fucking thing and don't want to have to tell everyone a new number it may be hard to do, but living with this kind of harassment is not worth it, and you will breathe so, so much easier. Also consider going to the police and trying to get a restraining order if none of that works. Start a paper trail, at least. As for your friends, they probably have the idea by now that something is not right there. It will be a pain in the ass, but they won't fault you for this. MAKE SURE YOU ARE NO LONGER IN CONTACT WITH HER BY ANY MEANS POSSIBLE. Don't talk to her, don't try to help her, DO NOT ENGAGE. You are being stalked, and you need to treat it seriously and talk to the police.

Finally: therapy, nao. You need it. You need it to get through your past, and you need it for this. You need someone you can talk to on a regular basis to pick through some of this stuff and help you come out the other side. Speaking as someone who has seen some shit, done a few years of therapy, and probably could stand to have a few more when there's money for it, there is shit going on in there you don't even know is happening. The chances you will come through all of this without having it affect the rest of your life emotionally are not great. Do yourself a favor and let yourself get all the help you can.