How to prevent an account Hi-jack?

N.Knight · May 3, 2014

Hello
I got a message from google that someone attempted a sign-in into my account using a mobile device or some other thing. The message also said the person could have been a hijacker.

This has happened to me for the first time. I don't know how to deal with this situation. I have changed my password. Is there something else that needs to be done to safeguard my account.

The details of the Hijacker:
Friday, May 2, 2014 7:18:33 PM UTC
IP Address: 62.148.150.175
Location: Kaluga, Russia

GhostWolf · May 3, 2014

If your email is terribly important to you, use a long password (length plays a much bigger role than "complexity" (where complexity might be considered having numbers and special characters)).
If your email is even more terribly important to you, use a two-step login.

Or you can most likely discard this as a random bot or some such and ignore it.

loxie · May 3, 2014

Generally keep a good password policy. Change your password whenever attacked. Make sure to change it weekly/monthly for all your accounts. You can use software to make this transition easier, but there's nothing better than simply typing up your own password.

Dr Super Good · May 4, 2014

They might have keylogged you from something else in the browser at the time of login. It might also have been an inside personal information leak.

Whatever you do, do not use any links sent in the email to change your password as the emails themselves can be fake (from an address that sounds official but clearly is a spoof) and the link provided will direct you to a spoof site that will steal your password.

N.Knight · May 4, 2014

Thank you for replying friends

GhostWolf said:
If your email is even more terribly important to you, use a two-step login.

Followed your suggestion and now I have a two-step login.

loxie said:
Generally keep a good password policy....

I will keep that in mind too.

Dr Super Good said:
They might have keylogged you from something else in the browser at the time of login. It might also have been an inside personal information leak.

Whatever you do, do not use any links sent in the email to change your password as the emails themselves can be fake (from an address that sounds official but clearly is a spoof) and the link provided will direct you to a spoof site that will steal your password.

I don't know why someone would hijack an account like mine. I use it only for academic purposes. Namely sending and receiving research papers and study material. I have read that terrorist use hijacked emails to send threats to governments. I would never like to get embroiled in something like that.
After reading your post I am scared a bit because I did follow a link to change security settings but it was supposed to be from google. I hope it was not those 'password thieves'.

Dr Super Good · May 4, 2014

I don't know why someone would hijack an account like mine.

You might be some rich old guy who uses it for banking and has multiple millions dollars to take, I mean give away.

I have read that terrorist use hijacked emails to send threats to governments.

No... They generally use anonymous emails or third parties. They cannot afford hacked accounts as fraud crime pays too much compared to terrorism. I think you have been watching too many American crime dramas.

I would never like to get embroiled in something like that.

Well I am pretty sure no government would honestly think you were the poster, especially if they had any form of counter terrorist unit. Well maybe except for the United States of America but luckily we do not live there

. If you do live there then um... Well just move on to the next section.

After reading your post I am scared a bit because I did follow a link to change security settings but it was supposed to be from google. I hope it was not those 'password thieves'.

Probably was, I advise logging into Google now using their official site and changing password to something completely new from there just to be sure. Even if the password you "changed" is your new password they might be trying to execute a man in the middle attack (the site you visited then forwarded the input to the official site while taking copies to try and disguise the fact that it was a scam) so they can use your account later (after they have sold it, the people who gather the accounts do not use them and instead sell them on for money).

Velmarshal · May 7, 2014

If you have gmail, change your password and turn on the "two step verification login". Every time you log in, you will need to input your password and the security code which you will recieve on your phone via sms from google. And no, it doesn't add any additional costs.

You should also check your recovery email in case it was compromised.

Dr Super Good · May 7, 2014

Every time you log in, you will need to input your password and the security code which you will recieve on your phone via sms from google.

This makes some pretty serious false assumptions...
1. Everyone carries their phone around with them all the time.
2. People like wasting an extra minute to log in.
3. This feature cannot be used against you if you do not want to use it.

GhostWolf · May 7, 2014

Dr Super Good said:
This makes some pretty serious false assumptions...
1. Everyone carries their phone around with them all the time.
2. People like wasting an extra minute to log in.
3. This feature cannot be used against you if you do not want to use it.

1. If you enabled it, you probably do.
2. If you have sensitive data on your email (which might even just be your contacts, in case you are a somebody in this world), those extra 10 seconds might be worth it.
3. I don't understand what you wrote.

Zwiebelchen · May 9, 2014

SMS authorizer pins have a serious flaw:
If your phone breaks, you are unable to login anymore. And disabling the option for the authorizer requires to login first...

Velmarshal · May 9, 2014

Zwiebelchen said:
SMS authorizer pins have a serious flaw:
If your phone breaks, you are unable to login anymore. And disabling the option for the authorizer requires to login first...

You get 10 single use backup codes, in case your phone gets stolen, broken or bricked. You can use those codes to log in and change the settings if needed. You can generate 10 backup codes any time you want, they get generated when you turn on the two step verification the first time, you just need to write them down or save them to a notepad file somewhere.

And ghostwolf pretty much said what I intended to.

Chaosy · May 10, 2014

well, long password with numbers and capitals letters. This goes for the email as well. Some games offers additional security too, like SMS protect which basically means that you get a SMS when someone else log into your account + you can reset your password from the mobile.

s4nji · May 11, 2014

Additionally, it's a good idea to start using password manager applications if you haven't.

Some pretty good reasons why you should use a password manager:
How is password management software such as LastPass or 1Password more secure than the traditional approach?

How to prevent an account Hi-jack?

N.Knight

N.Knight

Resources

GhostWolf

GhostWolf

Resources

loxie

loxie

Dr Super Good

Dr Super Good

Resources

N.Knight

N.Knight

Resources

Dr Super Good

Dr Super Good

Resources

Velmarshal

Velmarshal

Dr Super Good

Dr Super Good

Resources

GhostWolf

GhostWolf

Resources

Zwiebelchen

Zwiebelchen

Resources

Velmarshal

Velmarshal

Chaosy

Chaosy

Resources

s4nji

s4nji

Resources

Similar threads