Recently a friend called and left a panicked voicemail telling me someone in South Africa was sending email from their Gmail account and asking all their friends for $2000 cash. I told them it sounded like their Gmail account was cracked and we needed to move quickly. It was, and we did.
Here's What We Did:
- Immediately went to every other online account they had (including bank, Facebook, Twitter, Comcast, etc.), logged in and changed the email address on the account to something other than the Gmail one and updated the weak password to a stunningly secure one. (Important: If you don't change the email address, they will just keep resetting the password.)
- Reviewed the history of the Gmail account on the local computer (searched archived email) and (luckily) found the original welcome message from the Gmail team. (This is one email you will want to hang onto forever! I'll tell you why in a sec.)
- Filled out the form accessed from the main Gmail page by clicking the “Can't access your account” link. (Image 1)
- Entered the Gmail Verification Code (Image 4) that was originally sent in the welcome message when the account was created. (If you have this, you are pretty likely to get your account back fairly easily. Unfortunately, most of us, me included, probably deleted that since we already knew how to use Gmail and didn't need some silly welcome message. Doh!)
- Entered the 5 people they emailed frequently.
- Entered the date that they first connected their Droid cell phone account to the Gmail account.
- In about 24 hours we received notice that the account was back under our control.
- Once account access was recovered, we enabled account recovery via SMS on the Google account. This last step is critical (especially if you no longer have your welcome message) and will ensure that, should your account ever be compromised again, it will be far easier to recover it.
- Also checked to see if any forwarders had been set up to forward a copy of incoming email back to the attacker.
Below are the screenshots indicating the sequence required to get to the account recovery form: