Gmail hacked by cyber-spies? Google issues security warning for state-sponsored attacks

Finding out your Gmail account was hacked would be bad news, but how about if that attack was from suspected state-sponsored hackers? "Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer." If Google suspects you've been targeted by such bad actors, the Google Online Security Blog announced, you will see that warning in Gmail.

Google VP Security Engineer Eric Grosse wrote, "If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account." However, he also makes it clear that if users see that warning, it does not imply "Google's internal systems have been compromised."

Grosse goes on to state what "you should do immediately" after learning cybercriminals or cyberspies are out to get you. If you see the potential state-sponsored attack warning:

Create a unique password that has a good mix of capital and lowercase letters, as well as punctuation marks and numbers; enable 2-step verification as additional security; and update your browser, operating system, plugins, and document editors. Attackers often send links to fake sign-in pages to try to steal your password, so be careful about where you sign in to Google and look for in your browser bar.

When it comes to setting up a unique password, software architect and Microsoft MVP Troy Hunt wrote, "The only secure password is the one you can't remember." Hunt had analyzed passwords from the Sony and Gawker breaches, as well as from LulzSec dumps, before declaring that those passwords were commonly easy-to-remember choices such as names or places. 25% of the passwords he studied were derived directly from dictionary words, making them that much easier to break with a brute-force dictionary attack. Less than 1% were truly random passwords.
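To show what Hunt's breach analysis measures, here is an added example (not from the article and not Hunt's own code): a Python classifier over a constructed password sample that flags dictionary-derived passwords after stripping the usual decorations, and counts the random-looking ones. The wordlist, the substitution table and the "looks random" threshold are assumptions.

```python
import math
import string

# Constructed stand-in for a cracking wordlist (assumption; real lists hold millions of entries).
WORDLIST = {"password", "monkey", "london", "dragon", "sunshine", "welcome", "michael", "jessica"}

# Substitutions crackers undo when "mangling" dictionary words, so they add little strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

EDGE_CHARS = string.digits + string.punctuation


def base_word(password: str) -> str:
    """Strip a digit/punctuation prefix or suffix, undo leetspeak and lowercase."""
    return password.strip(EDGE_CHARS).translate(LEET).lower()


def is_dictionary_derived(password: str) -> bool:
    """True when the password is a wordlist entry with at most trivial decoration."""
    return base_word(password) in WORDLIST


def charset_bits(password: str) -> float:
    """Optimistic strength: bits a brute-forcer faces if the password were truly random."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def looks_random(password: str) -> bool:
    """Heuristic (assumption): not dictionary-derived, 12+ chars, 72+ bits by charset estimate."""
    return not is_dictionary_derived(password) and len(password) >= 12 and charset_bits(password) >= 72


def classify(passwords):
    """Count the buckets Hunt's analysis reports: dictionary-derived vs. truly random."""
    derived = sum(is_dictionary_derived(p) for p in passwords)
    random_looking = sum(looks_random(p) for p in passwords)
    return {"total": len(passwords), "dictionary_derived": derived, "random_looking": random_looking}


# Constructed sample, not real breach data.
SAMPLE = ["P@ssw0rd1", "monkey123", "London2012!", "dragon", "Tr0ub4dor", "x7#Qm9!vLp2z"]

if __name__ == "__main__":
    print(classify(SAMPLE))  # {'total': 6, 'dictionary_derived': 4, 'random_looking': 1}
```

On the sample, four of six passwords collapse to a wordlist entry once the trailing year or leetspeak is undone, which is exactly why such decorations do not defeat a dictionary attack.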

VentureBeat recently reported we are all a bunch of idiots when it comes to password security. "No matter how old you are or what language you speak, your password probably sucks." The University of Cambridge studied 70 million user-chosen Yahoo passwords and then published "The science of guessing" [PDF]. It doesn't overly matter what type of account the password protects, as even "factors increasing security motivation like registering a payment card only seem to nudge users away from the weakest passwords, and a limited natural experiment on actively encouraging stronger passwords seems to have made little difference."

So please be wise about passwords, especially if Google alerts you to being a state-sponsored target. A Google staffer gave Forbes a sample of advice that targeted Gmail users will receive from Google:

It's likely that you received emails containing malicious attachments, links to malicious software downloads, or links to fake websites that are designed to steal your passwords or other personal information. For example, attackers have often been known to send PDF files, Office documents, or RAR files with malicious contents. We strongly recommend that you avoid clicking links or attachments in suspicious messages.

Google won't define precisely how it can tell the malicious activity is a state-sponsored attack, since doing so would help bad actors evade detection. However, Google security blog reported, "When we have specific intelligence—either directly from users or from our own monitoring efforts—we show clear warning signs and put in place extra roadblocks to thwart these bad actors." Furthermore, Grosse said, "We believe it is our duty to be proactive in notifying users about attacks or potential attacks so that they can take action to protect their information."

