Google Apps account compromised and then deleted



  • So I've been pulled in to help out a friend who just had his Google credentials stolen, and they immediately (3-5 min after the suspicious login email was received) went ahead and deleted their Google Apps for Work account. I'm not too sure why they would gain access and then just delete the account.



  • Because deleting the account is just as painful for the user, because now you have to deal with Google to recover the account and items.



  • How did the account get compromised?



  • I suppose the good thing is that it was only a couple (if that) users on the domain and not a huge company.

    I'm a little surprised though that Google didn't immediately block the suspicious login attempt. I've had non-super admin accounts get the following when we tried to connect SAP via SMTP, and I would have hoped for a bit higher security checks on a super admin account.
    [Screenshot: Screen Shot 2016-03-23 at 17.png]



  • I'll just say how sad it is that so much of Google's own infrastructure is difficult or impossible to use their own Authenticator app with!



  • If he had 2FA on this it would have never happened. I've already said that it's the first thing he needs to do on all his accounts. @travisdh1 not sure what is difficult. It's a straightforward thing and has always just worked for not only me but 100s of employees where I've rolled this out in previous roles.



  • @larsen161 said:

    If he had 2FA on this it would have never happened. I've already said that it's the first thing he needs to do on all his accounts. @travisdh1 not sure what is difficult. It's a straightforward thing and has always just worked for not only me but 100s of employees where I've rolled this out in previous roles.

    It may be because I only have a standard Gmail account without any of the business offerings, but I've never been able to find the setting to enable 2FA via Authenticator. Now that I look, they do have an option for 2FA via your phone, but it still doesn't use Authenticator like so many other apps do. Leave it to Google to make a great app/product and never use it themselves.

    Yeah, my beef isn't that they don't offer 2FA, it's that they never use their OWN APP. Before they made the "login via your cell phone" available I COULDN'T USE their 2FA because I had no cell service to get an SMS or voice call.



  • @travisdh1 said:

    It may be because I only have a standard Gmail account without any of the business offerings, but I've never been able to find the setting to enable 2FA via Authenticator. Now that I look, they do have an option for 2FA via your phone, but it still doesn't use Authenticator like so many other apps do. Leave it to Google to make a great app/product and never use it themselves.

    Yeah, my beef isn't that they don't offer 2FA, it's that they never use their OWN APP. Before they made the "login via your cell phone" available I COULDN'T USE their 2FA because I had no cell service to get an SMS or voice call.

    Not sure what you mean? Each time I log into Google I have to use the app or get a text.



  • @Dashrender said:

    Not sure what you mean? Each time I log into Google I have to use the app or get a text.

    Do you have a Google account that's not associated with a business? Go look at the security settings. Try setting up 2-Step Verification. The only options are SMS or Voice.



  • How did the account get compromised is the real question.



  • @travisdh1 said:

    Do you have a Google account that's not associated with a business? Go look at the security settings. Try setting up 2-Step Verification. The only options are SMS or Voice.

    My account is only non-business, I don't have a Google Apps account.



  • @Dashrender said:

    My account is only non-business, I don't have a Google Apps account.

    Thus my b****** about only having SMS/Voice for 2FA. Doesn't help when you don't have any phone service!



  • @travisdh1 So the initial setup does require you to set up via voice or SMS confirmation. You don't have to have a mobile device to do this. You can have it call a landline number. Once you initially configure it you then have the option to transition to the Authenticator app as primary and use SMS/voice as backup.
    [Screenshot: Screen Shot 2016-03-29 at 15.17.42.png]



  • @larsen161 That's really not so nice on their part. At least I know now. "Knowing is half the battle!"



  • @dafyre said:

    How did the account get compromised is the real question.

    At the moment we think it's down to an expired primary domain registration and Google allowing a password reset via a DNS validation: https://support.google.com/a/answer/33561?hl=en

    The primary domain became unused and was left to expire as the secondary was the main email used by the company.

    Looks like the 'guy' has done this with a lot of domains all at once: http://domainbigdata.com/email/[email protected]


  • How could they delete the Google Apps account? Only the admin can if set up right.



  • @Jason said:

    How could they delete the Google Apps account? Only the admin can if set up right.

    If they buy the domain from a registrar, they can change the backup administrator for the domain and get access that way, I think.


  • @dafyre said:

    If they buy the domain from a registrar, they can change the backup administrator for the domain and get access that way, I think.

    If that happened, it means the domain wasn't locked and he let it expire, so that's his own fault. It's not really his Google Apps anymore, truly. If he wanted to make his own Google Apps account on the domain he now owns, he'd have to delete the old one first.
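
The two conditions raised in the posts above, a primary domain left to expire while the secondary carried the mail, and a domain that wasn't locked, can both be checked from registration data. The following is an added example, not code from the thread: it audits constructed RDAP-style (RFC 9083) records, and the domain names, roles and 60-day warning threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (placeholder names): the domains attached to one
# tenant, and trimmed RDAP domain objects as a registry would return them.
TENANT_DOMAINS = {"current-mail.example": "secondary", "old-primary.example": "primary"}
RDAP_RECORDS = {
    "old-primary.example": {
        "status": ["active"],
        "events": [{"eventAction": "expiration", "eventDate": "2016-03-01T00:00:00Z"}],
    },
    "current-mail.example": {
        "status": ["active", "client transfer prohibited"],
        "events": [{"eventAction": "expiration", "eventDate": "2017-09-15T00:00:00Z"}],
    },
}

def expiration(record):
    """Return the record's RDAP 'expiration' event as an aware datetime, or None."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def audit(domains, records, now, warn_days=60):
    """Return (domain, role, finding) tuples, primary domains first."""
    findings = []
    # Primary first: it still anchors the tenant even when unused for mail.
    for domain, role in sorted(domains.items(), key=lambda kv: kv[1] != "primary"):
        record = records.get(domain)
        if record is None:
            findings.append((domain, role, "no registration data"))
            continue
        expires = expiration(record)
        if expires is None:
            findings.append((domain, role, "no expiration date"))
        elif expires <= now:
            findings.append((domain, role, "expired"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((domain, role, "expires soon"))
        # RDAP status value that corresponds to a registrar transfer lock.
        if "client transfer prohibited" not in record.get("status", []):
            findings.append((domain, role, "no transfer lock"))
    return findings

if __name__ == "__main__":
    for finding in audit(TENANT_DOMAINS, RDAP_RECORDS, datetime(2016, 3, 28, tzinfo=timezone.utc)):
        print(*finding, sep=": ")
```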

