March 24, 2010

Detecting suspicious account activity

(Cross-posted from the Gmail Blog)



A few weeks ago, I got an email, supposedly from a friend stuck in London, asking for some money to help him out. It turned out that the email had been sent by a scammer who had hijacked my friend's account. By reading his email, the scammer had figured out my friend's whereabouts and was emailing all of his contacts. Here at Google, we work hard to protect Gmail accounts against this kind of abuse. Today we're introducing a new feature to notify you when we detect suspicious login activity on your account.

You may remember that a while back we launched remote sign out and information about recent account activity to help you understand and manage your account usage. This information is still at the bottom of your inbox. Now, if it looks like something unusual is going on with your account, we’ll also alert you by posting a warning message saying, "Warning: We believe your account was last accessed from…" along with the geographic region that we can best associate with the access.


To determine when to display this message, our automated system matches the relevant IP address, logged per the Gmail privacy policy, to a broad geographical location. While we don't have the capability to determine the specific location from which an account is accessed, a login appearing to come from one country and occurring a few hours after a login from another country may trigger an alert.
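The country-to-country check described above, written out as an added example in Python; this is not Gmail's own code, and the GeoIP table, the six-hour window and the sample activity log are constructed assumptions:

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP lookup: documentation prefixes (RFC 5737)
# mapped to countries. A real deployment queries a GeoIP database instead.
GEO_TABLE = [
    (ip_network("198.51.100.0/24"), "United States"),
    (ip_network("203.0.113.0/24"), "United Kingdom"),
]

# Assumed threshold for "a few hours" between logins from different countries.
SUSPICIOUS_WINDOW = timedelta(hours=6)


def country_for(ip):
    """Map an IP to a broad region; anything unmapped is reported as unavailable."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:  # a v6 address never matches a v4 prefix, so this is simply False
            return country
    return "unavailable"


def suspicious_logins(events, window=SUSPICIOUS_WINDOW):
    """Flag each login whose country differs from the preceding login's
    when the two occurred within `window` of each other.

    events: iterable of (timestamp, ip, access_type). Each alert is
    (timestamp, previous_country, flagged_country, access_type).
    """
    alerts = []
    previous = None  # (timestamp, country) of the last placeable login
    for ts, ip, access_type in sorted(events):
        country = country_for(ip)
        if country == "unavailable":
            continue  # cannot be placed, so it neither triggers nor anchors an alert
        if previous is not None:
            prev_ts, prev_country = previous
            if country != prev_country and ts - prev_ts <= window:
                alerts.append((ts, prev_country, country, access_type))
        previous = (ts, country)
    return alerts


def warning_banner(events):
    """The inbox message for the most recently flagged login, or None."""
    alerts = suspicious_logins(events)
    if not alerts:
        return None
    return "Warning: We believe your account was last accessed from " + alerts[-1][2]


def recent_access_points(events, limit=5):
    """What the 'Details' window lists: the latest accesses with their regions."""
    latest = sorted(events, reverse=True)[:limit]
    return [(ts.isoformat(" "), kind, country_for(ip), ip) for ts, ip, kind in latest]


# Constructed recent-activity log for one account (not real data).
ACCESS_LOG = [
    (datetime(2010, 3, 22, 9, 0), "198.51.100.23", "Browser"),
    (datetime(2010, 3, 22, 17, 30), "198.51.100.23", "Browser"),
    (datetime(2010, 3, 22, 21, 5), "203.0.113.77", "Browser"),   # 3.5 h later, other country
    (datetime(2010, 3, 23, 6, 0), "198.51.100.23", "IMAP"),      # ~9 h later: outside window
    (datetime(2010, 3, 23, 12, 0), "2001:db8::1", "Browser"),    # IPv6, unmapped -> unavailable
    (datetime(2010, 3, 24, 8, 15), "203.0.113.77", "Browser"),   # next day: outside window
]

if __name__ == "__main__":
    for alert in suspicious_logins(ACCESS_LOG):
        print(alert)
    print(warning_banner(ACCESS_LOG))
    for row in recent_access_points(ACCESS_LOG):
        print(row)
```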

By clicking on the "Details" link next to the message, you'll see the last account activity window that you're used to, along with the most recent access points.


If you think your account has been compromised, you can change your password from the same window. Or, if you know it was legitimate access (e.g. you were traveling, your husband/wife who accesses the account was also traveling, etc.), you can click "Dismiss" to remove the message.

Keep in mind that these notifications are meant to alert you of suspicious activity but are not a replacement for account security best practices. If you'd like more information on account security, read these tips on keeping your information secure or visit the Google Online Security Blog.

Finally, we know that security is also a top priority for businesses and schools, and we look forward to offering this feature to Google Apps customers once we have gathered and incorporated their feedback.

57 comments:

  1. What do you plan to do if someone is sometimes connected through a VPN which is situated abroad?

  2. Just out of interest, is this message only shown to someone that logs in again with the original IP address range? And are they the only person that can dismiss this message?

    If not, it would be trivial for a hacker to dismiss the alert without the account owner ever seeing it.

  3. This is a great addition! I would still like to see an option to verify via SMS when making any changes to passwords and recovery options. If a hostile person gains access to your account by knowing your password, they could quickly change it and all your recovery options before you even see the alert, potentially losing access to your account for good. (This happened to my fiancée.)

  4. It would be even better if the "connection detail" window had support for IPv6.

    Currently it doesn't even show the hex address, it just shows "unavailable".

    (The help would need to be fixed; there is some information that is only relevant to IPv4.)

  5. This is a step in the right direction, but I was really hoping that one could configure Gmail to require Captcha or some other challenge/response if attempting to log in from some unusual location or IP address (based on previous activity).

    How you implement this is up to you... maybe I could opt into such a service that would "reject" my valid authentication credentials (as if it wasn't correct) and ask me to enter it again... this time with a Captcha.

  6. My email account jesseinfo@gmail.com was taken over this morning and they started sending out emails like the one mentioned. I filled in the Gmail form but the Gmail team did not believe I was the owner of the account. All I want is for the account to be permanently closed. Please help me!

  7. I'm trusting that Google has made this system so it's intelligent enough to notify the actual account holder of access discrepancies, rather than the attacker, who'd love to change your password immediately. This would be done, of course, by the same method of IP recognition, such that when you access via a familiar IP you receive the message, allowing you to change your password.

  8. Suppose my account has been compromised and I get the warning message displayed. Can't the hacker just click the "ignore" on the red warning message above, and the notification about stolen identity will be dismissed, or am I missing something...?

  9. This is great. Another nice feature would be to assist the user in geolocating the origin of incoming emails. This would help greatly against phishing campaigns if the user could see that the really nice deal from PayPal originated in Nigeria.

  10. Great, in theory this sounds very good, but will users have the option to whitelist an incident trigger, e.g. when using proxies or corporate/personal VPNs???

    What about proxy relay networks such as TOR that hop servers/locations???

  11. It would be great if you could use derived location on the mobile devices based on their wifi/gps/cell towers to refine the location of the usage rather than the broad geo info based on IP address.

  12. Will there be a way to permanently add an authorized location? For example, a person lives in San Jose California, but his office proxy is in NY City. If he checks his email from the office with its IP geolocated to NYC, then drives home and 30 minutes later checks his email from home with his IP geolocation of San Jose, will he constantly be getting warnings or can he add both locations as valid or "safe"?

  13. I recently got hacked by the London guy. These security tips don't really help because he changed my password so I couldn't log in and is currently sending emails with another account.

    Does anyone know how to disable sending emails from alternate addresses?

    My understanding is that you can type in an alternate email address and all Gmail does is email the other address to "Confirm" that it's yours. The only way to stop this is by ending it on the other email address.

    Problem is, the hacker has access to his personal account, with which he can still send emails pretending to be me.

  14. This is a feature I'll hopefully never use, and paradoxically, one it's great to have.

    GeoIP databases have been around for years, the IPs are logged anyway, and yet of all the online services I use (banking, ecommerce) Gmail is the only one that will warn me if this sort of thing happens.

    Nice one, Gmail team.

  15. Hello, I received an email from my wife this morning with the same warning you are showing here, Pavni Diwanji, Engineering Director
    (Detecting suspicious account activity). The person has been sending email to everybody in her contact list and my wife is not in town. What should I do? Everyone is calling me. Can you please help me?

  16. I often get messages to compromise my information through gmail.
    I'm thankful that those in charge of gmail accounts have been doing a great job filtering these spam garbage emails.

  17. This is a great feature, but does it stop someone from using your ISP address as a proxy address and then logging on?

    In a friend circle this can happen when someone has received an email from you and then uses a somewhat similar IP address to log into your account.

  18. I definitely appreciate the idea behind this. But since morning I have been trying to figure out why my most recent access is some place in New York in "2009". I agree if there has been something like that in the past few weeks it makes sense to report it to the user. But a timing like that made me wonder if the system time is off on any computer I use. And only at the other end of a long malware search do I read this article and presume the code looks through more than two years of IP address logs??

  19. Interesting that this post was made this weekend, as my wife's account has been hijacked by hackers. They have changed her password and security question multiple times, and she is currently locked out, while the hackers have free rein. We have tried to contact Google security, but received a message that the security mailbox (security@google.com) is over quota. Is there some other route we can use to contact the Google security team?

  20. I have gotten a few emails from the Gmail team that state my account will be shutdown unless I provide my full name, Password, Phone # and Country. It is strangely worded and I am suspicious. Is this for real--is there anyone I can contact at gmail to verify authenticity?

  21. I (and my family) just received the following email from my gmail account (which has been hacked in this manner)... How can I get my account locked quickly? (The hacker changed the password.)

    ffthack@gmail.com --- email follows---

    I'm sorry for this odd request because it might get to you too urgent but it's just the situation of things right now, we are presently stuck in Scotland, we came down here on vacation. we were robbed, worse of it is that bags, cash and credit cards was stolen at GUN POINT, it's such a crazy experience for us and we need help with flying back home, the authorities are not being 100% supportive but the good thing is we still have our passports but don't have enough money to get on a plane back home, please we need you to loan us some money till we are back home to refund it back.

    Thanks,
    Ian.

  22. This same thing happened to a friend of mine, but what happened to me while she was having this problem: I got a weird highlighted warning message flashing above my email's area where I view all my messages. It wanted my username and password, to see if it was correct. Since I have never seen anything like that before I ignored it, thinking it was not referring to me and that maybe someone hijacked my account as well. Lisa Seward

  23. I appreciate the improved information on account activity, but would much like to understand how it can be that I repeatedly find the message 'this session may be open in another location' (sorry, have forgotten the exact text) given that I ALWAYS and INVARIABLY log out, and have my browser set to store no passwords and to delete all information upon exit. Is someone hacking my email from my own PC? If so, how? I have it firewalled, silent (effectively invisible on the internet), clean and free of viruses, have never found trojans on it, am the only one using it, and have a password for it. I even lock down the firewall at night. Note it happens more often to one account that I access at work, and so which may be subject to password theft via keyloggers. But it happens too to my very private account that I never open except here at home. Many thanks in advance for input on this, how it can happen and what to do. E

  24. My email address was also compromised by a scammer (probably the same) who sent out email to all my contacts asking for money for being stuck in London. The problem is the scammer also changed my password and secondary email address so I cannot access my account.

    I have already filled out the account compromised form but nothing happened. I also have email forwarding and sending set-up from my other account so I have definite proof that I own the account. Please help!

  25. Please make a possibility to block access from china to someone's gmail account at all!!!
    My account was hacked yesterday. I don't know HOW!

  26. I see that one can turn off alerts after waiting a week, which gives a valid user a week-long chance to log in and notice before a bad guy can avoid alerts. That's good. Let's say, however, that I am a frequent traveler between 2 different countries. Would I expect to get an alert each time I fly because I check email in country A and then a few hours later in country B? Or does the automated system learn from the recorded activity what is normal for me? What about having a more flexible alert configuration, where I can say "turn off alerts for countries A and B only" rather than turning off all alerts? That could be an option next to each activity record.

  27. Hi. I just received a likewise email from my friend. Her gmail account was hacked and now she can't sign in to change her password. The scammer/hacker also hacked her Yahoo account, but she is able to retrieve that account, and found out a new email backup on her account she believes is the hacker's: dannypoljak@gmail.com. Where can I report this misuser?

  28. It would be great (especially for those of us accessing GMail through IMAP) to have these security warnings available through a private RSS feed.

  29. Is this alert already working? I tried to access my mailbox directly and through a proxy to change my IP source's country and I didn't receive any alert.

  30. Is the suspicious behaviour tagged for 'all' types of access (IMAP, ActiveSync, MAPI, GTalk etc.) or just for the Gmail Web UI?

  31. I need help, everyone. My email and PayPal account just got compromised last 14th of April. I made a transaction with the fraud who compromised my email, PayPal account and bank account. I don't know how he did it but he did! He made unauthorized transactions and transferred all my funds to his own PayPal account before closing my account. PayPal made an investigation about the case and made a conclusion that there was no third party access to my account and closed the investigation. It was really upsetting! It left me nothing but hoping to prove that it was totally the fraud who closed my account, since he got access to my email, my PayPal and knows my bank account through our first transaction. Since PayPal wasn't able to see any third party access, if I could just prove that the IP address that accessed my email also accessed my PayPal account, it could prove that it wasn't me who made the transactions and closed my account. Can anyone suggest how I could do this?

  32. This alert is working and has provided me valuable information about the recent account compromise. Unfortunately the damage was already done (not much, but unpleasant). At the same time this incident has shown me how sensitive indeed the information stored in my Gmail account is. I have thought a bit about how I would like to improve security (including taking my info back to my PC, discarded as not secure). Here are some suggestions:

    1. Provide a gadget or an iPhone app to generate a temporary secure number in addition to the password (just like Blizzard provides for its BattleNet users; very, very convenient and unbreakable; take a look, it's nice). I WOULD GLADLY PAY FOR SUCH A FEATURE.

    2. My account was compromised from a South Korean IP. Why not provide an option to restrict the access geographically? It's not a 100% solution, but still an improvement.

    3. I would like to press a button near this South Korean IP address: "yes, this is a bad intrusion, not a false positive". The lists of these IP addresses can later be shared with law enforcement.

    Thank you.

  33. My account has just been compromised. As the hacker logged in to chat, I saw it as I was using another account. So I logged in before the password was changed. I got lucky and I could get in and change the password. The strange thing is his/her IP is not even in the list of recent activity! I wonder how he/she managed to do that. Is there a setting that allows users to do that? So please help me.

  34. Just put a notification on the front page saying the last login date and time. So we will know whether someone else uses my account or not!
    What do you think?

  35. Hello.... Yesterday my account was compromised as well. The same e-mail has been sent to all of my friends and family, some of whom have corresponded and had conversations with the impersonators. They have also deleted my Facebook account. I have lost vital work-related material that was on the account. I am very upset that Gmail has no interest in helping me. I don't know what to do. I may lose my job because of this. I have filed a complaint with the indicated ic3.gov form for white collar crime but have heard nothing. I have also called Google and was told they couldn't help me. I have filled out the account impersonation form for Gmail and that was fruitless. The hacker has also changed the alternate email address and has locked me out completely, preventing me from changing my password. Does anyone have the solution? All that essentially needs to be done is to verify the user and then simply deactivate the damn account. What is the big deal? Thanks for nothing, Gmail. I will be letting everyone I know and current friends and family who use Gmail know that they should go to another server and start a new email address and cancel their Gmails, because this could happen to anyone and Gmail will do nothing to help.

  36. Are OAuth logins whitelisted? It would defeat the purpose of OAuth login support when suddenly all the users of our service would get a warning that their "account has been compromised" when our servers try to access their accounts.

  37. Can I get more detail of account activity rather than the IP address?
    What I mean is, if someone checks from a public access center like a cyber cafe of an ISP, now we can only know the public IP address of the ISP, and cannot know more than that.

  38. tzm, great idea! I'd also like, in case of suspicious activity, to have an undo option on whatever happened during the hacked connection.

  39. I'm not sure if what I received via a Google warning alert is the same thing mentioned here, as the Google warning alert I received couldn't have been related to my email account due to the fact I received it the instant I logged onto my brand new computer for the first time.
    I'm curious if anyone else has had a similar experience? The warning gave in-depth details to include the mobile phone number blocking me and redirecting all my Internet traffic and access. It gave me a detailed account of the location, i.e. the hotel in the San Francisco area, and even stated the person was located in the cafe within that hotel. The alert also listed a lot of personal info about me as well as the hacker. Has anyone else experienced this type of Google alert? It was such a blessing when I received this alert as I had been blocked from accessing the Internet for at least 8 months. I knew it was my then estranged husband and upon Google sending me the warning alert providing me all the proof I needed against my now ex-husband. I took a snapshot of the warning alert and have made several copies buried within numerous CDs. I bring this up because my husband is a wolf in sheep's clothing within his profession as an I.T. & information security consultant/pro and very good at what he does. He has the power to turn a person's life upside down if he feels they are a threat. I had never heard about the Google e-mail alerts until now.

    All comments appreciated.
    thejusticetrain
    a.k.a
    roxyunscripted

  40. As far as I know, last account activity can't help much.
    If someone uses our mail from cyber cafes, those cafe IPs are behind the firewall IP address of the internet service provider.
    Last account activity cannot pass the firewall IP of the ISP,
    so it can't get the exact location.

  41. Where do we send reports of unauthorized access to?

  42. I have to say... I am a bit mad that I have been locked out of my account due to "suspicious activity" and since my phone does not allow texts I had to fill out a form that requires 24 hours of investigation. I need to use my e-mail now, but I'm stuck with this problem.

    I just used my e-mail yesterday night and I checked it today and it didn't even let me sign in, it just locked me out saying that due to suspicious activity on the account I need to prove some of the info I don't even remember because it was so long ago.

    I used my brother's account to post this.

  43. This IP address is hacking gmail accounts and sending spam out to all the contacts in the account

    Browser Italy (115.52.226.160) Nov 8 (1 day ago)

    You should BLOCK them from ever accessing google. Or find a way to prevent this.

  44. aashna,

    Thank you for your report. We have sent it to the appropriate teams for investigation.

    Google Security Team

  45. Hi,

    My brother had this incident where a malicious person hacked his gmail account and deleted e-mails.

    We actually know who this person is (he did this from his home connection; the IP address matches emails he has sent us) and we pressed charges, but the Police told us that we should try and contact Google to make sure the access logs for the gmail account are not deleted... Police investigations in Portugal take forever and I have screenshots of the "Activity on this account" screen showing the entries that correspond to the illegal activity, but those aren't valid in court.

    Who should I contact about making sure that those access logs don't get deleted, so that when the Police make the official request for them they are still there?

    Cheers,
    Francisco

  46. Francisco, Law Enforcement should request preservation. They can contact their regional Legal Attache office for guidance.

    Jay, Google Communications

  47. My Google account activity continues to say that my IP address is from United States, NY (where I was last year) even though I am now in South Korea? The account activity and my use of gmail match up fine (i.e. it logs perfectly when I've used gmail 2 minutes, 1 hour ago etc.), but for some reason the IP location for all this activity keeps saying New York? Is there something wrong with my computer?

  48. On the recent activity window the hacked IP address is marked red. Does Google automatically tell these users that someone has hacked your mail, or is it our duty to check whether anybody has hacked our page or not?

    Please help: how do I view all the recent activity addresses for a month or a year?

    Is only the hacker marked red, or is anything not marked?

  49. Is there a way that we can put an access filter at country level/state level on accessing the account?

  50. Can you please let me know how to leave this feature on, so that it shows the last ip address every time I log in.

    Thank You.

  51. I've had two such warnings but haven't ever found evidence of any use of my account by the hacker. Did they actually get access to the account or did you ask them security questions and so not let them in?

  52. How can I TURN OFF!!! this highly annoying and dangerous "feature". I travel frequently and DO NOT WANT or need my whereabouts to be emailed in an insecure message. This is so disturbing that I have to avoid using my Google-enabled devices in some countries I travel to.
    This is a feature that should have a full "disable" mode but I have not found any way to turn it off!

  53. I live in Philadelphia; someone is signing in from Washington DC.... Can't I stop them? Changing password constantly... Google, help; obviously not me, two states in one day.

  54. Someone logging in from a different state; can't stop them other than constantly changing the password.... Two-step verification not helping too much.

  55. I am in a loop due to changing my password last night via LastPass (which normally saves the newly generated one properly, but didn't for some reason). So I tried again a couple of times. I do remember a recent password, but not the most recent. Very frustrating to be in a loop, locked out for "suspicious activity" on my own account due to some malfunction, and even my second factor is not working.

  56. I have the statement my account is open in another location. When I click on details, it does not show a valid IP address but it shows * United States (OH) (2602:306:cd59:e140:8c17:7d5b:828:4de8) I have changed my Password, and it came right back. Is this something I should be worried about?

  57. My Gmail was hacked this morning, and I have not received any emails regarding unusual activity. I would like to know if you can help me restore the mails... Contacts are in place and all settings have been reset to MY settings. Please contact me on akorsholm. Thank you!

