back to article Mysterious Gmail account lockouts prompt hack fears

A substantial number of Gmail users have been affected by a potential but unconfirmed hack of unknown origin or purpose. El Reg learnt of the issue following a tip from a self-described "very security conscious" IT professional who got locked out of his Gmail account. This happened after one of his security phone numbers was …

  1. Battsman

    Happened to me.

    The request to re-authenticate happened to me last night. I actually rebooted my phone twice trying to determine if it was legitimately play services asking for me to re-authenticate. As best I can tell it was a "legitimate" request by Google Play services, but it has never happened before and definitely left me scratching my head...

    Any follow ups/updates by El Reg are appreciated!

    1. d3rrial

      Re: Happened to me.

      Huh... Yeah, I was prompted to re-authenticate as well... But I'm still logged into my Google account.

      Any actual reason to worry?

    2. Adam McCormack

      Re: Happened to me.

      Same here, although after a reboot I've not been prompted again

    3. Warm Braw

      Re: Happened to me.

      Me too, with Google Apps for Business. Despite successfully logging on successfully via the web interface a reboot of the phone wasn't enough to get me back in there - had to resubmit login credentials (which I was postponing until the issue had been acknowledged).

    4. katrinab Silver badge

      Re: Happened to me.

      Same here, on one of my accounts.

    5. Paul Crawford Silver badge

      Re: Happened to me.

      Same here this morning, and this if for my phone and I practically NEVER use that gmail account for anything else. Certainly not in the last few months.

      Just wondering - are they migrating password hash algorithms and this is a route from SAH-1 to SAH-256 or similar?

    6. Doctor_Wibble
      Black Helicopters

      Periodic Timeout? Re: Happened to me.

      I've had to re-log-in a fair few times on my mobile - I had thought it was due to me logging in to gmail on the PC without closing the app on the phone (yes, old habits die hard), or because it had magically turned itself off* and at other times I thought it was due to my insistence on disabling lots of services and overdoing it.

      First time got a WTF and clear-all and confirmation of what was demanding the re-log-in, now the WTF is just FFS instead. But lots of other people at the same time? Definitely something hinky going on, the usual cause is the government installing another black box somewhere.

      * by cleverly using up the battery by doing Unknown Things and switching H/H+ every few seconds because that's really important while the phone is just sitting there, seems to depend on what had been running, even if all cached apps are cleared, obviously my mind was harder to control at those times...

    7. S4qFBxkFFg

      Re: Happened to me.

      Same here, but only with one of my accounts.

    8. TRT

      Re: Happened to me.

      Me too on all my Apple and Pc devices. That's lots. Thought it was associated with my work Mac crashing but evidently not.

  2. Ramlen

    Same here and on 2 of my devices at exactly the same time.

  3. Semtex451
    Coat

    "A substantial number of Gmail users"

    How are we quantifying a number of substance in these times of post-truth pre modern Brexit wotnot?

    1. Mark 85

      Re: "A substantial number of Gmail users"

      Since Google is in the States, that has to be "pre/post truth, alternate facts, fake news".

  4. Danny 14

    2 google accounts 2 devices. One asked for reauthentication the other not.

    1. Anonymous Coward
      Anonymous Coward

      Dammit, people! Now I have to check mine... same here, but both mine worked fine. 2 accounts, neither ask for new auth on the iDevice, will check from the S4 later. It stays home and only does Kodi now.

      "While we've been waiting for a response, we've canvassed security folks through Twitter, two of whom have said they've been been asked to reauthenticate themselves and log back into their Google accounts."

      Sod that! What's kind of bread products are in the break room?! It's Friday. There should be some kind of donut, doughnut, danish, great Dane, scones, bagels, toast, crumpets, tea cakes, regular cakes, muffins, biscuits the hard ones, cronuts, bagumpets, biscuits but different ones more like soft cookie-cakes, and a cheese bramble. And wash it all down with lashings of piping hot screwdriver!

      You know that your G-account should tattle-tale any bad logins too, in case that was the cause of the reauth. It's a mystery.

    2. NotWorkAdmin

      Same here....

      I have four Google accounts (I know, I know...) one of which has two-factor authentication enabled. The other 3 are more "throw away" and don't have that enabled. The three without two-factor authentication were the ones asked to re-sign in.

      1. Eddy Ito

        Re: Same here....

        Yep, got locked out on one account with a "command not recognized" error on Thunderbird logging in via imap with Oauth2.0. An older computer that I hadn't used in a year or so and hadn't set Oauth wasn't allowed to log in to that account as well. I got imap mail back about 9 am (PST) Friday morning but still can't get in with a browser or other devices since it won't recognize responses to security questions and the recovery email address is long gone and I'd forgotten to update it. I guess I'll be transitioning off that account to a new one.

  5. Anonymous Coward
    Anonymous Coward

    Weird.

    Same here, noticed it on chrome browser (sync error, please sign in) and a nexus7, but not on nexus5x or other android tablet.

    Cleared the browser sync by logging back in (2-factor with mobile) but nexus7 would not have it, stuck for an hour. Also, chrome browser could not reach gmail server for 30 minutes, but the android phone could.

    No notification on google security status, no other log-ins, five different google accounts but only one affected, very weird.

    Changing security details tonight.

    1. Mephistro

      Re: Weird.

      It'd be interesting to know which versions of Android are affected. My Android 5.0 mobe hasn't had any issues.

      1. PatientOne

        Re: Weird.

        Latest version of Andriod here - but had just been notified that GoogleMail app had updated so, having checked it was legit, I logged back in and it was all fine, believing it was just down to the app updating.

        It was a little worrying, though - but Google seem to take security seriously and I normally get separate notifications if there are any changes to the account (the message simply said that due to a change, I'd been logged out for security reasons and needed to log back in).

  6. Crazy Operations Guy

    Happened on my edu account

    woke up this morning to find my email address through my school required re-authentication. They had just migrated over to Google for hosting email.

    Although looking at what happened, I think its that their infrastructure fell over and lost a large number of authentication data, so devices would have to re-create tokens.

  7. DogMan

    Also happened to me

    Happened on my phone 2 days ago. Logged in, seemed fine. Then I saw this article and logged in on my home PC. Immediately got an alert on my phone that a new device had logged into my account. I checked my device list and found only my phone and home PC, which is a couple devices short of the normal list.

    Looks like they lost the list of devices that I have used to access my account.

  8. creepy gecko

    Checked in to my Gmail account on laptop (thru VPN) - used two-factor authentication and accessed as normal. Also accessed emails via Thunderbird (thru VPN), and no problems.

    Looking at some of the Gmail forum threads it seems there may be some link to Apple accounts....but it's all very vague, and Google don't seem to be helping out with facts at the moment.

    1. katrinab Silver badge

      The one I had to reauthenticate is linked to an Android phone. The one I didn't is used on iDevices.

  9. beep54

    Happened in spectacular fashion to me.My computer died. Had to do a restore. Also a mouse was fried long with a new 2 TB drive.When I try to restore my account Google eventually tells me it does' not exist.

  10. TrevorH

    There was some discussion about this possibly being related to Cloudbleed too but comment 24 in https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 says definitely not.

  11. Anonymous Coward
    Anonymous Coward

    I can't log in at all !

    .. but I am pretty sure of the cause.

    I don't actually have a Google account.

  12. Anonymous Coward
    Anonymous Coward

    Me too.

    I got re-authorisation requests for both of the Google accounts that I have connected to my Nexus 5 yesterday.

    I did find it strange as I hadn't changed anything and also hadn't seen any of the usual 'was that you?' alerts that turn up every time I access either of the accounts from an IP address that isn't associated with me by Google.

    It sounds more like an inadvertent thing rather than anything suspicious. After all, the powers that be can already read everything that we do on Google and a global hack of Google accounts by other actors would seem unlikely.

  13. Baldy50

    Me Too...

    No spam or phishing shit and also happened yonks ago a couple of times, so IMO not new, sick of doing it on multiple accounts BTW, IDK.

  14. Last-Good-Gnome

    Request to log back in on phone only - Pixel XL

    I was logged in on 3 devices and receive a re-authorization request on my phone only. Updated PW immediately and checked for suspicious outbound emails, none found.

  15. Anonymous Coward
    Anonymous Coward

    Yup

    here as well 2 days ago... 2 accounts, 2 phone, 2 laptops.... don't have Apple.... so guessing that's not it.......

  16. inmypjs Silver badge

    "very security conscious"

    "IT professional who got locked out of his Gmail account"

    "very security conscious" and using a gmail account?

    Pull the other one.

    1. luminous

      Re: "very security conscious"

      Was thinking along the same lines but giving him the benefit of the doubt. Surely that is not his primary email account.

      You can't use Google Webmaster Tools and some of their other services without a Google account. So we are pretty much forced to have a Gmail account. Putting anything else into it of importance is lazy, but there is no real choice in the matter if you use their services for yourself or on behalf of your clients.

    2. Planty Bronze badge
      FAIL

      Re: "very security conscious"

      Google had already mentioned authentication outages on the service blog.

      Given the only affect from all the "hacks" (LOL, what a tool), is lot of people being signed out, isn't it far more likely this is just the previously mentioned auth outages.

    3. Anonymous Coward
      Anonymous Coward

      Re: "very security conscious"

      "very security conscious" and using a gmail account?

      What's wrong with that? Google have a pretty spectacular security record (in the good sense), and are undoubtedly doing a better job than pretty much everyone else out there.

      If you can't see this, then you are frankly an idiot.

      1. Kiwi

        Re: "very security conscious"

        "very security conscious" and using a gmail account?

        What's wrong with that? Google have a pretty spectacular security record (in the good sense), and are undoubtedly doing a better job than pretty much everyone else out there.

        Have you looked at their "privacy" policy or their T&C's? You might find that google claim a lot of rights to the data you put on their servers, and deny you all.

        Was going to use G+ along with FB et al for a business venture. Reading the T&C however, you give them rights to use any data you put on their for their purposes including selling and making derivative works, and that is a perpetual license to. FB are actually the decent ones here, they only claim the rights to publish any data you make public.

        I do use gmail and I haven't read their T&C recently, but seeing what they do with G+ you'd be a fool to use it for business stuff - you give them ownership of your logo and any other data you place on there.

        1. Anonymous Coward
          Anonymous Coward

          Re: "very security conscious"

          I think you just made that horseshit up.

          https://www.google.com/policies/privacy/

          The word derivative isn't there.... So please tell us exactly where you came to this conclusion.

        2. Anonymous Coward
          Anonymous Coward

          Re: "very security conscious"

          " FB are actually the decent ones here"

          Are you really sure FB and decent should be used together like this? Or ever?

          You might find they hid the bit where you agree to them owning all your data and can use it as they please?

          I also doubt Google can claim ownership over your business logo, especially as such logos are often registered trade marks and transfer of ownership tends to involve lawyers and fees...

  17. Tommoxyz

    Same with me.

  18. Feldspa

    G talk about it here

    https://support.google.com/wifi/answer/7335595

    glitch in account auth engine

    1. Anonymous Coward
      Anonymous Coward

      Curious, I'm sure this article was related to GMail, not G-WIFI!

  19. AndrueC Silver badge

    's kinda weird.

    GMail ain't my primary mail account (I run my own mail server) but it's useful to have it linked to my phone. This morning I got a notification on the phone saying 'something has changed you have to sign in'. So I signed in..and that was that.

    No explanation of what had changed and no further comment from GMail.

    This article prompted to check using my laptop and it got straight on using it's login cookie so..um?

    Good job I don't use it for anything important :-/

  20. Anonymous Coward
    Anonymous Coward

    And these are the guys

    that want their code to drive your car for you.

    1. Anonymous Coward
      Anonymous Coward

      Re: And these are the guys

      No problem, just walk the 20 miles back home and get the OTHER phone you added to the account and authenticate your credentials on that, then simply walk back to the car and it should be unlocked for you.

  21. Anonymous Coward
    Anonymous Coward

    Happened about 2 weeks ago on my Android phone. No problems on my IPAD...

    There's no way I'm going to "re authenticate". When I get the chance, I'm going to wipe the phone and go from there.

    I don't trust the security in Android.

    I think it happened after an OS update pushed from my ISP, but I'm not typing in any passwords to be safe. I bet this all will get tracked back to the ISPs.

    I only use the Android as a phone and as a backup way to get emails, so no important data, no rush.

  22. Alpc

    Thought this was odd. Happened to me too. Tried to change password via mobile but Google didn't like it. Managed to change it via desktop. Then logged in with new PW on mobile and Google message went away.

    Maybe it has something to do with a recent Android update?

    1. John Brown (no body) Silver badge

      "Maybe it has something to do with a recent Android update?"

      I wish! I can't remember when my phone provider last pushed an update out, despite there being updates created by Google.

      1. Alpc

        Not a system update but Android Google app / services updates. I got a recent BlackBerry security update but it caused no problems. Android Messenger was updated, again, today. I don't use it.

  23. Alpc

    Happened Again¡

    Have just got another message thus evening on my Android mobile telling me my password needs updating. Weird, as have just done it via laptop.

    I also got a mail from the big G telling me about, my, password update!

    What's up?

  24. ecofeco Silver badge

    Something strange is going on

    While not locked out, I've had some strange things happening as well.

    1. Anonymous Coward
      Anonymous Coward

      Re: Something strange is going on

      Trump...?

  25. Almost Me
    Big Brother

    But did it ask you to agree to the Terms of Service?

    It just happened to my wife: I just assumed it was a not-so-subtle method of forcing everyone to agree to their latest Terms of Service... probably the new clauses about introducing droit de seigneur and rights to the mortal soul of your first-born...

  26. ZenCoder

    What's wrong with gmail and security?

    I understand why many might have serious PRIVACY concerns about gmail, but what exactly are the security concerns?

  27. Sgt_Oddball

    I was wondering about that

    Had to dig out my email password since add with others I use it for accessing Google services and occasionally testing sending emails to a Google account.

    All pc based sign insurance worked just done but had to redo the phone. I could be that the phone level cookies got expired on masse and that's what caused it but I'm not holding my breath for a quick (if at all) explanation from Google.

  28. Alpc

    Facebook strangeness too

    No idea if it's connected but have read Facebook has been giving some users the impression their accounts might have been hacked.

    Apparently, Cloudflare has been leaking info. Connections? Don't know. All rather weirdy McStrange.

  29. littledig

    this is absolutely a hack!

    This happened to me months ago. Judging from google's response when I advised them of the issue, I was one of the first to report it. At least that's the impression they gave me. But please everyone, do not write this off as a bug or something else. Since my google accounts were hacked the following things have happened. My credit card was hacked, someone tried to log in to my iTunes account and my identity has been stolen and used in the UK. It took a while for these things to happen - around 3 months after I first started getting kicked out of my account. Don't listen to what google are telling you! They are not being honest with you.

  30. paddy carroll 1

    Same here, on iPhone which was also 2 factor token via google app which initiated a ridiculous loop as the google app also tried to sign in...

  31. Skip

    Not just on Android

    The same thing happened to me with on Thursday with the gSyncit plugin for Outlook - it de-authorised the plugin, and now it just hangs when trying to authorise again. The Gmail account has 2FA enabled, and I also had to re-authorise on my phone (Android).

  32. BrynGerard

    Me too :(

    For the record, I also experienced this on two accounts on two android devices (Friday evening). Interestingly, a laptop left turned on was still logged in and functioned fine. I couldn't however change the passwords for the accounts as google claimed the original password I typed was incorrect. Answering a few security questions got me a authorisation code which I used to log in and change my passwords. I haven't re-enabled access on the Android devices yet and won't until I get some news about what caused it.

    Interestingly I had only hours earlier, made comments on FB regarding the extent of the capabilities of GCHQ for interception and attacks. I thought for a moment I was being 'slapped' by them :) for daring to comment about them. Not that my boring emails or SM posts would reveal much to them or are of any security concern, at least I don't think so ;)

  33. G2

    me too

    same here... but my phone OS was Android 7.1.1 freshly compiled and published on February 23/24th by LineageOS.org...

    maybe it's related to the upcoming March 2017 Android patch.... i noticed that a ton of Google apps have been updated at the beginning of this week, just before the re-authentication / reset happened.

  34. Anonymous Coward
    Anonymous Coward

    Multiple 2FA accounts affected here...

    I've had requests to sign back in to two different Google accounts, one a Gmail email address, the other a private email address. Both accounts needed to be signed back into on two PC's (Windows 10) and an Android (Cyanogen) mobile.

    Both accounts have had 2FA enabled for 18 months+ and both use 14 or so char random passwords (managed by password management app).

    Very strange...

  35. Anonymous Coward
    Anonymous Coward

    Google stating problems occurred as a result of "routine maintenance"

    'During routine maintenance [from 1pm to midnight PST yesterday], a number of users were signed-out from their Google accounts. This may have resulted in you being signed out of your account or seeing a notification about “A change in your Google account” or “Account Action Required.”

    We hear your concerns that this appeared to potentially be phishing or another type of security issue. We can assure you that the security of your account was never in danger as a result of this issue.'

    https://productforums.google.com/forum/#!category-topic/gmail/Kfsx8YjqAS4

    So, cock-up rather than conspiracy?

    1. Adam 1

      Re: Google stating problems occurred as a result of "routine maintenance"

      It really did look like some sort of phishing attack. And certainly Google have now through lack of foresight opened up their user base to fall for the next one. They should have had a website explaining exactly why you needed to reauthenticate. Not a mystery popup!

  36. Anonymous Coward
    Anonymous Coward

    wife's ipad was locked out

    for some reason my wife's ipad this morning had claimed it locked out due to apple icloud passwd has been tampered with and had to reset her account

    damn Russians

  37. fredesmite
    Joke

    Was the hack as big as Yahoo?

    Yahoo had millions of millions accounts hacked ...so how bad is it?

    No record of paper tape punch machines being hacked in the past decades!

  38. rmstock

    a mobile phone issue ?

    I explicitly have no email on my mobile phone ...I do have several public email accounts, i.e. yahoo, gmail etc. which store your private emails on their servers. The problem with gmail so far has not occurred on my computer using Thunderbird with imap.gmail.com and SSL/TLS.

    That could mean that the email client on your mobile phone has been compromised inside Android / iOS , or as the hack involves ponying up a new telephone number, that a couple of mobile telecoms providers are invaded on their side with malicious hacks.

  39. DaddyHoggy

    Glad I read this article! On Saturday I found I couldn't access my Gmail on my mobile without logging back in and then later, noticed, on my laptop, that my Google Drive Sync was off, because, it turned out, I had to sign back in there too. Then Google sent me an email to my secondary email account telling me I'd logged in from a new machine (yes, I had just logged in, but no, it's not a new machine).

    I didn't think anything of it, until my eldest daughter complained on Sunday that she hadn't been able to access her Gmail. I got her to reboot her phone and it too asked her to login to Gmail and then sent me an email (I'm her backup email account) saying she'd logged in from a new device...

    Very odd and I'm not sure I like the fact that Google sit between saying nothing's going on, or they don't think anything is going on.

  40. Bitbeisser
    WTF?

    Get this only on one out of 7 accounts...

    and then only on my (Android) cell phone, all my PCs (Macs) that have the same account set up in Thunderbird work just fine...

  41. Slabfondler

    Fine here...

    One account, 4 devices, 3 operating systems, MFA enabled - no issues.

  42. Anonymous Coward
    Joke

    Not fair!

    Mine are OK. I feel left out.

  43. khentiamentiu

    Ominous message

    My experience was a bit more ominous. than the Reg article describes. I got a messge saying "Something is wrong. Please log in again." Suspecting phishing, I did the extreme thing: logged out of gmail, shut down my computer, booted a different OS, and went to my gmail account, where I was asked to provide my password. I did that, and haven't seen the problem since, but I really hate ominous messages popping up when I'm in gmail.

  44. Nickckk

    Anyone not had this?

    Happened to all 3 of the family. Is there anyone out there who hasn't been required to sign in again?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon