I think someone I know has hacked into my gmail account. what should i do?valeria
This is a relatively common question. other recent examples include “someone is using my gmail account to steal my data in a game. how do i get rid of it? from rodimus ghost, and “my daughter is using my gmail account. how do i stop it? I don’t recall receiving these inquiries about other email services.
my usual response is: “how do you know?”
There may be emails in your sent folder that you didn’t write, though hackers can cover their tracks by deleting copies of sent emails. however, incoming emails are not an indicator. i have received emails from instagram, gocompare, barclaycard business, apple, prattville and mca and many other organizations where people have entered my gmail address, probably by mistake. it does not mean that they have accessed my account.
The best way to tell if someone else has used our account is to scroll down your gmail inbox and look for “last account activity” in the bottom right. Clicking on the details produces a nice table showing how someone accessed the account (browser, mobile, pop3, etc.), their ip address, and the date and time. you must acknowledge any session that is not yours.
In fact, gmail will notify you by default of any unusual activity. you can receive an alert if you sign in with a new device or from a different country. these alerts can be annoying but they increase your security. don’t turn them off.
You can also check the recently used devices page, which lists all the computers, phones, and tablets used in the last 28 days. again, it should be obvious if any of them are not yours.
double check settings
There are easy ways to read someone else’s emails without leaving obvious traces. these are controlled from the gmail settings, which you can find by clicking the cogwheel in the top right.
On the settings page, click on accounts and import and go to the penultimate entry: “grant access to your account”. someone could click “add an email account”, enter another gmail address and access their emails from that account. they can keep these emails marked as unread even if they have read them.
then click forwarding and pop/imap and review the section above on mail forwarding.
Email services allow users to forward all incoming email to another email address, and I think everyone should do this. I have gmail forward all my emails to my account at microsoft outlook.com. As a result, I can still read and reply to emails even if gmail is not accessible. also, if gmail were to block me, i would still have copies of emails from april 2004.
then if you can access someone’s mailbox, you can set up mail forwarding to an address you control, and they’ll probably never notice. make sure no one has done that to you.
If you only read gmail in a web browser, you can also disable the pop and imap access features. this would provide a small increase in security, but I don’t recommend it. In fact, there are advantages to using a PC email program like Microsoft Outlook, Thunderbird, or EM Client to collect Gmail using the IMAP protocol. These programs have more features than the web version of Gmail and store emails on your computer so you can easily access them offline. imap leaves the original emails online, so you can still access them using different devices. (yes, you can also install “gmail offline” through the offline tab).
remember to save your changes before switching tabs.
security password
once you’re sure your mailbox isn’t being hacked, change your password to keep other people out.
in gmail, go back to accounts and import and click “change password”.
Choose a strong password or passphrase that includes numbers and uppercase characters. gmail requires at least eight characters, but aim for 12 or 16 or even more. more time is better. It won’t be random unless you use a password manager, but avoid family names, pet names, birthdays, sports teams, and other obvious items.
For your convenience, your browser or email program may remember your password. If you allow it, your email will be as secure as your PC. anyone who can access your pc can access your email.
These days, of course, the easiest way to hack someone’s email is to use a phishing attack. In this case, someone sends you a link in an email that purports to come from Google. clicking the link opens a browser tab where “google” asks you to log in with your email address and password. the attacker reaps the results.
If you’re going to leave your computer unattended or fall for a phishing attack, it doesn’t matter how strong your password is.
do both steps
If someone can access your gmail account, they can change your password and lock you out. you can avoid this by using “two-step verification”. With Gmail, this usually means that Google will text a code to your mobile phone. this is fine until you have no signal or lose your phone. therefore, gmail asks for a backup phone number. (landlines work: you get a voice message). gmail also allows you to print a small set of verification numbers that you can use when you travel.
Google provides an alternative to SMS in the form of Google Authenticator, a free app for Google Android devices and Apple iPhones and iPads.
You can also slightly simplify 2-Step Verification by using “app-specific passwords”. For example, if you access Gmail through a smartphone app or email client that can’t handle two-step verification, you can require a separate password for each email program on each device. it only has to be entered once.
To use these additional security features in gmail, go to accounts and import, click on “other google account settings” and then on “sign in & security”. this provides access to password changes, two-step verification, and account recovery options.
account recovery
what if your password stops working and you can’t access gmail? the traditional approach to account recovery is to request certain personal information, such as your mother’s maiden name. this allowed people to hack into email accounts using information obtained from social media accounts. you can get around this by using random letters or something darkly incorrect, “mother’s maiden name: quetzalcoatl”, but then you have to remember the answers.
Google recovery options include a phone number, another email address, and a security question. he also likes to ask when the account was opened and when he last used it.
You may be able to find out when you created your gmail account by looking for (in my case) before: 2004/04/15, or any date in order yyyy/mm/dd. that won’t work if you deleted your welcome message, but vary the date to find the oldest message you can.
account recovery is the only way to recover your gmail account if you forget your password or if a hacker changes it. but it doesn’t always work, and you may be told “you weren’t signed in because google couldn’t confirm that xxxxxxxx@gmail.com belongs to you”.
so, as another reader, paul, discovered earlier this year, you end up in a “failed online recovery loop”. no contact center no online chat. no contact details at all.” It seems like there’s nothing you can do except open a new account, change all your online passwords and email addresses, and hope nothing bad happens.
Do you have any questions? email it to ask.jack@theguardian.com