My GMail password was stolen earlier today.

Spent a bit of time trying to discern what happened, very little evidence. A couple of key points to note though about it which point me into a likely direction (and one program I won't ever be using again).



Any "risky" software I've run lately (very little) I submitted executables to some online virus-scanners that check for virii/trojans using 30 or more different security programs and any suspects I could come up with came up clean.



Here's the evidence:

1) My ICQ account got bumped first. I relogged, and a few minutes later got told I was logged in from another location. I ignored this *because* ICQ is now merged with AOL, and AIM has always had "ghost" problems if you change IPs, where it thinks your old IP is still logged in and sends you errors that you're logged into multiple locations. Since ICQ=AOL on the backend now, I figured that was the issue, since I'd been plugging/unplugging my modem just a few minutes earlier. More on this.



2) About an hour later, I lost connection to my Google Talk connection. I went to firefox and loaded the homepage, iGoogle was still loading, but when I tried to go to GMail, I got an invalid password error! Ruh Roh!



3) I post the first message here, and I start changing passwords.



4) I got a call from a friend a few minutes later with the Russian extortion "money for gmail" bit.



5) I check the ICQ account. Can no longer login at all - this password has now been changed. So I know both were hacked on the same day, obviously the same exploit.



6) I visit my Yahoo account and change the password. I don't know if it had been accessed at that point. I used the On-Screen Keyboard for the new password just in case there's a keylogger on my PC.



7) I checked eBay and PayPal..... still have access to these. Okay.... if it was a trojan, I'd figure they'd grab these as fast as possible. I change the passwords anyway.



8) Send info to Google. I don't remember who invited me, though, and that's a key part of the info they want if they are to talk to you about recovering your account.



9) Begin to investigate further how this happened. Several possible security holes:





First thought: Trojan. I've only run one suspicious file lately, a keygen. Always risky, yes. It got past Nod32 Virus checking, but I decided to run it past SpyBot and AdAware. Clean. So I submitted it to VirusTotal.com for scanning, reports as suspicious, but further investigation shows that what it finds is that the file is UPX packed - a very common method for making files smaller and in no way a security risk. The file is clean.

Other open trojan/virus. However, I'm running a fully patched Vista with Defender and Nod32 AV. Also the SpyBot scan is clear, and a McAfee online scan is clean. It is possible there's a new one out, but I don't see any evidence of one (and I'm good at this kind of thing). I have a very good grip on processes that run on my system, and there were no unexpected processes running, not even under services (you use Process Explorer to see this).



IE/Firefox Exploit. Possible, but not likely. I'm running fully patched IE7, and Firefox 2.0.0.12. The only known exploit in this version of Firefox is a directory traversal, which I have READ can only access things in other extensions. My source could be wrong, and this is a big concern. I <em>did</em> use IE7 for a few hours this morning just to see how it performs these days (I was impressed), and installed an addon called IE7Pro. The addon comes highly rated by reputable sites, I'd be surprised if it was a Russian Trojan.



I had to call RoadRunner tech support yesterday due to some cable modem problems. As usual, they won't give tech support if you have a router attached, and they can see on the other end what the modem is hooked to. So I had to connect my computer directly to the modem, no router. Of course, that then meant NO FIREWALL. And I forgot to plug my router back in for over 12 hours, thus the changing around of modem stuff this morning that threw me off on the ICQ account reconnects. So any potential remote exploits were wide open to the world for 12 hours. Is Vista so vulnerable it'll be hacked in 12 hours or less without a hardware firewall? Maybe not - see the next bit.



I realized that not only was my GMail password stolen, but my ICQ password as well. What did these two have in common that my eBay and PayPal accounts (not stolen) don't? They are BOTH STORED IN PIDGIN for my IM LOGINS. Pidgin is an open-source Instant Messaging client that is very popular on Linux. There's also a Mac version called Adium, and it has a decent following on Windows. It stores passwords for your IM accounts, thus had my GMail password for the Google Talk account, and my ICQ password. Especially interesting is that I never use my ICQ account - I set it up in Pidgin nearly a year ago and forgot about it. I probably haven't entered that password on an actual webpage since the 1990s, since I have no reason to go to ICQ's webpage. So no ICQ password in IE or Firefox cookies. It ONLY exists in Pidgin's stored passwords. This means <strong>the stolen passwords came from Pidgin</strong>. Now that could have been via a trojan that scraped the Pidgin INI file... But if a trojan is already on my system, why wouldn't it go for my Firefox or IE stored passwords, where it would find PayPal and eBay? And it couldn't be a keylogger, since I haven't typed the ICQ password for nearly a year.

So that leaves a hole in Pidgin itself, or one of the plugins. The only Pidgin plugins I have are the plugins recommended on Pidgin's site sometime last year. No they weren't updated - they have no autoupdate mechanism for plugins, and I rarely used them. Pidgin itself was current until just today, I got an update notification while I was trying to figure this all out. If one of Pidgin's listening services (it has several) were vulnerable, then by having my router disconnected (thanks RR TECH SUPPORT!), it was left open to the outside world for 12 hours, during which time a scan would have found it, thus discovery of an exploitable system was possible.



At this point, I'd lay 75% odds that it was a hole in Pidgin. Of course, knowing the open-source community the way I do, if it is an unreported vulnerability or one that's considered low-key (as in only Pidgin data is vulnerable, not a full system exploit... but enough to grab GMail and ICQ passwords), then chances are they will never admit the hole existed unless someone posts it. Unlike MS, if someone posts it they would of course fix it. Except I can't take the chance that my new accounts will be hacked too, so I reinstalled Windows. I'm not debugging their software for them, not when it is my private information at stake. Chances are no victims of this are even aware of how the info got out. The general assumption by the whole world is it is A) Weak password, B) Phishing attempt, C) Trojan. If it was just my GMail, I'd say it could've been C, probably not A but minor possibility. Definitely not B, I'm way too careful. But my ICQ too? That rules out A and B completely, as the odds of both my GMail and ICQ being brute forced on the same day are nil, and I haven't typed my ICQ password in over a year, so it couldn't even have been accidentally phished. And a Trojan - why go for the Pidgin config file?? Most systems won't even be running Pidgin.



I could be wrong about the source of the leak... which is why despite all the security software I could get my hands on telling me the system was clean I still wiped the drive.



The fact that I no longer have that particular gmail account doesn't pain me much. I have domains I use for most of my email now (also just changed the password on those, domain theft is common but I don't have any identifying info for them on my GMail). Unfortunately, having emails all the way back to 2005 readable by an extortionist in Russia isn't quite a minor deal. I believed the whole bit that it was safer on their server than my PC, so I had all my mails forwarded to Google since 2006. This means that any amount of potentially damaging info - such as all my serial numbers to Stardock products, and my Stardock password, are now in Russian hands. Websites that send passwords via email (bad bad practice) are all compromised. Lots of personal information is available. I have local copies of all my GMail up through about two weeks ago, so I can sift through to see what's out there, but it will take time to cover all bases and these guys know what they are looking for. Other things could be compromised already, and I don't even know it yet.



Fact is, I'm rather fing peeved off about this. I have a very good track record. I know what's safe and what's not. I haven't been infected with a virus EVER except for one that clearly was a room-mate's doing (she was like "hey this ebook i got on emule on your pc won't open, I tried it five times" when it was a frickin EXE file). I avoided viruses back in 1991 on the BBS systems when they were rampant, on IRC in the 90s, and I know every nook and cranny of the internet and Windows. I don't fall for things. I run multiple security precautions. I submit suspicious files to quite a bit of scrutiny before I run them. I keep Windows updated. Yet one little hole is all it takes, and from what I've read Google will do very little to help you in a situation like this.



Rant over.



(UPDATE)

http://www.mail-archive.com/foss-nepal@googlegroups.com/msg04114.html

I've found an advisory that points out that Pidgin stores its password file IN PLAIN TEXT! I'm now 100% certain the passwords were stolen from Pidgin, though the hole that allowed someone in could have been elsewhere. Any hack/trojan that could get a file from my home directory would therefore have access to this file. I cannot say for certain how the hacker got access to the file - it may or may not have been a remote hole in Pidgin as I initially suspected, but the fact that Pidgin stores its passwords in PLAIN TEXT and that one of the passwords stolen (my ICQ account) ONLY exists in Pidgin and nowhere else on my system (for years), there is no other place it could have come from but the Accounts.XML file.



Upon checking, yes, this is true. Accounts.xml is the file and it has all plaintext passwords. If you use Pidgin, you better hope your system is locked down, because you don't even have the simplest of protection if someone can get the file.
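To see for yourself which of your accounts are sitting on disk in the clear, here is a small audit script (added example, not part of the original post or of Pidgin itself). It parses a constructed sample in the shape of Pidgin's accounts.xml, where each account element carries a protocol, a name and, when the password is remembered, a cleartext password element; the file locations in default_accounts_path are the usual ones for Windows and Linux, and the script reports only which accounts are exposed, never the secrets themselves.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout of Pidgin's accounts.xml (not a real file).
SAMPLE_ACCOUNTS_XML = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>example.user@gmail.com/Home</name>
    <password>hunter2-constructed</password>
  </account>
  <account>
    <protocol>prpl-icq</protocol>
    <name>123456789</name>
    <password>icq-constructed</password>
  </account>
  <account>
    <protocol>prpl-aim</protocol>
    <name>someone</name>
  </account>
</account>
"""

def default_accounts_path():
    """Where Pidgin keeps accounts.xml: %APPDATA%\\.purple on Windows, ~/.purple elsewhere."""
    base = os.environ.get("APPDATA") if sys.platform.startswith("win") else os.path.expanduser("~")
    return os.path.join(base, ".purple", "accounts.xml")

def audit_pidgin_accounts(xml_text):
    """Return (protocol, name, stored) per account; stored means a cleartext
    <password> element is present. The password value is never returned."""
    root = ET.fromstring(xml_text)
    results = []
    for acct in root.findall("account"):
        protocol = acct.findtext("protocol", default="?")
        name = acct.findtext("name", default="?")
        results.append((protocol, name, bool(acct.findtext("password"))))
    return results

def exposed_accounts(xml_text):
    """Accounts whose credentials leak to anyone who can copy the file."""
    return [f"{p}:{n}" for p, n, stored in audit_pidgin_accounts(xml_text) if stored]

if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ACCOUNTS_XML
    for protocol, name, stored in audit_pidgin_accounts(text):
        print(f"{protocol:12} {name:35} {'PLAINTEXT PASSWORD ON DISK' if stored else 'not stored'}")
```

Run it against your own accounts.xml (the path from default_accounts_path) to list every account whose password would walk out the door with the file.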

Here is the argument the Pidgin Developers give for giving away your passwords:

http://developer.pidgin.im/wiki/PlainTextPasswords