This thread is getting very long. But it's time for a summary post nonetheless.

What is Google doing?

We made some changes today that are allowing us to block hijackers in real time. Accounts identified as hijacked are being sent to phone verification and forced to change their passwords. Typically only a few spams are making it out from these accounts, if any.

It is absolutely certain that the spammers will respond quickly and try to hide themselves better. So this doesn't mean the problem is solved.

We have many people working on hijacking right now. Some of them are working on medium to longer term projects - look for announcements on these efforts over the next few months. Others are working on shorter term projects which will typically not be announced. For instance, we're improving our hijacking detection system (the thing that generates the red warning bar) to make it faster and stronger. We're also improving the account recovery process to help more people recover their account after a hijacking.

Why we believe Google is not hacked

There has been a lot of discussion of this. I don't want to try and address every theory, but here is some more background.

There is a wave of hijackings impacting many large websites right now. Facebook, Hotmail, Yahoo, Craigslist - all these sites are seeing problems with accounts being stolen en masse as well. That's because there isn't one underlying flaw that's being exploited; it's the generally poor state of computer security that's the weak link.

We have penetrated areas of the black market and observed stolen accounts being bought and sold. Other companies have done so too. These accounts come in various forms. Some of them clearly leave evidence of how they were obtained, e.g., via keylogging viruses and website break-ins. We have seen people selling hundreds of thousands of accounts on various Russian hacker forums, a mix of different email providers. Sadly, these guys don't need to hack Google or Microsoft or any other big company - they can get all the accounts they want via other means.

You can read a report on one recent incident here

That story is about Facebook, but I want to emphasize that this is not an attempt to shift blame. This is not a Facebook-specific problem. This is a problem that is impacting the entire computer industry right now.

What you can do to help

We all have friends or relatives who use email. We're working on this from our end, but you can help by reminding your friends of good security practice. Read the sticky post in this forum for a great list compiled by MrEvan and the top contributors in this forum.

Quick points you can tell them:

• Use a unique password for your email account. Never share it with another site, as hijackers can get other sites to send them forgotten password links.

• If you receive a mail from a company that asks you to log in, navigate to the company's website directly. Don't click links in emails, especially if they ask you to log in.

• Avoid viruses. Keep your software, especially your web browser and plugins, up to date. Avoid pirated software. Use an AV scanner. Microsoft provides a free antivirus scanner, Security Essentials, if your friends don't already subscribe to one.

I hope this helps clear some stuff up.

Good evening everyone,