Tip: Use Gmail’s built-in activity monitor to audit account security

One of my favorite aspects of Gmail is that Google goes above and beyond simple e-mail, offering extra features not found in many other e-mail services. One of these extra features is Gmail’s activity monitor.

Gmail’s activity monitor is a tool that logs who accesses your Gmail account (IP address + geographic location) and at what time the account was accessed; it also tells you what kind of device the account was accessed from (mobile, browser, etc.):

Using the recent activity log, one can easily spot if there has been unauthorized access to one’s Gmail account – just look for erratic, unknown, or unusual IP addresses. If you find an IP address that does not belong to you – look at the very bottom of the page to see your current IP address – that may mean your account has been hacked.

Do note, though, that finding multiple different IP addresses accessing your Gmail account does not necessarily mean your account has been compromised. You could have accessed your account using different Internet connections (e.g. your WiFi, your phone, your friend’s WiFi, etc.), in which case the IP addresses will differ; you may also be assigned a dynamic IP address by your ISP (most people are), so your home Internet’s IP address will change periodically, and that change may be reflected in the activity log.
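A sketch of the review described above, as an added example that is not part of the original post: it labels copied activity rows against your current IP and the address ranges you normally connect from, so a changed dynamic IP inside your ISP's pool is not mistaken for a break-in. The row layout, the `classify` function and all addresses (reserved documentation ranges) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample rows: access type | IP | location | date/time.
# This layout is an assumption for the example, not a Gmail export format.
# All addresses are from the reserved documentation ranges.
SAMPLE_LOG = """\
Browser | 203.0.113.57  | United States (CA) | 2010-12-27 09:14
Mobile  | 198.51.100.23 | United States (CA) | 2010-12-27 08:02
Browser | 203.0.113.201 | United States (CA) | 2010-12-26 21:40
POP3    | 192.0.2.88    | Unknown            | 2010-12-26 03:17
Browser | not-an-ip     | Unknown            | 2010-12-25 11:00
"""


@dataclass
class Entry:
    access_type: str
    ip: str
    when: str
    verdict: str   # "current", "known" or "review"
    reason: str


def classify(log_text, current_ip, known_networks, expected_types):
    """Label each activity row; anything not explained is marked for review."""
    current = ipaddress.ip_address(current_ip)
    nets = [ipaddress.ip_network(n) for n in known_networks]
    results = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            continue  # skip blank or malformed rows
        access_type, ip_text, _location, when = fields
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            results.append(Entry(access_type, ip_text, when, "review", "unparseable IP"))
            continue
        if access_type not in expected_types:
            verdict, reason = "review", "access type you do not use"
        elif addr == current:
            verdict, reason = "current", "this session"
        elif any(addr in net for net in nets):
            # Same ISP pool or carrier range: a changed dynamic IP, not an intruder.
            verdict, reason = "known", "inside a range you normally use"
        else:
            verdict, reason = "review", "IP outside every known range"
        results.append(Entry(access_type, ip_text, when, verdict, reason))
    return results


if __name__ == "__main__":
    for e in classify(SAMPLE_LOG, "203.0.113.57",
                      ["203.0.113.0/24", "198.51.100.0/24"],
                      {"Browser", "Mobile"}):
        print(f"{e.when}  {e.access_type:8} {e.ip:15} {e.verdict:8} {e.reason}")
```

Rows marked `review` are the ones worth looking up with an IP tracing tool before deciding whether the account was accessed by someone else.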

To double-check whether your account has been compromised, IP addresses can be researched using IP tracing tools. These tools provide detailed information about IP addresses, allowing you to determine if the access to your Gmail account was legitimate – i.e. by you – or not.

While you can use any tool you want to research IP addresses, WhatsMyIPAddress is my personal favorite IP address-searching tool because it displays general and geographic information regarding an IP address, in a human-readable manner:

If you come to the conclusion your account has indeed been compromised, you can use the activity monitor to quickly change your password (pick a good one this time):

  • Click on Sign out all other sessions to ensure nobody but you is accessing the account at that moment:

Once you change your password, since you logged everyone out that was logged in, no one but you will have access to your account.

Four more things to note:

  • In addition to changing your password, if your account has been compromised you should consider changing your security question/answer and verifying your recovery e-mail address and phone number are accurate. If someone broke into your account, they also could have figured out the answer to your security question (or even changed the question/answer), and/or modified your recovery e-mail address and phone number. All three can be changed via Google account password recovery settings:

  • You do not always have to manually access the activity monitor to check for suspicious activity. Gmail’s activity monitor can be set to automatically issue you alerts when it discovers odd access to your account:

By default the activity monitor is actually set to automatically issue you alerts, so you don’t need to turn it on yourself.

  • The activity monitor is accessible by clicking on Details at the bottom of your Gmail account’s page:

  • The activity monitor is available on regular Gmail accounts as well as Google Apps accounts.

While the Gmail activity monitor is no protection against hackers, it is an easy way to clean up the mess after the fact. *Cough* Gawker’ed *cough*

Have any other useful Gmail tips? How about tips regarding other e-mail services? Share with everyone in the comments below!

Thanks IainB!


31 comments

  1. someone

    I like the FlagFox firefox addon to provide me with is site down or me, my IP/info, WOT/Safe Site, and a whole lot more. I like the convenient access to those tools via right-click in URL field. You can add actions; don’t know if you can edit what’s already there but you can hide and add action to essentially replace.

    I’m curious how Google’s https works in terms of privacy. If you use https connection can they still log, track and provide (e.g. if ordered by law agency)?

  2. Dru

    @Tortuga: I’ve been trying to dig up a mail aggregator I read about recently. Not sure which it is, but it’s like Zimbra or Inbox.com. I think it’s a desktop client; I would prefer to stay away from a web service. I’m looking to pull Yahoo, Gmail, POP3, etc into one place. I’m concerned that forwarding rules may mean replies go back to my email account instead of sender.

    I’ve not used Thunderbird, but have a “someday maybe” project of migrating from M$ Office; at this point, Thunderbird is probably where I’d look first for email.

    I appreciate your observation that reducing email accounts has positive security impacts. I plan to go to all my online accounts and review what info I’ve got “out there”, change email address to one I’d use exclusively for online registrations/forums (not friends and family and not financials), and set long secure passwords. One nice thing about Outlook is I can pull in multiple POP3 accounts and can through rules auto-file based on account into separate folders. I’ll probably do that once I iron out this 3-account idea I’m kicking around.

    As an aside, I started using Lastpass today and I like it. I have been using Sticky Passwords from GOTD for a month or two and really like the functionality it provides. A huge help with setting better passwords!

    I’m not sure I can give you good feedback on your thoughts, but if I were managing many email accounts I would want to consolidate them (I can’t remember the last time I checked my Hotmail and Gmail accounts, and my Yahoo one languishes months between checks), and eliminate what I could. I defer to others to give you input on Thunderbird; I’ll be watching for those comments to help me with my “someday maybe” project.

    Cheers! Happy new year!

  3. Tortuga

    @Dru: Hello Dru

    Well, 3 accnts!!? That would be great to have «only» 3 accnts!
    The way we set it up, we have 1 accnt per machine »» for Freebies /registrations & whatnot.
    Also have business & personal accnts.
    All in all it’s A LOT of stuff to check /verify / cleanup / keep up with /change security/ verify pwrds /… And we aren’t even on F8, Twitter and all that Social (waste of time) crap.

    And my husband doesn’t like to do any of it, so guess who does it??!!
    Having hard time keeping head above water as they say *sigh*

    But as you say, FWding everything to 1 central location is a good idea, not only to manage it easier but also for security reasons. I’m thinking of redoing a new setup w Thunderbird soon.
    What do you think?

    See you around
    Peace

  4. Dru

    Maybe having 3 accounts would be a good idea? I think Ashraf mentioned somewhere he had more than one. I think maybe 3 accounts would be good: 1 for all secure stuff (banks, credit cards, etc), 1 for forums and registrations (may get spammed), 1 for friends and family. You can aggregate into one place by forwarding rules or 3rd party solutions (I came across one recently, forget the name, but it can pull together gmail, yahoo mail, pop3, and others).

  5. Tortuga

    Hello Ash

    Thanks for reminding us to be more vigilant.
    I knew all that, but still hardly ever check.

    One thing we should verify regularly is GMail filters – and make sure all the filters are *our* filters.
    Have heard horror stories of people that had the accnt compromised, but the hackers only added/changed a couple of filters to redirect Bank info, statements, transactions, to their own acct.
    People w a long list of filters like my husband & I have, in several accnts, it will not be immediately apparent that anything has changed.

    On the other hand, if we do all we should do to be safe, we wouldn’t be able to do anything else:
    • Regularly change pwrds, for each accnt (eMail, bank, pin, access codes, … , … ) check all the logs, do security spot checks, check statements, balance the books, get deposits & all payments on time, get all paperwork done, …
    • And when one thinks it’s all done, hell no – Have to learn new ways to defend ourselves against new threats, and on and on and on it goes.

    It’s maddening – There is just *no* time to do it all!
    Phew, just thinking about it – I’m tired!!!

    Laters :)

  6. Ashraf
    Author/Mr. Boss

    @Dru: Well you can’t keep OpenDNS from knowing about you if you use them because you are routing all traffic through them, meaning even if you use a proxy the traffic is being routed through OpenDNS then wherever it needs to go. I honestly don’t recommend OpenDNS to people because of that potential privacy issue. I trust my ISP more than I trust OpenDNS.

    And trying to prevent your ISP from knowing who you are is like trying to buy a car without giving your name. Really isn’t going to happen. In fact, I would say trying to buy a car without giving your name is easier than trying to hide from your ISP.

    That said, I have heard Tor is a good way to protect anonymity, but I have never personally used it so I don’t know. One thing you should consider with Tor, though, is that it doesn’t magically protect your privacy. If I understand how Tor works, it routes traffic through Tor “nodes” voluntarily setup by people. Who is to say one of these people isn’t using their “node” as a way to mine the data of people who are routing traffic through it? Similar concept applies to proxies.

    Finally, trying to hide from Google is no longer a simple matter of not using their search engine. Thanks to Google AdSense, Google is everywhere on almost every website, including dotTech. To fight Google you 1) Need to stop using all their services and 2) Opt out of their ad cookies (see http://www.google.com/privacy/ads/) and 3) I am sure there are other things you need to do too.

  7. Dru

    @Ashraf: Wouldn’t Tor, Ixquick, and proxies help prevent ISP, Google, and OpenDNS from knowing all about you? What resources do you recommend to learn more about this and practice safe computing in a world marked by growing surveillance/monitoring/profiling?

  8. Ashraf
    Author/Mr. Boss

    @alan: Google may or may not know everything about you. But if you are using OpenDNS, they sure do =P

    @Everyone: The mention of this husband-wife e-mail thing made me look it up, out of curiosity. While I am not making a judgment call on what the husband did (right or wrong is not for me to decide) I do find it odd that valuable resources are being spent to prosecute a guy who looked at his wife’s e-mail. Don’t they have drug dealers or murderers or other more dangerous crimes to deal with?

  9. alan

    @Dru:

    A large network of bargain grocery stores sends me a weekly email of special up-coming bargains.
    As I read each one Gmail would instantly select one or two and suggest them with calendar reminders.

    How clever of Google Gmail to guess what would appeal to me,
    they seemed to know my weekly shopping list as well as my Tesco Loyalty card ! ! !

    Alan

  10. Dru

    I read an article here in US that shortly (within hours) after using her Gmail account to email a family member regarding a particular form of cancer that she started seeing medicine ads relating to cancer in her adverts area. The conclusion was Google mined her email for more targeted ads. This and the massive profile type of information that’s being collected, aggregated, and mined has kept me from gmail. Is this ridiculous on my part or smart?

  11. alan

    Several hours ago I changed my primary DNS from OpenDNS to Google DNS = 8.8.8.8.

    Since then http://WhatsMyIPAddress.com has given me several sessions of successive failures of the type I previously posted, and several sessions of success.

    I think either OpenDNS has random sessions of difficulty resolving WhatsMyIPAddress.com,
    or Google DNS has random sessions of winning the race with a resolved IP number
    and other times Google resolves too late and OpenDNS has jumped in with its spurious error report.

    Right now I am lucky and/or Google DNS is winning the race,
    and I launched CMD.EXE and ran
    ping whatismyipaddress.com
    which told me
    Pinging whatismyipaddress.com [67.203.139.152] with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 67.203.139.152:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    I will try that again when Google is losing the race.

    N.B. Although I get a ping timeout from the resolved IP 67.203.139.152,
    when I paste in my Firefox address bar 67.203.139.152
    I get a page that is blank apart from my current IP address.

    I have found the official OpenDNS forum.
    Posting now – will report here any further updates
    Alan

  12. Emrys

    Yup. I knew about this service, that’s why gmail is my main address. And what a hornet’s nest you stirred up with this one. Might as well stick your head in a bee hive. (No don’t…just a figure of speech).:)

  13. meldasue

    @meldasue: Sorry, it’s the prosecution for Oakland County, not the defense, that is trying to portray the guy as a hacker. You’d think that in an area with serious financial problems, they’d have more important crimes to prosecute.

  14. meldasue

    @Rob (Down Under): I had to look this up, because I hadn’t heard of it. Here is the link to the Detroit Free Press article: http://www.freep.com/article/20101226/NEWS03/12260530/Is-reading-wife-s-e-mail-a-crime?-Rochester-Hills-man-faces-trial#ixzz19QnWE3fq

    It’s an experimental case – they don’t know if they can apply the Michigan anti-hacking law to this case, and it’s somewhat complicated – the man found evidence that his current wife was having an affair with her previous (second) husband, who was abusive. He gave the e-mails to the first husband, who is the father of her child, out of concern for the child. I can see that there might be *civil* law implications here, since the husband shared the information with another person (even though it was in the interests of the child’s welfare).

    However, this is a law specifically written to combat identity theft and stuff like the Gawker hack, and the defense is trying to portray the husband (who is a computer tech by trade) as a sophisticated hacker. Considering that the password was sitting in a notebook next to the computer, it’s going to be hard to make that fly with a jury.

  15. alan

    I have just understood how to use “check another site” and I get
    It’s just you. http://WhatsMyIPAddress.com is up

    Out of interest I also tried .net and .org with the results
    It’s just you. http://WhatsMyIPAddress.net is up.
    It’s not just you! http://WhatsMyIPAddress.org looks down from here.

    Then I tried their nameservers which are reported as down, is that correct ?
    The reports are :-
    It’s not just you! http://ns1.cgpholdings.net looks down from here.
    It’s not just you! http://ns2.cgpholdings.net looks down from here.

    Alan

  16. alan

    @Ashraf

    What is the numerical IP address of WhatsMyIPAddress ?
    I would like to put that direct in my address bar – OpenDNS fails to show me.

    Some while ago great big chunks of the TalkTalk system fell over.
    Many TalkTalk users had total loss of service, but I was lucky – sort of.

    For me I found many sites could not be reached, and most others were slow/reluctant to connect.
    I deduced that most TalkTalk users were like me and used the DNS servers run by TalkTalk,
    and suspected they were unable to cope with the extra burden of re-routing around a broken network,
    so I changed my router settings to OpenDNS and everything was sweet again.

    I am now wondering if OpenDNS has been poisoned ! ! !

    It still reports to me the WhatsMyIPAddress is not loading,
    but both the nameservers are working and something else is wrong.
    The complete report by OpenDNS is below :-

    Hmm, whatismyipaddress.com isn’t loading right now.

    The computers that run whatismyipaddress.com are having some trouble. Usually this is just a temporary problem, so you might want to try again in a few minutes.

    Want more detail? See which nameservers are failing.
    Nameserver trace for whatismyipaddress.com:

    Looking for who is responsible for root zone and followed k.root-servers.net.
    Looking for who is responsible for com and followed b.gtld-servers.net.
    Looking for who is responsible for whatismyipaddress.com and followed ns1.cgpholdings.net.

    Nameservers for whatismyipaddress.com:

    ns1.cgpholdings.net
    ns2.cgpholdings.net

    The servers listed are working, but something else might have gone wrong.

  17. alan

    @Ashraf

    My DNS server is OpenDNS, and my ISP is TalkTalk.
    For me WhatsMyIPAddress is STILL down even though the two servers are listed as working.

    Due to this post I have tried to see what is known about me by WhatsMyIPAddress

    Last week I noticed that Google Gmail was volunteering the information that I live at Leyland.
    A very good guess that missed me by only 4 miles.

    Yesterday it occurred to me that my local B.T. telephone exchange holds the interface between my analogue telephone line and the TalkTalk network, and it occurred to me that Google has access to information which links my dynamic IP address with my fixed local exchange interface, and it may even know my telephone number.

    I am so glad my computer does not have a built in web cam for Google to access ! ! !

    Alan

  18. Rob (Down Under)

    @Ashraf:
    Ashraf, are you in the US ?
    I wonder if they are not reporting it ?
    I know in Australia, the husbands constantly get the wrong end of the deal, when marriages (inevitably) disintegrate, and no one in the government or the press ever notice that, or at least do not report it.
    I imagine US would be even worse than Aust ?
    Which makes me wonder if they are not reporting this ludicrous prosecution ?

  19. alan

    WhatsMyIPAddress is down, further details :-

    ns1.cgpholdings.net
    ns2.cgpholdings.net
    The servers listed are working, but something else might have gone wrong.

    This is very disappointing.
    Has the “Blogger of the Year” caused it to crash by directing too much traffic for it to handle ! ! !

    Alan

  20. Rob (Down Under)

    @Ashraf: In the last 24 hours the Australian TV News programs have been reporting on a gentleman in the US.
    He suspected his wife was having an affair, and decided to use her GMail password (kept in a wee book beside the PC that they both used).
    He actually found evidence in her GMail emails proving that she was having an affair.
    He is now being prosecuted, and faces 5 years jail, if proven guilty (of reading her emails).

  21. Rob (Down Under)

    I bet this article (or the timing of when it was created) relates to the gentleman that is facing 5 years jail for snooping into his wife’s GMail account ?
    I think he should get 10 years jail.
    Then we should look back, and locate every woman that has ever snooped into their partner’s phone SMS’s, etc, etc, and give them 10 years as well.