Noticed a phone that isn't mine logged into my google account the middle of last month

primetime

OK, after a major panic attack the pw is changed and the device removed. What am I doing wrong? I did change the whole thing to 2-step verification for the future, so that should help. It scares the hell out of me, thinking of the damage that could be done if someone can log into your Google account.
 
Remember that your 2-factor auth should not be using the Google Authenticator app. Texts probably aren't good either if you have an Android device, since Google has hooks that allow auto reading of OTPs through text, just like hooks in the authenticator app that are the reason it is compromised. Malware can make use of these and automatically take a screenshot of your one-time password and send it to another account. In this way hackers can attempt to log in, get your OTP, and then log in.

Email method is the only one that doesn't have hooks that auto input the pass right now. So best to use that method, and use a backup email that is not a Google account/Gmail.
 
Remember that your 2-factor auth should not be using the Google Authenticator app. Texts probably aren't good either if you have an Android device, since Google has hooks that allow auto reading of OTPs through text, just like hooks in the authenticator app that are the reason it is compromised. Malware can make use of these and automatically take a screenshot of your one-time password and send it to another account. In this way hackers can attempt to log in, get your OTP, and then log in.

Email method is the only one that doesn't have hooks that auto input the pass right now. So best to use that method, and use a backup email that is not a Google account/Gmail.
I'm kinda hoping the new cryptic pw is a good start. This whole thing has opened my eyes, probably before any real damage was done (I believe). I have no reason to believe whoever it was got past the second pass phrase, and maybe that kept them from locking me out? This is what drew my attention:
recent events.jpg


Good idea on the recovery email, so I need to create another and WILL do that soon. I don't want to even imagine the pain of getting locked out of one's primary email account. I'm going to reread the 2-step verification and try and make sure it is done the way you suggested... thks
 
and use a hardware 2FA key (yubikey/etc) if you really want to go high and right. ;)
 
and use a hardware 2FA key (yubikey/etc) if you really want to go high and right. ;)
yep..... I started using Bitwarden for making and keeping all those new pw's uncrackable. I don't know how I got by without it now
 
yep..... I started using Bitwarden for making and keeping all those new pw's uncrackable. I don't know how I got by without it now
I've been using LastPass but Bitwarden also looks attractive. I never heard of Bitwarden until just now, even though I have read any number of articles about the top password managers.

Before using LastPass, I used Dashlane for a bit but I found it hard to use on iOS so I switched.
 
One time I thought this happened to me... But I used an Android emulator where I signed in (BlueStacks IIRC). It reported as some random Samsung device too. Lol

And Bitwarden is awesome for those who are looking into it. Love the open source part of it.
 
OK, after a major panic attack the pw is changed and the device removed. What am I doing wrong? I did change the whole thing to 2-step verification for the future, so that should help. It scares the hell out of me, thinking of the damage that could be done if someone can log into your Google account.
Honestly anyone without 2FA in this day and age is asking for trouble if you use that account for anything important. Along with a secure password you should be fine. But in this case whatever happened, the damage is done.
 
One time I thought this happened to me... But I used an Android emulator where I signed in (BlueStacks IIRC). It reported as some random Samsung device too. Lol

And Bitwarden is awesome for those who are looking into it. Love the open source part of it.
I also recommend a PW manager.
 
One time I thought this happened to me... But I used an Android emulator where I signed in (BlueStacks IIRC). It reported as some random Samsung device too. Lol

And Bitwarden is awesome for those who are looking into it. Love the open source part of it.
you know.... I have looked at that program (BlueStacks IIRC) once upon a time, but I'm thinking I would remember it, being it was just a few weeks ago.. BUT that would explain a few things since, aside from the login, I can't find anything strange that took place. I'm going to say this is at least a possibility
 
I just write my stupid long passwords in a notebook. Works great.
I assume maybe you're joking? I highly recommend trying out one of the pw managers. I like it 'cause I can easily pull it up on phone, laptop or desk. So many times I have been on the road and couldn't log into whatever, but those days should be over. :)
 
I assume maybe you're joking? I highly recommend trying out one of the pw managers. I like it 'cause I can easily pull it up on phone, laptop or desk. So many times I have been on the road and couldn't log into whatever, but those days should be over. :)
I like the notebook. More difficult to hack.
 
I like the notebook. More difficult to hack.
point taken.... if for some possibility Bitwarden was cracked OR whoever figured out a login and master password, it would be extremely bad since it has all your info in one place. (Like holy shit bad)
 
point taken.... if for some possibility Bitwarden was cracked OR whoever figured out a login and master password, it would be extremely bad since it has all your info in one place. (Like holy shit bad)
I also don't have to remember the password to my passwords, and if someone tries to steal it, I have the opportunity to break their knees. Highly effective low tech solution
 
Honestly anyone without 2FA in this day and age is asking for trouble if you use that account for anything important. Along with a secure password you should be fine. But in this case whatever happened, the damage is done.
Some of the high value sites (like the bank) have already implemented 2FA that is easily done, using a text message code sent to your phone. eBay once gave me a one-time password card for use in login, but that stopped working recently. In any case, they now use a phone text message.
 