Hacked Gmail email account

Hello,
This has never happened to me before.  I received an email from a friend but could tell it was not from him.  The "reply to" address is his.  I emailed him back asking if he sent it and I actually received a response but it wasn't from him either.

He has a gmail account.  He just told me his password had changed and not by him...his account was remotely hacked.

We changed his password and reset his recovery information.  Anything else that we should do?
Thanks,
Mags

awawadaCommented:
You can see the last suspicious activity IP here:
https://security.google.com/settings/security/activity

I have also enabled 2-step verification:
https://www.google.com/landing/2step
0

Mal OsborneAlpha GeekCommented:
Make sure you don't have a stupid password.  "Pässword" or "qwerty" or "123" are examples of stupid passwords.
0
andreasSystem AdminCommented:
Also ensure his PC is free of malware. Especially if he used such a stupid password before he got hacked.

These examples are also stupid passwords:

Stup1dPassw0rds!
ImSoS@f3.
Letmein12#

Good passwords look like this:

-G1pwll6t#
Ashcn+9+htnssP!
GunWindowPavementScrew
0
rindiCommented:
As mentioned, you should thoroughly scan the PCs he uses to access his Gmail for viruses, keyloggers, trojans etc. It is more likely his Gmail account and password were found out via such a bug on his PC, rather than directly at Gmail. For example, many email clients and web browsers which are used to connect to Gmail can be set to store passwords, and those can often easily be read out. If the bug is still active on his PCs it would be easy for the attacker to see the new password.
0
MagsOwnerAuthor Commented:
Hi awawada - I did gather this information when I had him reset his password.  It shows a computer from New York and Nigeria accessing his Gmail account.  They changed his password and retrieval email address and phone - this has been corrected.  He was using a "Stupid" password which has also been corrected.

During Gmail's security Checkup we also found 2 items that have account permissions.  He did not recognize them so we removed them.

I will run some scans when we connect this afternoon but his Gmail account actually seems to have been hacked elsewhere as he wasn't even using his computer.

His bank was contacted via email to transfer money into an account which they did not do but called him.  I am also having him send an email to everyone in his contact list explaining the situation.

If they no longer have access to his Gmail account what other threats may be lurking for him?

Thoughts?
Thanks,
Mags
0
rindiCommented:
If they got your bank account, it is very likely that the computer is compromised, as such info is normally not contained within emails, but often you have it somewhere on the PC.

I would probably install the PC's OS from scratch / recovery partition to make sure nothing bad is left on it. Change the User's passwords on the PC as well, and make sure he has a separate account with admin rights that he never uses, and a standard account which he always uses. Install a good AV tool, like the free Panda AV, and make sure the OS is fully patched. Only install software that is really needed, and be careful when installing that you read all the screens and deselect any additional stuff.
0
MagsOwnerAuthor Commented:
rindi, they did not get into my client's bank account.  They simply sent the bank an email, since they were in his contact list, asking him to transfer money.  They did not have any access to his account.
0
rindiCommented:
Yes, but how did they know the bank's account number and what bank? Such info is usually not within any emails.
0
MagsOwnerAuthor Commented:
They did not know any account numbers.  My client has his bank representative's email address in his contact list and they simply asked her to transfer money.  When she was suspicious she replied to the email and when the response came back with a story she called him.
0
MagsOwnerAuthor Commented:
In recently used devices it is now saying that the current device (I am on his computer) is located in Texas...very strange...what do you think is going on?
0
andreasSystem AdminCommented:
Maybe his router or PC is hijacked and his traffic is passed through some proxies.

Check the IP that the ISP has assigned to him, and also check what IP other pages see when you surf around. They should match.
There are plenty of pages out there that will tell you your own IP, e.g. various speed test pages (e.g. speedtest.net).

If there is a mismatch, check the proxy settings on the PC used, then try to bring in your own laptop, connect it to his router and find out what IP other pages see when you are using the web from your device on his internet connection.
Still a mismatch? Then the router might be compromised or the ISP is using transparent proxies or CG-NAT gateways.

It really depends on which ISP you have, what the assigned IPs are and what others see as your IP to conclude more exactly.
0
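The comparison andreas describes above (the ISP-assigned address against the address other pages see, from the PC and from a second laptop), as an added Python example that is not part of the thread. The function name, verdict labels and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Shared address space (RFC 6598) that ISPs use behind carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(wan_ip, seen_by_device):
    """Return (verdict, devices_to_inspect).

    wan_ip         -- address the ISP assigned, read from the router status page
    seen_by_device -- {device name: public IP an IP-echo page reported for it}
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = {d: ipaddress.ip_address(ip) for d, ip in seen_by_device.items()}
    off = sorted(d for d, ip in seen.items() if ip != wan)

    if not off:
        return "match", []
    if len(set(seen.values())) > 1:
        # Devices on one router disagree: the cause is local to the odd ones
        # (proxy setting, VPN, malware), so check those machines first.
        return "device-specific", off
    # Every device sees the same foreign address: the cause is upstream.
    if wan in CGNAT:
        return "cgnat", []
    if any(wan in net for net in RFC1918):
        return "double-nat", []
    # Public WAN address, yet the internet sees another one: router
    # compromise or an ISP transparent proxy are the remaining candidates.
    return "upstream-mismatch", off


if __name__ == "__main__":
    # Constructed sample readings (documentation address ranges).
    readings = [
        ("203.0.113.7", {"pc": "203.0.113.7", "laptop": "203.0.113.7"}),
        ("203.0.113.7", {"pc": "198.51.100.9", "laptop": "203.0.113.7"}),
        ("100.72.1.5", {"pc": "198.51.100.9", "laptop": "198.51.100.9"}),
        ("203.0.113.7", {"pc": "198.51.100.9", "laptop": "198.51.100.9"}),
    ]
    for wan, seen in readings:
        print(wan, seen, "->", classify(wan, seen))
```

Only the "device-specific" and "upstream-mismatch" verdicts call for further investigation of the PC or router; "cgnat" and "double-nat" are ordinary explanations for a mismatch.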
MagsOwnerAuthor Commented:
We've checked things out and changing his password to a more complex password has done the trick.  All his devices show the same IP address so we feel the issue has been resolved.  Thanks for all your help!
Mags
0