Google just reported a "Critical security alert" What's going on?

I got this email from Google

“Google prevented someone from signing in to your account using a non-Google app. If this wasn’t you, they know your password and you should change it immediately.”

Based upon the IP address and time, it was my desktop computer and I was sleeping. No one else could have physically attempted it.

Do I have reason to be concerned?

It’s probably a phishing attack of some kind. If you are really concerned then close out your browser, reset your computer, go to your Google account directly and change your password…or call up their customer service and talk to them directly. Don’t click on any links in the email that say something like ‘click here to change password’. Don’t do anything with that email except delete it.

I don’t think it’s phishing, the email seemed legit… from the google.com domain: no-reply@accounts.google.com

That seems legit, true, I’m always very careful about vendors sending me stuff…or seeming to. If you are concerned, then as I said, go into your Google account (don’t use any links, if any, in the email) and change your password to something non-mnemonic (I usually use a password generator using strong password characteristics).

Whether you think it’s legit or not, I’d still be concerned and probably change my password ASAP. Look into changing your code phrase or whatever they have you using for recovery as well, as sometimes hackers who gain access to your account will simply note that for future use.

Considering that Google regularly marks its own alert notifications to me as Spam, I’m not impressed with their precision.

Note that the “From:” part of an email is easier to forge than the return address on an envelope. You have to look at headers (and know how to decipher them) to find the actual sending machine.

Phishing attacks usually are trying to get you to click on something which leads to a Very Bad Page or to download something Very Bad. The addresses these links go to are often a tell*.

* ASSUMING that the email program/site will allow you to look at these things!

MS’s live.com likes to scramble links and not let me see the actual email header. Genius move there.

Never click on anything on such an email. Open up a new tab, go to the site directly and check things out if you are worried.

  • But some links start with a legit-looking address but are followed by weird gibberish. There can be hidden redirects embedded there that take you to a nasty site.

Let’s be careful out there.

Definitely. You can usually mouse over links and such and it’s generally pretty obvious that they are a scam just based on where they are taking you. They will put something that LOOKS like whatever they are pretending to be, but it’s often got extra characters or other tells. I never click on anything in an email, even if I really think it’s legit.

Regardless of whether it actually is from Google or not, the OP’s best bet is just close the email and go to the vendor’s site independently and change his or her password manually.
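As an added illustration of the “mouse over the link” advice above (example code, not from any poster in this thread): a small checker that parses a constructed HTML mail body and reports links whose real destination host is not the domain the mail claims to come from. The EXPECTED_DOMAINS list and the sample links are assumptions made for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the demo: the domain this mail claims to come from.
# A host counts as expected if it equals one of these or is a subdomain of one.
EXPECTED_DOMAINS = ("google.com",)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    # .hostname drops any "user@" prefix, so a trusted-looking name placed
    # before an @ sign is not mistaken for the destination.
    return (urlparse(url).hostname or "").lower()


def is_expected(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def suspicious_links(html: str):
    """Return (href, reason) for each link whose destination is not what it appears to be."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if urlparse(href).scheme.lower() not in ("http", "https"):
            findings.append((href, "non-web scheme"))
        elif not is_expected(host):
            findings.append((href, f"destination host is {host!r}"))
        elif text.lower().startswith("http") and host_of(text) != host:
            findings.append((href, "visible URL text differs from destination"))
    return findings


# Constructed mail body: one genuine-looking link and two lookalikes (.example TLD / IP).
SAMPLE_MAIL = """
<a href="https://myaccount.google.com/security">Review activity</a>
<a href="https://accounts.google.com.signin-check.example/reset?u=abc123">https://accounts.google.com/reset</a>
<a href="https://accounts.google.com@203.0.113.7/">Change password</a>
"""
```

Running `suspicious_links(SAMPLE_MAIL)` flags the second and third links and leaves the first alone; the same check is what a mail client’s hover tooltip lets you do by eye.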

I keep getting emails from Steam saying somebody in Russia is trying to log in to my account. They have never succeeded, but they have succeeded in getting correspondence from Steam to be sent to me in Russian (except for the email telling me somebody tried to log in, for some reason). I’ve changed my password twice, now.

Set your Steam account to do two factor authentication…that should stop what you are describing. I had a similar issue until I did that.

I haven’t got a message like that recently, so I can’t confirm the text. And you need to be very careful about clicking on links in any message that suggests you ‘change your password’. But Google sends out messages like that all the time.

A ‘non-Google app’ is pretty much any program that runs on your desktop. And modern computers may wake in the middle of the night to do something, and when awake may do anything else. And the time given by Google will either be London time (‘universal’ time), or the time at the location they /think/ is the correct location.

Google wants you to use Android and Google Apps for everything: they are in competition with Apple and Microsoft. They aren’t very subtle about saying so. You get a message when you do something different. Normally, with some thought, you can identify what you did that was non-Google, even if the time and location are wrong, and your computer did it for you.

I just don’t like that Steam has their own authenticator app that only works for Steam rather than partnering with Google or MSN or one of the other solutions that provides codes for many products.

Have you got any extensions in your browser that either a) have been authorized to access your Google account, or b) could have gone rogue?

I use IMAP to connect to a GMail account, and whenever I travel I get those security alert emails just for being on wi-fi I’ve never used before. So it’s possible your ISP gave you a new IP address in the middle of the night, and then Google saw a login from an unknown IP, flagging the account. It’s a very low bar that borders on fear mongering. The first time I got it while traveling I did go ahead and change my password, but then when I got home they sent me another email warning because I guess they flushed all the old IPs along with the password reset.

Two factor is less secure than regular old passwords. That’s right. Less secure.

There’s a lot of Security Theater out there. This is an example.

Anyway, I’ve suddenly been getting a lot of phishing scams lately supposedly from GMail, etc. So I’ve checked on a few. Most have obviously incorrect “From:” fields, etc. But one was clever. Right “From:”, the links seemed at first glance to be Amazon, but there’s a ton of odd stuff finishing off the URL that no doubt sends you elsewhere.

Steam two factor doesn’t use SMS. Their app has an integrated token generator that creates a unique five character code at whatever interval they’ve decided on.

So how is it sent? The whole point of 2FA is using a separate communication path. Without that you are basically using a complicated password system.

IMHO it is not phishing. It is real and important.

I got a similar message (on my phone) on the same day. Like K364 I saw that the actual sender was no-reply@accounts.google.com, which seems legit. (FWIW my Google email is a secondary account which I use only for subscriptions such as The Straight Dope & AWAD.)

I went to my laptop, signed into Google, and went to My Account. It showed a sign-in attempt WITH MY PASSWORD from an unknown device. I traced the IP address, and it showed a location in Chicago’s Chinatown from a server in Brazil. (I live in the Chicago suburbs.)

That was scary enough for me. I changed my password and enabled 2-factor authentication. Furthermore, I confirmed that only my laptop & phone are authorized devices.

I strongly recommend to K364 (and anybody else in a similar situation) to do the same.

If Steam Guard works like Google or MS Authenticator apps, it’s not sent. It uses a unique code generated when you first set up the app ( for each login) that is combined with the time on your device.

In fact, both the Google and MS apps will work in airplane mode.

Ergo not 2FA.

Pay attention folks! Anything can be put in the “From:” field. You can put “From:Jesus@PearlyGates.Heaven” there. Do not trust that field at all.

(I once had a fellow Computer Science faculty member who didn’t believe me on this. I immediately sent them an email from the President at the White House.)

It is exactly 2FA. The two factors are your password and the code generated by the authenticator. There are also fobs that display a number that changes every minute or so that provide the same function as the app.
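An added example, not from any poster, of what the two posts above describe: a time-based authenticator code (RFC 6238 TOTP, the scheme the Google and MS apps implement) is computed locally from the enrolment secret and the clock, which is why it works in airplane mode, and the server recomputes it from its own copy of the secret. The base32 secret is the RFC test key, constructed for the demo, not any real account secret.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # time-step length used by most authenticator apps
DIGITS = 6          # Google/MS Authenticator show 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter; 'dynamic
    truncation' picks 31 bits from the digest and reduces them mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time-steps since the epoch.
    Nothing is transmitted; the phone only needs the enrolment secret and a clock."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


def verify(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: recompute the code for the current step and its neighbours
    to tolerate clock drift. Constant-time compare avoids leaking partial matches."""
    for drift in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed enrolment secret: the RFC 6238 test key "12345678901234567890" in base32,
# as an authenticator app would receive it from the enrolment QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("code for this step:", code, "server accepts:", verify(DEMO_SECRET_B32, code, now))
```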

Other possible options for components of 2FA are biometrics, i.e. retinal or fingerprint scans.
The previously mentioned fobs now frequently include a USB plug that can be plugged into a system so you don’t have to type in the code.
Common Access Cards (CAC) that have to be inserted into a reader when you log in.

This is by no means a comprehensive list, just some of the most common measures.