Google suspicious login

Has anybody had one of these? I'm not sure if it was just a brute force attempt or if the password had leaked somehow. I'm 99.99% sure the email is genuine but I still didn't use any links in it to reset my password.
Hi [myname],

Someone recently used your password to try to sign in to your Google Account - [backup email addr].

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Saturday, July 11, 2:36 AM GMT+7
IP Address: 223.255.229.67 (subs13-223-255-229-67.three.co.id)
Location: Jakarta, Indonesia


If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

Reset password

Sincerely,
The Google Accounts team

Comments

  • Anne_Marie_2
    Anne_Marie_2 Posts: 2,123 Forumite
    Yes have had a few of these, and mine have all been genuine, but it's always been me logging in from somewhere else, not home. If you are not in Indonesia, I'd suggest you change your password.
  • Jivesinger
    Jivesinger Posts: 1,221 Forumite
    You could try logging into your Google account via a browser (typing in the URL yourself of course, or using a known good Favourite) and seeing if the Account information on there confirms it? (Not 100% sure whether it would as I've not been in that situation.)

    Edit: I see that's pretty much what's recommended in the link gunte posted.
  • Swipe
    Swipe Posts: 6,061 Forumite
    I get lots of false positives. Just checked my device activity and it says someone logged into my account from my phone in the US on 7th July. My parents also got one saying someone in Tel Aviv had logged into their account. A few days later I open Chrome on my laptop whilst at my parents' house and I default to google.co.il so sometimes geo-location detection gets screwed up.
  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    Yes I think it's some geo-location fault as I'm currently using Three 3G. It's no big deal to change a password so I did do that.

    The only doubt in my mind was that I have been communicating with Three tech support over a fault with a cell and they certainly don't sound like they are UK based. They have my email address and I wondered if somebody had been chancing their luck that the password for that was the same as my Three account.
  • arrallas
    arrallas Posts: 182 Forumite
    Do you use a VPN or something like Hotspot Shield to access overseas sites? If you try to access mail whilst connected it will produce the login warnings you describe.
  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    I have used TunnelBear occasionally but almost always set to UK location and not at all in the last week or so.

    My real interest was whether or not the correct password had been used. I'm not that concerned with random hacking attempts but if the hacker had the password that is both puzzling and troubling. I do have two stage auth enabled so that should have been a longstop anyway.

    In truth I think it was just a login by me through my 3G connection and Google had a geolocation error. Because the cell I've been using has been having issues I wouldn't have thought twice about a login failing and me having to retry it.
  • paddyrg
    paddyrg Posts: 13,543 Forumite
    I strongly recommend 2FA (two factor authentication) which you can enable for free on any Google account, and it adds a login step where you need a physical token (either a one-off printed pass code from your wallet or a code from your mobile phone or an SMS to the number on the account) as well as your password.

    I could tell you my password, but without my phone, it's useless to you.

    PayPal also offer this (theirs is SMS based), not as well implemented for mobile, but good if you mostly use a laptop/desktop.

    For me, it adds so much reassurance, it's effectively impossible to brute force, phish, keylog, or use most attack vectors against my Google account.
  • arrallas
    arrallas Posts: 182 Forumite
    kwikbreaks wrote:
    I have used TunnelBear occasionally but almost always set to UK location and not at all in the last week or so.

    I would still suspect TunnelBear. I occasionally use Hotspot Shield on holiday. It is not set to start with Windows so should not be active unless I need it. I started to get warnings from Gmail about suspicious logins, but always after starting Outlook (and failing to download from my Gmail account). The warnings mentioned logins from Germany, USA etc. Finally I tried to log in to this forum and was told that the admin had blocked my IP address! I completely uninstalled HS and the problem has gone. Just because you used a UK IP address in TunnelBear does not mean that it is not seen as a dodgy login by your email provider. I know you said you haven't used TB recently, but I hadn't either. Uninstall it and see if it cures things - you can always reinstall later.
  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    It was a one-off rejection with a supposed Indonesian IP (which other IP info services confirm atm) and the IP is shown as owned by Three. I've had TunnelBear installed on this laptop ever since I bought it maybe a couple of years back. I really can't believe that it's anything to do with TunnelBear especially as you get a default 500MB per month and I'm showing that as available still.

    My best guess is that Three have bought and are using a new IP block and the geolocation information hasn't caught up although given the diabolical latency you see on 3G maybe they really do route the connection through Indonesia.
This discussion has been closed.