Google told me my account’s been hacked by government-backed attackers–should I freak out?
When you’re told “government-backed attackers may be trying to steal your password”, your first instinct may be to totally panic.
That’s it. Time to change your name, hit the road and never look back.
Slow down. Here’s what those warnings actually mean.
Google explains it sends these messages to let you know a sophisticated hacker trying to use phishing, malware, or some other crafty maneuver to gain access to your account. Many journalists and academics receive these alerts, but getting a warning doesn’t mean you’ve been hacked, or that there’s any kind of widespread attack.
Better safe than sorry
If there’s even an inkling of suspicion that an account has been compromised, Google jumps on it. According to Shane Huntley, a member of Google’s Threat Analysis Group, “The notice reflects our assessment that a government-backed hacker has likely attempted to access the user’s account or computer through phishing or malware, for example.”
If you’re curious about the details of the possible attack, well, you’re going to stay curious.
Google tends to not give out any specifics about the attack, the parties associated with it, whether it was successful, or whether it even happened at all.
The warnings are not even always in real-time.
This isn’t to keep you on your toes; rather, it’s to prevent hackers from learning how they were detected to keep them from changing their tactics. If they try a new approach next time, Google might not be able to warn you.
So what should you do instead of panicking?
While a warning does not necessarily mean you’re in danger, you should still take it seriously. Google recommends thoroughly securing your account, and offers several steps to do so. Their Security Checkup lest you see all the devices and apps with access to your account, and double-checks your account recovery method.
Security is a top priority for Google, so they have even more advice to help high-risk users safeguard their accounts:
Keep your software up-to-date. It’s tempting to constantly select “Remind me tomorrow”, but just suck it up and restart that bad boy. It’s for your own good.
Set up 2-step verification on your account. Your second step could be a text message code, or for maximum security, download Google’s Authenticator app or use a Security Key.
Install Chrome’s Password Alert, or a similar browser extension that gives you a heads up when your password is entered on a sketchy login page
General account safety best practices
Make sure the email address of the sender is someone you actually know and can trust. Look at it closely in case it’s just someone with a similar address pretending to be your pal.
Steer clear of any links or PDF downloads if you’re skeptical of the sender.
Encrypt your email. This is a little tricky but it’s a good idea if you’re sending sensitive information or documents.
Haven’t received one of a scary warning yet?
Join the club. Less than 0.1 percent of users receive them. That doesn’t mean these security steps don’t apply to you–everyone should heed Google’s advice. No need to be paranoid, but also no need to skimp on safety.