/mail/community?hl=en
/mail/community?hl=en
5/16/10
Original Poster
Waka713

Anyone's accounts being accessed from China?

I found that my account was either being spoofed or was hacked into. I kept receiving rejected emails that I never sent.

I checked the "Last Activity" details and found there was an IP access from China, which would have no connection to me whatsoever.
123.6.239.30

I went to http://www.ip-adress.com/whois/ to lookup the IP address and was provided with this information:
123.6.239.30 server location:
Dangan in China
123.6.239.30 ISP:
China Unicom Henan province network

Searching Google, found another user with the same issue
http://www.neowin.net/forum/topic/901316-my-g-mail-account-has-been-comprimised/


Can Google seek remedial action from this China Unicom Henan network to stop this madness, assuming the provided information is correct?
Community content may not be verified or up-to-date. Learn more.
All Replies (12)
bkc56
5/16/10
bkc56
If your account has been compromised/hacked/stolen you will need to check and fix at least all of the following settings.

But first you need to check the bottom of the Inbox and make sure your account is not open at any other locations.  If it shows additional locations, open the Details window and "Sign out all other sessions".

Account Security:
Settings -> Accounts and Import -> Google Account Settings -> Change Password [pick a new secure password]
Settings -> Accounts and Import -> Google Account Settings -> Change Password Recovery Options [verify secret question, SMS and recovery e-mail address]

Potential Spam:
Settings -> General -> Signature [make sure nothing as been added]
Settings -> General -> Vacation Responder [make sure it's disabled and empty]

E-mail Theft
Settings -> Accounts and Import -> Send Mail As [make sure it is using your correct e-mail address]
Settings -> Filters [no filters that forward or delete e-mail]
Settings -> Forwarding and POP/IMAP -> Forwarding [disabled or correct address]
Settings -> Forwarding and POP/IMAP -> POP Download [disabled]
Settings -> Forwarding and POP/IMAP -> IMAP Access [disabled]

Additional Information
Keeping account secure:  https://mail.google.com/support/bin/answer.py?hl=en&answer=46526
Protecting your account:  https://mail.google.com/support/bin/answer.py?hl=en&answer=29407
More account security info:  http://www.google.com/help/security/
If your account is compromised:  http://mail.google.com/support/bin/answer.py?hl=en&answer=50270
Someone using your address:  http://mail.google.com/support/bin/answer.py?hl=en&answer=50200
Google Employee comments:  http://www.google.com/support/forum/p/gmail/thread?tid=560d53dee40be5e6&hl=en&start=70
kyle989z
5/16/10
kyle989z
This happened to me on May 12th there were two different IP addresses from china but the only one showing now is 
UnknownChina (61.153.7.154)May 12 (4 days ago)
Bobjoe727
5/20/10
Bobjoe727
Same thing happened to me on May 10th and 11th.
SuperDLS
9/10/10
SuperDLS
This just happened to me on Sept 8th AND Sept 6th...  Can Google do anything to prevent this (aside from the settings listed above).  Obviously I AM NOT IN CHINA....
salvadorhol
9/16/10
salvadorhol
Today I log in and got the alert that my gmail was access from china. Today is September 16, 2010. On the account activity details, it says my account was accessed on September 9, 2010 by someone in China with the following IP: 123.154.13.61. 
Why did gmail wait 7 days to alert me? 
Maybe the folks at Google can create a setting to block IPs from countries or states that you know you will not be traveling too. 
sswartzl
9/27/10
sswartzl
This just happened to me a few minutes ago.  I generally send mail via this account using IMAP from Mac Mail, but today I used the web interface.  As soon as I logged in, I was prompted to provide a cell number as a new password recovery option.  I provided one, and I see that it's listed on the settings page.

Right after I logged in, I sent one message, and then saw the warning about multiple IPs using the account.  The other one was  China (115.49.94.57).

I will follow the steps above, but I'm not seeing how this was hacked, unless Google's site itself has been compromised in some way. 
buronga
11/18/10
buronga
I've changed my password and checked all, as above (nothing had been changed). How can I stop this happening?
Does gmail actually do anything about this? They haven't put any information into this thread. I'm not happy that my security has been invaded in this way. I am happy there was a message on my account to let me know when I logged in. Is changing passwords the only advice gmail give?
bkc56
11/18/10
bkc56
Is changing passwords the only advice gmail give?

No, there's the full checklist (posted above, and with more detail here:   http://knol.google.com/k/the-c-man/how-to-recover-a-hacked-or-compromised/3p9k5zywla4ku/7?pli=1#When_you_reclaim_Your_Account )

But the BIG question is how they harvested your password in the first place.  Did you use a computer infected with a keylogger or other malware.  Did you get tricked with a phishing scam?  Did another web-site you use get hacked and using a common password allowed them into your GMail account.

Until you fix that issue, your account is open to be compromised again.
buronga
11/18/10
buronga
Thanks bkc56.
I did look at the advice above and all was as it should be.
I only use a computer at home and work (a school) so that will limit keylogger/malware activity (I'm very careful with what I download/open). I guess the only (?) option is the other website and common password route.

I'll take more care though and see if that fixes things.
buronga
11/23/10
buronga
I've just realised that after having my account accessed from China and changing my password (not sure which has caused it) that I have no contacts left at all with my account. Has this happened to others? Why would it have happened?
bkc56
11/23/10
bkc56
Why would it have happened?

Because the person who compromised your account deleted them.  Hackers often delete contacts, e-mail history, and often the entire account.  That's why having your own backups are so important, so you can recover from a compromised account.
ropenstein
2/27/11
ropenstein
Here's a theory. I was googling this topic and found a site with a gmail logo and sign in, but the URL was google.rs not google.com. Is this a phish?
http://www.google.rs/support/forum/p/gmail/thread?tid=4993bd97e7e124f5&hl=en
Were these replies helpful?
How can we improve them?
 
This question is locked and replying has been disabled. Still have questions? Ask the Help Community.

Badges

Some community members might have badges that indicate their identity or level of participation in a community.

 
Expert - Google Employee — Googler guides and community managers
 
Expert - Community Specialist — Google partners who share their expertise
 
Expert - Gold — Trusted members who are knowledgeable and active contributors
 
Expert - Platinum — Seasoned members who contribute beyond providing help through mentoring, creating content, and more
 
Expert - Alumni — Past members who are no longer active, but were previously recognized for their helpfulness
 
Expert - Silver — New members who are developing their product knowledge
Community content may not be verified or up-to-date. Learn more.

Levels

Member levels indicate a user's level of participation in a forum. The greater the participation, the higher the level. Everyone starts at level 1 and can rise to level 10. These activities can increase your level in a forum:

  • Post an answer.
  • Having your answer selected as the best answer.
  • Having your post rated as helpful.
  • Vote up a post.
  • Correctly mark a topic or post as abuse.

Having a post marked and removed as abuse will slow a user's advance in levels.

View profile in forum?

To view this member's profile, you need to leave the current Help page.

Report abuse in forum?

This comment originated in the Google Product Forum. To report abuse, you need to leave the current Help page.

Reply in forum?

This comment originated in the Google Product Forum. To reply, you need to leave the current Help page.