7/19/15
Original Poster
Mike Silverman

Search Console Account Hacked

So this happened... No idea who the heck this guy is. Went in to my FTP, sure enough, there the file was. I deleted it, reverified with a new file, changed the FTP passwords and Google passwords.

How can I get Google to shut down this dude's account for hacking? This was clearly targeted since he went after both the website and the Google console...


To: Owner of http://XXXX.biz/

Google has identified that joseph...@gmail.com has been added as an owner of Search Console account for http://XXXX.biz/.

Search Console owners have the power to change critical settings that influence the way Google Search interacts with your site or app. Be sure that only relevant people have this access, and that they are removed when they no longer need this access.

What you can do next:

Review the list of owners

Make sure that everyone listed should belong to the list of owners. If not, you can remove users by going to the Users and Site Owners page.

Use our help resources

Read more about Managing Multiple Users and their permission levels.
See the Verification Help Center.
Ask questions in our forum for more help - mention message type [WNC-582900].
All Replies (9)
Pedro
7/18/15
Hi Mike,

So it's not that your Search Console Account was hacked, but more that your site/server was hacked or accessed by someone that got hold of your access credentials.

Make sure you change your access and there aren't other users with access. Check for other registered user accounts for example and act appropriately.
Obviously you should be equally cautious about sharing any access credentials to your Google account. Make sure you didn't share your password with anyone and that you didn't log in to your account on a shared computer or a friend's computer.

Good luck
travler.
7/18/15
Hi Mike

Here are the steps I usually suggest when this happens:


Often this message about new verified owners for your site is the first warning that there is a hack somewhere.
    1. Check your computer/s and other devices for keyloggers.
    2. Remove this new verified owner per the link below and remove the verification method that was used. See https://support.google.com/webmasters/answer/2454036?hl=en and scroll down to the text in red type on that page.
    3. Change all passwords, for Google Accounts, server/hosting, and domain registration.
    4. If you use Google Apps, limit verification to your company's domain (by disabling the Google Apps account, their webmaster tools access will be blocked too).
    5. AND for good measure, report the hacking gmails to Google at https://support.google.com/mail/contact/abuse?hl=en

On Saturday, July 18, 2015 at 9:43:51 AM UTC-4, Mike Silverman wrote:

So this happened... No idea who the heck this guy is. Went in to my FTP, sure enough, there the file was. I deleted it, reverified with a new file, changed the FTP passwords and Google passwords.

How can I get Google to shut down this dude's account for hacking? This was clearly targeted since he went after both the website and the Google console...


To: Owner of http://hsgear.biz/

Google has identified that josephig6aef@  gmail.com has been added as an owner of Search Console account for http://hsgear.biz/.

Search Console owners have the power to change critical settings that influence the way Google Search interacts with your site or app. Be sure that only relevant people have this access, and that they are removed when they no longer need this access.

What you can do next:

Review the list of owners

Make sure that everyone listed should belong to the list of owners. If not, you can remove users by going to the Users and Site Owners page.

Use our help resources

Read more about Managing Multiple Users and their permission levels.
See the Verification Help Center.
Ask questions in our forum for more help - mention message type [WNC-582900].
7/19/15
Original Poster
Mike Silverman
Pedro - Correct. I've remediated the issue on the web server and removed his verification file. I've also clamped it down and whitelisted only my IPs to log in there. I suspect it was a hijacked account from an old webmaster.

travler - Solid insight! Reported and hopefully the Google overlords will handle.
7/19/15
Original Poster
Mike Silverman
So it happened 2x more overnight. I've reviewed all the logs on my end and the audit trails show it wasn't my account that was compromised - the only actions in the server FTP that I can see are the ones I've done. I'm working that with the hosting company now.

How do I lock down my Webmaster Tools to ONLY ME? I want to have a "verify with me before adding an owner" level of clamp down.
Pedro
7/19/15
Mike,

Any user can have a Search Console account which in turn generates a different string for a website (in case of meta-tag or TXT Record verification). For example, me and you can both verify one website with a meta-tag string, but both strings will be different. This doesn't mean I had access to your console. Can you check which method is being used to verify this other user?

The issue lies as long as there is an open attack vector to your website. You must find out where this exploit is and patch it.

There is no way to lock Search Console to "only you", since only you should have access credentials to your account. If someone else has the password to your Search Console you may have a bigger problem, because likely they can read your emails too.
7/19/15
Original Poster
Mike Silverman
Pedro - 

1. An HTML verification file is being placed on my server in the root directory. I am not placing it there, and it's not being placed there using my FTP account. The hosting company is trying to figure out what login is doing that. Since it's not being placed using my credentials, it's highly unlikely my machine is the source of the access. 

2. I get a notice from Google Search Console that the hacker's email address has been added as an owner on the site in the search console. This happens, logically, after they've placed the HTML verification file on my web server. It's taking on average 45 minutes - FTP upload, verification in Search Console, I get an email.

3. When I get the notice, I go in and delete the HTML file from the web server, change my FTP password (have done this from different computers to eliminate key loggers as an option) and then remove them as an owner in my Search Console.

So the questions seem to be:

1. My web host needs to clamp the server upload down. That's priority 1.
2. Can someone claim the site in their own Webmaster Tools using the verification file without access to my Search Console?

It would seem if someone can claim my site without having the second factor of both my FTP and Search Console passwords, that's a poor practice. All you have to steal is one set of creds and you can take over someone's Console.
Pedro
7/19/15
2. Can someone claim the site in their own Webmaster Tools using the verification file without access to my Search Console?

Yes! As long as they have access to your server in some way that's still exploitable.
redleg -
7/19/15
From time to time I see hackers add a backdoor to the site that allows them to "create" a verification file. It can be real tough to find if that is what has been done. There are some tips on finding a backdoor at http://aw-snap.info/articles/find-backdoor.php The one I see used a lot with verification files is the "multi-part" form one, you can usually spot that one in the access logs by checking for the POST data.

In all the cases I have seen where a backdoor was added the site was also hacked with some sort of spam hack, they are not going to add a backdoor just to keep verifying the site. 
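Added example (not part of the thread or of any participant's post): a Python check for the situation discussed above. It lists HTML verification files in the web root that the owner did not place, then pulls the successful POST requests logged shortly before the file's modification time, following the access-log tip. The combined log format, the 10-minute window, and all file names, paths and IPs are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

VERIFY_RE = re.compile(r"^google[0-9a-f]+\.html$")  # name used by HTML-file verification
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def unexpected_verification_files(web_root, allowed):
    """Verification files in the web root that are not on the owner's allowlist, with mtime (UTC)."""
    found = []
    for p in Path(web_root).iterdir():
        if p.is_file() and VERIFY_RE.match(p.name) and p.name not in allowed:
            found.append((p.name, datetime.fromtimestamp(p.stat().st_mtime, timezone.utc)))
    return sorted(found)

def posts_before(log_lines, file_time, window=timedelta(minutes=10)):
    """Successful POSTs logged in the window before the file appeared, as (ip, path)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed combined log format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and status.startswith("2") and file_time - window <= when <= file_time:
            hits.append((ip, path))
    return hits

# Constructed sample data: documentation IPs, made-up paths and file names.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jul/2015:03:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jul/2015:03:14:40 +0000] "POST /images/cache.php HTTP/1.1" 200 31',
    '198.51.100.7 - - [19/Jul/2015:05:00:00 +0000] "POST /contact.php HTTP/1.1" 200 210',
]

def demo():
    with tempfile.TemporaryDirectory() as root:
        dropped = datetime(2015, 7, 19, 3, 15, 0, tzinfo=timezone.utc)
        for name in ("google0123456789abcdef.html", "googlefedcba9876543210.html"):
            path = Path(root, name)
            path.write_text("google-site-verification: " + name)
            os.utime(path, (dropped.timestamp(), dropped.timestamp()))
        rogue = unexpected_verification_files(root, {"google0123456789abcdef.html"})
        return rogue, posts_before(SAMPLE_LOG, rogue[0][1])

if __name__ == "__main__":
    print(demo())
```

A script that receives a POST just before an unknown verification file appears is the first place to look for the backdoor; file modification times can be altered by whoever has write access, so treat the correlation as a lead rather than proof.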
Bonedaddio
8/28/15
Wow. Pretty much the same thing happened to me. I reaaaallly appreciate Pedro Diaz explaining that ANY user who can hack into my server can place the verification file and become a New Owner, from THEIR OWN SEARCH CONSOLE!!
At least now I know the vulnerability is coming from the hosting company! They admitted as much, but claimed to have the problem solved. This is the 3rd time now. This was a good discussion.