From Slashdot:

“A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the hacking tool, is planning to release it in two weeks.”

The solution is to set Permanent SSL in Gmail

1. Sign in to Gmail.
2. Click Settings at the top of any Gmail page.
3. Set ‘Browser Connection’ to ‘Always use https.’
4. Click Save Changes.
5. Reload Gmail.

Thank you for the kind words, it’s good to talk to someone who had the same problem.

I’ve been doing some extensive research the past two days and read some very strange and scary things.

I don’t know if I can use my email address in the future, most likely not. What remains is some fear and distrust.

I also don’t know if I stay with gmail, maybe I’ll switch to the allegedly more secure google apps.

Or I’ll abandon it completely… like so many others throughout the net.

Thanks,
Eddie

Try sending a damage control email to everyone it was sent to… you can see their addresses on the email in the trash bin, and you can apologize, and explain that someone hacked into your account but you’ve now changed the password, and at least some of them (the important ones) will understand.

I think hackers have tools that we can’t even guess at… it’s not just them randomly trying easy passwords, or knowing if we have one we use a lot — they can do it by analyzing keystrokes sometimes, and I’m sure there are a ton more ways they get access that it’s really hard to anticipate and prevent.

Changing the password should work for awhile, anyhow — maybe it’s good to regularly change it up?

cheers
Heather

This rises the question how did they get in?

I had a super easy pass that’s true, but is it so easy to hack?

Anyway, I hope it doesn’t happen again, for most of my contacts I’m a spammer now .

Eddie

Yes, I know how you feel — it was my business account too, which of course looks really bad!

I’m thinking it was a person because:

1) after I changed my password, it didn’t happen again, and
2) I ran numerous virus/worm/trojan removal programs, and they all came up blank.

Another weird thing happened that I only noticed yesterday (because I rarely look at the page in question anymore), but on my Success Unwrapped podcast page somebody changed ONE picture of ONE guest (out of over 60) to a picture of a guitar player in a cowboy hat.

I’m figuring if somebody actually logged in, why would they bother doing just that? So in that instance I’m suspecting some kind of bot through the online program.

cheers
Heather

The very same thing happened to me today.

Unfortunately it hit my business account. Needless to say that I’m devastated.

Have you found out more about the nature of the whole thing in the mean time? Was is a worm or a person?

Eddie

The forums are a little trickier, because they’re so vast at this point that it would take too much time to constantly be manually checking for spam posts.

But feel free to let us know if you see any so we can delete them… just go to http://lwlworldwide.com/support

At least people likely won’t get the idea that WE posted the porn in the forum; whereas when an email goes out from your account, it certainly does give the impression that the person it says it’s from is the one that sent it.

cheers
Heather

I went on to other subjects and I can’t remember which subject I was on when I saw it. I was assuming you probably do a cleanup on a regular basis. I was not offended but others could be.
Ross