Google employee spied at my gmail account

15 points by mgjdlsmvoerqp ↗ HN
Google employee spied at my gmail account and activated their 'unusual activity filter'.

What do I do with this? I have a proof. How do I present it to the public? Should I report it somewhere? If so, where?

Did they even had right to do this?

27 comments

[ 3.4 ms ] story [ 72.4 ms ] thread
What should I do before they deny me access to that gmail account? How to mirror that proof?
Set up email forwarding. Sometimes even if they suspend your account, new emails will still be forwarded. Also, make a backup of your current emails by setting up a desktop client (e.g. Thunderbird) over IMAP and let it download all your current emails.

As for proof: saved web pages, screenshots, copies of any communication you have would be helpful. There was one case I know of when someone at Google was spying on users' email, they took the case very seriously and fired him.

As for whether they have a right to: I'm sure they do. Anyone running any email server has the right to look at your emails for purposes of maintenance etc. From their privacy policy: We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

Are you sure an actual, living, human Google employee 'spied at your gmail'? Google states on their website what 'unusual activity' can mean:

http://support.google.com/mail/bin/answer.py?hl=en&answe...

Yes,

I've logged into my account and there was this 'Unusual activity detected' pop-up. At first I thought that someone stolen my password via a Trojan but I don't download anything and my software is up to date.

I've clicked at "more" (or something like that, I can't access the same menu right now) and it showed me the hostname and IP address of the unusual logon. The hostname was 1e100.net, I've checked it and it turns out its owned by Google.

Screen:

http://i.imgur.com/55kUM.png

The IP points to Mountain View and is also owned by Google.

Right now I only have access the list of previous logons and there are my logons and one with the Google IP:

http://i.imgur.com/nTlWg.png

When I check who owns the IP:

http://i.imgur.com/V8a8b.png

I can't access the previous menu which I could access via that security pop-up. Anyone knows how to go there?

I've blurred IPs and dates so they can't track which account it is.

Tell me how I can mirror the original data as proof.

> At first I thought that someone stolen my password via a Trojan but I don't download anything and my software is up to date.

You need a higher standard of evidence. A buffer overflow could root your computer.

Also, I don't believe that you've never downloaded anything - can you show us a screenshot of your installed software?

The login came from Google HQ - even if my PC was compromised, it wouldn't matter since gmail uses data from their data center not my PC.
Then why mention that your PC can't have been compromised?

You're making a big accusation, and I want to see some more evidence. You claimed never to have downloaded anything, which is unlikely to say the least.

1. Can you provide the screenshot of installed apps?

2. Also, let's see the full ip.

Because it was my first thought when I've saw the unusual login alert.

I won't show the full IP until I can mirror that report somehow.

How do you know the IP is from Google HQ? Google has free Wi-Fi in Mountain View, and it seems reasonable that those IPs would be somehow connected to Google.
The logins are often hard to grok if it's a third party API-level access. For example, I believe if you're using a mail plugin that uses App Engine, it will appear to have generated a login from a Google IP block.
I've only used this account via web browser. Never used App Engine.

Would Google service trigger the unusual alert?

i'm skeptical

http://support.google.com/bin/answer.py?hl=en&answer=174...

  1e100.net is a Google-owned domain name used to identify the servers in our network.
  
  Following standard industry practice, we make sure each IP address has a corresponding hostname.   
  In October 2009, we started using a single domain name to identify our servers across all Google 
  products, rather than use different product domains such as youtube.com, blogger.com, and 
  google.com. We did this for two reasons: first, to keep things simpler, and second, to 
  proactively improve security by protecting against potential threats such as cross-site  
  scripting attacks.
  
  Most typical Internet users will never see 1e100.net, but we picked a Googley name for it just 
  in case (1e100 is scientific notation for 1 googol)
it's their servers, not their workstations. could be a plugin, maybe something on app-engine? at least an access from 1e100.net isn't a proof of anything.
It may be they had a legitimate reason to do this (perhaps some suspicious outgoing volume, reports of abuse etc) but whether they'll ever admit this is the case is unknown. I worked at a big email provider and we'd VERY rarely log into customer accounts for anything other than support or abuse. In fact, I would hazard a guess that the only time it happened outside abuse or support was on an internal dev/test system to test updates etc.
Isn't email correspondence treated as a normal letter?

I've thought that The Fourth Amendment to the United States Constitution forbids any kind of mail eavesdropping?

This isn't the first time this would've happened. I remember there was a dude who got fired by spying on Gmail or Gtalk chat logs awhile ago.
(comment deleted)
Note: Google is also an ISP in some areas. It's possible someone on a public Wifi near Google's campus has hacked you.

It's like you're saying that "Comcast employee spied at your gmail account," because the IP came from Comcast.

So, continue being very concerned, but maybe not at Google's expense.

Also, if you don't already use Google Two-Factor Authentication, now might be a great time to start.

Maybe this, as well:

http://superuser.com/questions/75841/what-is-1e100-net-and-w...

This.

Mountain View has free city wide wifi sponsored by Google.

If somebody hacked into your a/c, they would do it, while being on a n/w belonging to somebody else, to try to cover their tracks.

My suggestion : send a detailed email to google/gmail support, with screenshots & times of access. They might be able to dig up gmail logs & correlate with gmail isp mountain view wifi logs.

Thinking about it more, I suspect the Wifi comes from a different IP block.

The more likely answer is that Google developers screwed up, and made some normal, authorized, server access look like a user-level, unauthorized access.

I still vote for upgrading to two-factor, and I agree with trying to get in touch with support at Google to have someone look at the logs.

Go ahead file a complaint with the police and make them get Google to divulge details of the users and take them to justice
You shouldn't be so quick to start lobbing accusations, Google employees can't just access emails and in cases they do, there are procedures in place, also they would be able to do so without triggering the "unusual activity" warning.

Here is a former employee discussing gmail access:

http://www.quora.com/How-many-Google-employees-can-access-Gm...

Incredibly skeptical. As an e-mail administrator going on 10 years, I'd be very surprised if Google needed to use a typical login process to review your mail. It makes no sense whatsoever.
Yes I'd think they can do it without triggering the 'unusual activity detected' alert.
How has HN become Google's customer support hotline recently? I understand their feedback mechanisms are lacking at times and that they're known to browse HN, but this is your problem.

If you have proof and they own up to a policy breach, and you deem it newsworthy by all means post a blog entry.

1e100.net identifies Google's servers, not their workstations, so I'd say it's far more likely that either:

A) You have some unidentified script accessing your account

or

B) You visited a web page that used an XSS attack to intiate some type of account access that you didn't authorize

Neither case implies that you intended this access to occur. Web-based email clients are suceptible to all the same security vulnerabilities as other web apps. In the case of B, it's even possible that the XSS attack was against some third-party service that is authorized to access your email. I know you've said you don't use any of these types of services, but you'd be amazed what you can forget :)

I'd start by looking at what apps you've authorized to access your information, and work backward from there. You can see which apps have access by visiting the page below.

https://accounts.google.com/b/0/IssuedAuthSubTokens

If you're not comfortable clicking the link, you'll want to look for the "Authorized Access" section of your Google Account page. You can get there by:

* Log in to your Gmail

* Click your name in the upper right

* Click "Account" in the pop-up

* Click "Security" in the list on the left

* Click "Edit" next to "Authorizing applications and sites"