
FAIL: 20K+ Gmail, Yahoo, AOL Accounts hacked? Perfect for iNotes

by Bilal Jaffery on October 6, 2009 · Comments

in Google,IBM

Are you kidding me? This cannot be real. How can you rely on the cloud when the whole notion of security is a joke? I wonder how users will be able to get their accounts back. Customer service for Gmail is pretty non-existent. You pray that your account never gets disabled. Otherwise, you might need to put up a high-profile public blog post asking for help. Feasible for a business account? I think not.

Earlier this year, Twitter's CEO's personal files were leaked after someone got into his Google Apps account and gained access to everything, from his personal emails to corporate files. And now this?

Mashable reported earlier today:

It was revealed that 10,000+ Hotmail accounts were compromised and all of the usernames and passwords of these accounts were posted online. It was a major security and scam issue, but it was thought to only affect Hotmail users. Unfortunately, Hotmail was only the beginning. Google has now confirmed that thousands of Gmail accounts were compromised by an “industry-wide phishing scheme.” According to the BBC, the login data of over 30,000 Hotmail, Gmail, Yahoo, AOL, Comcast, and Earthlink accounts have been posted online.

Back to my point: if you want to rely on the cloud for confidential data, make sure you are relying on a service that can give you peace of mind around security, price and reliability. Make sure you have an IT policy in place that protects you from user mistakes as much as possible. Have a contingency plan, maybe an in-house solution like Lotus Foundations for SMB needs.

We cover both areas. Cloud and In-House.

This presents a great opportunity for iNotes to highlight its current advantages and gain market share.

Nonetheless, here's to FAIL.

Update: 10/07/2009 – One of my family members just informed me that he received an email from Google indicating that his Google account was compromised and that they've updated his password. Mind you, this guy is a web developer, manages portals and is tech-savvy enough to know whether a site is a fake phishing site or not. Ironically, he doesn't even use Gmail; it was his Google AdWords account. There's more to the story here and this is an ultimate Google FAIL.

  • Update: It appears that it might not even be just the phishing attack. I've updated the post to reflect my family member's experience with his Google account (not even Gmail).
  • Roger M
    I agree - in this day and age a service provider must account for user mistakes. Google should've been able to detect a phishing attack and unauthorized access from an unknown, presumably suspicious IP network.

    FAIL indeed.
  • John R Lewis
    I agree with Bilal's statement that Google isn't the only player in this game. It is good to highlight other options.

    To the naysayers -- when Google launched its LeavingLotus campaign, many highlighted Notes problems and reasons to move from older versions, etc., when most of the UI frustrations have been associated with older versions of Notes.

    In this case, the post IS just highlighting what Google is not - a 100% guaranteed stable service. The market perception surely tells us that Google is GOD.

    We can't be blind to this...Hotmail, Google or any other public service. Keep it UP!!

  • IdoNotes
    While that whole scenario sucks, I am not sure where LotusLive iNotes is any different, being based around the same model of ASP-mode email systems. It will soon be obvious who has mail hosted on the LotusLive platform due to the DNS name presented on received mail. Won't it be open to the same types of attacks?

    The issue revolves around bad passwords, link clicking and other forms of attempts to get into accounts.

    I did a screencast today on registration, the UI and what to expect on LotusLive iNotes.
    http://www.IdoNotes.com/IdoNotes/IdoNotes.nsf/dx/IdoNotesEpisode67.htm
  • Thanks Chris.

    Scenario does suck, and my point for posting this was to make people realize that Google isn't the only choice and it certainly isn't the safest. Google is typically credited with better-than-industry-standard security for web services.

    I wasn't surprised by Hotmail's attack, but Google's.

    I'm sure someone's gotta be able to figure out when over 20K accounts are being accessed within a short period of time from a similar IP range?

  • IdoNotes
    I was just reading into your comments like Mike did above. The hint was that this scenario would never have happened in the LotusLive offerings.

    "Back to my point, if you want to rely on cloud for confidential data, make sure that you are relying on a service that can provide you with a peace of mind around security, price and reliability."
  • Of course. So if you are going to make a cloud choice, make a wise one. Google isn't the only player in the market anymore.

    You don't pick the dark alley in the worst neighborhood to park your car, and you certainly don't choose a service that is under attack constantly. Lately, Google hasn't been as stable as it claims to be.

    Especially when you are talking about enterprise accounts. Standards are higher in this segment.

  • Massad
    What can we do to protect our data on cloud networks like Google email then? Is there anything at all we can do?
  • 1) Don't rely on 'one cloud' for everything. That causes problems, e.g. Twitter's account getting hacked.

    2) If you are conducting business over a free channel, it's time to start evaluating the value of the data and what happens when it's lost.

    3) Google is notorious for poor customer service, even from the sales aspect. My experience with dealing with Google/YouTube's corporate side to give them a sale has been horrendous. So I can only wonder what happens when it's your Gmail account that has been compromised.

    4) My advice: set up a client on your desktop and sync email, so you have access to it at all times. Maybe even use POP3 to get it off their server ASAP? Thoughts?
  • Mike Lazar
    Hmmm...while I agree LotusLive is solid and I love what I've seen, this breach isn't a problem with the inherent security of Hotmail, Yahoo, or Google. This is ignorant people doing dumb things. The same phishing scam would compromise LotusLive, Microsoft Online, or any other account. You can't protect people from their own stupidity if they try hard enough to be dumb.
  • Of course, that is the number one reason for any security breach.

    But it comes down to relying on one account for everything. Maybe OpenID/Facebook Connect aren't the solution to everything? Maybe we should go back to what we did best: separate your business account from your personal one?

    The more popular the service is, the more prone it will be to hack attempts. Gmail is a consumer service first and then a business solution. If you are going to rely on a consumer-facing site for business transactions, good luck.

    Same notion as the Mac vs PC debate. Yes, the architecture is much stronger, but give it a few more years to gain serious market share; viruses and backdoors are already popping up for Mac OS. I wonder if they can continue with their current ad campaign.

    Best advice would be to implement policies so that user mistakes are not the reason for your security breach. Maybe also invest in an in-house backup for data and don't let it all be in the cloud.

    Not until it has proven to be a reliable solution. At least iNotes is designed around security and reliability. The backend is based on Outblaze, which has been providing "cloud" since before it became a buzzword.
  • So you claim this news is perfect for iNotes, but then admit that this is a case of users getting phished, not some direct breach of Google/Hotmail/etc.

    How, exactly, is this anything other than a bunch of people getting fooled into giving away one or more sets of login credentials? How is iNotes immune if it's accessible over the internet? How is any service that's not locked inside a firewall immune?

    Also, I seem to recall that the Twitter CEO's problem was using the same password for multiple services. This is exactly the OPPOSITE of the problem you seem to be trying to tie to OpenID/Facebook Connect: once the WEAKEST service is compromised, every other service where the person used the same name and password is as good as got. The idea with centralized authentication is having one well-protected and user-recognized place to enter credentials instead of having dozens.

    The technology surrounding most of these authentication and login systems is strong (strong encryption from browser to server, expert design of internal controls to protect user data, etc.). The human is the weak link (phishing, weak password choice, credential reuse, etc.).
  • It's perfect for us because of its potential for growth. Easy as that. Just like Windows problems allowed Apple to take market share. Not because Apple is 100% safe, but because it had potential for growth.

    Google should've been proactive about detecting a hack pattern. They didn't because they have a bigger plate to focus on. Consumer/Enterprise etc.

    I still haven't had to deal with trojans or viruses on my PC in over a decade or more. But does that help with Apple's marketing? Of course.

    Not defending Microsoft but same point.

    (http://www.tgdaily.com/content/view/43267/108/) He was using Gmail.

  • From the original BBC article it sounds to me like Google WAS proactive, once they discovered the phished credentials:

    http://news.bbc.co.uk/2/hi/technology/8292928.stm

    Is your contention that Google's security is undermined by its success? Do you believe that minority players who are less juicy targets are safe from phishing? If so, how do you support that belief in the face of spear phishing attacks?

    Scammers target individual companies these days. There is no security through obscurity.

    I don't see how the original blog post is justified unless iNotes or LotusLive have somehow eliminated phishing altogether. If they have, then the world is an unexpectedly better place today.

    Assuming they haven't (and I'd love to be wrong), I'm left with the impression that the point of the post was that the story will add to a negative PERCEPTION of the incumbent providers that could be exploited by ignoring the fact that human weakness was at fault. While this may be defensible from a "we want to make sales" point of view, it's not what I'd call objective truth.

    I'm not here to promote Google or denigrate IBM. I'm just arguing that the tone and content of this post doesn't seem to me to jibe with the harsh realities of security in a wired world.

    http://arstechnica.com/old/content/2006/07/7237.ars

    Bad people want your data, pure and simple.
  • Great points. However, the intent of the post was to highlight choices in this space, especially from an enterprise perspective. I do surely hope that business accounts have policies in place to detect unauthorized access.

    I was impressed with eBay recently due to the fact that they were able to detect 'my normal network' vs 'where I logged in from' when I was about to post something for sale.

    I understand the issues with 'cloud'. However, it is unfair to just remain quiet about a significant hack attempt within the Google cloud. 20K is a public figure, not the actual amount.

    Mashable highlighted it. I only referenced their post.
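Two of the commenters above describe, in words, checks a provider could run: flagging when "over 20K accounts are being accessed within a short period of time from a similar IP range", and eBay's "my normal network" vs "where I logged in from" comparison. The block below is an added example written for this page, not code from the post, its commenters, Google or eBay; the log format, field names, the /24 network grouping and the thresholds are assumptions chosen for illustration, and the log lines are constructed test data.

```python
"""Two login-anomaly checks over constructed auth-log lines (added example).

Assumed log format (one event per line):
    <ISO-8601 UTC> login user=<name> src=<IPv4> result=ok|fail
Both detections work only on successful logins: a password dump that is
being replayed produces *successful* logins from addresses the victims
never used, which is exactly what these checks look for.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

def parse_line(line):
    """Return a dict for a well-formed event, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        # Group by /24 so neighbouring addresses count as the "same network" (assumed granularity).
        "net": ipaddress.ip_network(f"{m['src']}/24", strict=False),
        "ok": m["result"] == "ok",
    }

def new_network_logins(events):
    """The 'not my normal network' check: a successful login from a /24 the account
    has never been seen from before, once the account already has some history."""
    seen = defaultdict(set)
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            continue
        if ev["user"] in seen and ev["net"] not in seen[ev["user"]]:
            flagged.append((ev["user"], str(ev["net"]), ev["ts"]))
        seen[ev["user"]].add(ev["net"])
    return flagged

def credential_stuffing_bursts(events, window=timedelta(minutes=10), threshold=5):
    """The 'many accounts from a similar IP range' check: a /24 that successfully
    logs into >= threshold distinct accounts within a sliding time window."""
    per_net = defaultdict(deque)   # net -> recent (ts, user) pairs inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            continue
        q = per_net[ev["net"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()               # drop events that fell out of the window
        users = {u for _, u in q}
        if len(users) >= threshold and ev["net"] not in alerted:
            alerted.add(ev["net"])    # one alert per network, not one per login
            alerts.append((str(ev["net"]), len(users), ev["ts"]))
    return alerts

# Constructed sample log: two days of normal use, then a burst from 203.0.113.0/24.
SAMPLE_LOG = [
    "2009-10-03T09:00:00Z login user=alice src=198.51.100.20 result=ok",
    "2009-10-04T09:05:00Z login user=alice src=198.51.100.21 result=ok",
    "2009-10-04T09:06:00Z login user=bob src=192.0.2.5 result=ok",
    "2009-10-05T22:00:00Z login user=carol src=192.0.2.77 result=fail",
    "2009-10-06T03:00:00Z login user=alice src=203.0.113.17 result=ok",
    "2009-10-06T03:00:30Z login user=bob src=203.0.113.18 result=ok",
    "2009-10-06T03:01:00Z login user=carol src=203.0.113.19 result=ok",
    "2009-10-06T03:01:20Z login user=dave src=203.0.113.17 result=ok",
    "2009-10-06T03:02:00Z login user=erin src=203.0.113.40 result=ok",
    "this line is not an auth event",
    "2009-10-06T03:02:45Z login user=frank src=203.0.113.41 result=ok",
    "2009-10-06T03:03:00Z login user=grace src=203.0.113.9 result=fail",
]

def analyse(lines):
    """Parse the lines and run both checks; returns a dict of results."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {
        "events": len(events),
        "new_network": new_network_logins(events),
        "bursts": credential_stuffing_bursts(events),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

In the sample data the per-account check fires for alice and bob (both have prior history from other networks) but not for carol, dave, erin or frank, whose first successful login is the suspicious one; that gap is why the second check exists, since a stuffing run against fresh accounts only shows up as a cluster of distinct users from one network in a short window.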
  • Mike Lazar
    I can't agree with that, and judging by the other responses here, I think people are seeing it similarly to me. I would say Google's anti-phishing is on par with anyone's. Again, this was dumb users. As for your plan, I don't see how that's a good play, or relevant. Google is not a dominant player here, on the lines of Microsoft with the desktop. Microsoft is the target because of their 90% market share and hundreds of millions of PAYING customers. GAPE is nowhere near those figures.

    Are you saying that LotusLive is the choice to make because you have minimal market share now and aren't planning on doing better? If it took off, you'd become the target, and the more users, the more dumb people, and the greater the chance that something like this phishing scam could hit that many users. Out of the millions of GMail, Yahoo, & Hotmail accounts, 20k got compromised. That doesn't seem too bad to me when you figure it had EVERYTHING to do with the people, and virtually NOTHING to do with the provider. Again, I think you make some good points on being safe and what to do. I don't agree with your analysis that the problem lies within these particular clouds. The problem lies within the habits of the users.
  • Mike - If you look at the post, I am merely highlighting that it's a perfect opportunity for someone to consider anything besides Google. I agree with your point that the user is to blame, but I'm sure this is something engineers will be taking back to the drawing board. Like the article mentioned, Google is looking into it, so my assumption is there is data that can be analyzed to detect 'hits'.

    My fear lies with the fact that you shouldn't mix consumer with enterprise requirements. Like you mentioned, 'habits of the user' is the main problem here.

    The way I behave with my personal gmail account is definitely not the way I deal with my IBM account.

    The point was to highlight that there IS a choice and a choice worth considering (according to the industry analyst reviews).

    This post is attracting considerable traffic and it was written to spark a discussion. This is a 2 way discussion. Certainly not Bilal's monologue.

    Thanks again for your insight. Appreciated.


  • Mike Lazar
    OK...but your original point was hinting that these other solutions are not secure because of these breaches. The fact is, they may or may not be any more or less secure than LotusLive. In these cases, the people were the weak link. And LotusLive is looking to get people to move their data into the IBM cloud for many applications, just like the others. So in the perfect Lotus world, customers would have email, docs, CRM, etc., up in this cloud. You're saying not to rely on one account, but isn't that the goal here of LotusLive? Anyway, all I was saying is that your post is somewhat misleading. The issue you reference here is all about dumb users. Sure, put policies in place, but people will do amazingly stupid things that render your best policies moot. As long as people are exchanging data, this is a risk. LotusLive is not any better or any worse at mitigating stupidity. It is possibly better for reliability, scalability, functionality, etc...but in the case you cited, it would not have fared any better than Google, Hotmail, or Yahoo.
  • The post talked about 20K Google accounts breached, which was reported earlier. The problem lies with using a service that is being heavily targeted.

    There are measures in place in our solution which emphasize 'security'. I can't go into specifics but enough work has been done to avoid situations like phishing, security policies are more aligned with in-house data storages etc.

    No solution will ever be 100% safe. However, as a consumer, if you are paying for a service, you do need to consider these factors.

    There is nothing misleading here. ;) If Google can spin their LeavingLotus activity, heck, I know we can do a better job to highlight our success and strong points.

    IBM is known for our strong security architecture. Heck, maybe we have been focused on that aspect alone for a little *too* long. I can assure you that we didn't just load up a webmail server and launch the service.

    Great points though, and that was the point of the whole post.



This blog does not represent IBM opinion.