
A colleague recently discovered that his personal Gmail account was compromised. Like many people, he had not cleaned out his inbox or outbox for years and used his Gmail for sending and receiving sensitive information. Soon after, he noticed login attempts on other online accounts as the attacker explored the trove of info just sitting in his account.
He changed his Gmail password and enabled two-factor authentication, but the attacker retained access and continued searching his email for valuable data, opening, sending, and deleting emails in real time. Confused and worried, he reached out for help.
Initially, we suspected the PC he used to access his email might be compromised, which could explain how the attacker was able to bypass password changes and two-factor authentication (2FA). When we learned he accessed both work email and Gmail through Outlook, it became clear what had happened. We advised him to check his main Microsoft account linked to his office apps, including Outlook. When he tried logging in, it failed because the attacker had already changed the password and set up their own 2FA. Unfortunately, we had to inform him that the intruder had gained access to his work email as well as his personal Gmail.
Because the Outlook client retains cached credentials or a persistent connection, it can maintain email access even after a password change. It took another day to regain control of his Microsoft credentials, force a sign-out from all devices, and re-secure his email, but by then, both personal and work emails had likely been extensively mined for sensitive information.
I could hear the fear in his voice as he realized the volume and sensitivity of the emails and document attachments that may have been accessed. We had to advise him that after such an exposure, there is little to do except reset all his other account passwords, enable two-factor authentication wherever possible, and monitor the dark web for leaks. Good security cannot undo what happened, so the lesson learned is to improve practices going forward.
We created GetSafeDocs.com as an alternative to insecure email. GetSafeDocs provides encrypted transmission, storage, and tracking of your sensitive information. Just as important, it gives you full control over how long your material remains accessible using custom expiration settings. You can see exactly who accessed your documents and when, and you have the power to delete or update your files even after hitting send. Avoid sending or receiving sensitive information using insecure email; this seems obvious but is often overlooked until it is too late.