Update: 3/28/11 07:52 PM Thanks to Rusty Hodge, who successfully figured out that it was Awayfind that was appearing to be the host from China. It opened an IMAP connection and never closed it, and thus wasn’t affected by my change of password. Problem solved!

About an hour ago, a friend saw a warning that his Gmail account may have had unauthorized access. Clicking “Details” at bottom of his Gmail screen showed access from China. We changed his password and a few minutes later, a new access from a China IP showed up on his details screen.

(Here’s a picture of where to find the “Details” link at the bottom of your Gmail screen.)

Out of curiosity, I checked my own Gmail account and clicked the details button at the bottom. It showed access from China, and access from other IP addresses I didn’t recognize. I changed the password, enabled Google 2-factor authentication, and then checked again. More unauthorized access after I changed my password and enabled the 2-factor authentication.

I changed my password to the 2-factor authentication at about 5:31 pm. You’ll notice that access from IP 67.223.xxx.xx stopped at around that point. I’m pretty sure that that is my Blackberry Internet Service polling my Gmail account to deliver my email(*). It stopped when I changed my password. But the China IP address didn’t. It was accessing my account via IMAP three minutes ago—even with a newly secure, 2-factor authentication in place.

During the time I’ve typed this, I’ve continued to see logins from China. No one but me should have been able to log in to Google after I changed my password and switched to the 2-factor authentication.

What the heck is going on?

(*) I think it’s Blackberry because as soon as I changed my Blackberry internet service password, the 67.223 addresses started showing up again.

My Gmail account hacked from China

read time: 1 min