About a month ago I received an email from Blizzard Entertainment stating that a new World of Warcraft account had been started using my personal Gmail address. Someone with the user name of "Zhang" was hoping to do a little night elf adventuring using my data. I got on the phone with Blizzard right away, and they cancelled the account faster than you can say Orgrimmar.
"Oh yeah," the Blizzard rep added, "you might want to change your Gmail password." I realised at that point that I'd been hacked, just like high-ranking US officials were in June and, just now, Iranian citizens have been.
There was a moment of horror as I realised what kind of private data someone with access to my account could find about me.
For many of us, a Gmail password is not just a Gmail password. It's a passport to our Google Docs account, our AdWords campaigns, our personal Google calendars, and more. That's not to mention access to Gmail itself, through which someone can find tax returns, private email conversations, and other data to pull off identity or credit card theft. If you are using Google business apps, you risk damage to your company if staff members' accounts are insecure.
Luckily, Google has a vested interest in keeping your information as secure as possible. Follow Google's own Security Checklist for concrete steps to put your Google Account on lockdown, and pay special attention to the advice below.
1. Check for third-party and updated browser extensions
Checking your browser for plug-ins, extensions, and applications that may have access to your Google account is a step that merits special attention, particularly because Google doesn't tell you how to do this.
Internet Explorer - This support page on Internet Explorer tells you how to disable browser helper objects in IE. If you want to disable third-party extensions entirely, click Tools, Internet Options, Advanced, and uncheck the "Enable third party browser extensions" box under "Browsing". You will need to restart the browser for the setting to take effect.
Firefox - This page automatically detects your Firefox plugins and ensures that they are up to date.
Google Chrome - Google has asked Chrome extension developers to include automatic updates with their extensions to make Google Chrome more secure.
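For Chrome, one way to see which installed extensions can reach your Google account pages is to read each extension's manifest and look at the sites it asks for. The script below is an added example, not part of the original article or any Google tool; the list of Google hosts and the sample manifests are constructed, and it assumes the profile stores extensions as `Extensions/<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

# Hosts standing in for "your Google account" (an assumption for this example).
GOOGLE_HOSTS = ("accounts.google.com", "mail.google.com", "docs.google.com")

def covers(pattern, host):
    """True if a Chrome match pattern such as https://*.google.com/* covers host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # API permission such as "tabs", not a host pattern
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return host == pat_host

def google_access(manifest):
    """Return the sorted patterns in one manifest that reach a Google host."""
    patterns = list(manifest.get("permissions", []))
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return sorted({p for p in patterns if isinstance(p, str)
                   and any(covers(p, h) for h in GOOGLE_HOSTS)})

def audit(extensions_dir):
    """Map 'name version' to matching patterns for each installed extension."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        hits = google_access(manifest)
        if hits:
            label = f"{manifest.get('name', path.parts[-3])} {manifest.get('version', '?')}"
            report[label] = hits
    return report

# Constructed sample manifests (not real extensions).
SAMPLES = [
    {"name": "Mail Notifier", "version": "1.0", "permissions": ["tabs", "https://mail.google.com/*"]},
    {"name": "Page Restyler", "version": "2.3", "content_scripts": [{"matches": ["<all_urls>"]}]},
    {"name": "Weather", "version": "0.9", "host_permissions": ["https://api.weather.example/*"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["name"], "->", google_access(m) or "no Google access")
```

An extension that lists `<all_urls>` or a `*.google.com` pattern can read and change what you see on those pages, so those are the ones to review or remove first.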
2. Change your password often
Most of us ignore this simple step, not just for our Google Accounts, but for all the accounts that we use. While there is no set rule for changing your passwords, I've aimed for about once a month since my Zhang attack.
3. Set up two-step verification
This is the most important step in Google's Security Checklist. Two-step verification adds an extra layer of security to your Google account by requiring a special code to be entered on trusted computers once every 30 days, and any time you are accessing the account from a non-trusted computer. But this doesn't happen by default; you have to set it up with Google first.
I'll add that printing your backup verification codes is more secure than saving them to a text file. If you do choose to save them to a text file, don't name it "Backup Google Codes" or something similar.
While signing up for two-step verification with Google is self-explanatory, this video from Google helps it make a lot more sense.
4. Require Google Accounts used for business to be secure
If you run a small business, ask all of your employees and contractors to run through the Google Security Checklist for their Google accounts. If you share docs or other applications with clients, create a special outward-facing Gmail address that you can share with other Gmail users who may potentially be insecure themselves.
If you have a good ongoing working relationship with a client with Google accounts, send them this article and ask them to run through Google's suggested steps.
If you are concerned about security in your industry, have contractors and employees sign a contract that requires them to ensure that their Google Accounts are secure and use two-step verification.
The bottom line is that keeping your Google Account secure requires a bit of extra work. Considering that our Google accounts are digital keychains to our online lives, though, it's definitely time well spent.