Can confirm this happened to me this afternoon on my Android. Went into a full panic mode. I refused to type passwords since I was worried it might have been another app imitating Google and I had no recollection of any action that would have required me to sign in again. I made sure that my password was correct on my laptop browser to ensure that I had not fallen for an account compromise. Eventually restarted the phone, ran the Lookout security app and then typed it on the smartphone.
> I refused to type passwords since I was worried it might have been another app imitating Google and I had no recollection of any action that would have required me to sign in again
Same for me! So follow-up question, how do we know if an Android app is the real deal? I opened the app switcher and it certainly said "Google Play Services" on top of the window asking for my password, and had the correct logo, but could another app present itself in the same way?
If you long press on the notification, a little info icon pops up and tapping that will take you to the App details page. That's an easy way to verify the package name and version. If it is a sketchy app and not Google Play Services, kill it with fire! (FWIW it was Google Play Services for me)
I had the same issue. First I wanted to check whether the password I was using was still valid. So I verified/signed in on another machine in incognito mode. Once I had verified that the password was correct and still working, I then restarted Android. After scanning using Lookout (honestly not really sure how good they are), rather than going through the "Google Play Services" notifications, I opened the GMail app and checked if the past emails could be opened, after confirming that it was a legitimate app. I intentionally entered a completely incorrect password twice assuming that if it went away it was a really well crafted phishing attempt. Eventually I entered the password.
> I intentionally entered a completely incorrect password twice assuming that if it went away it was a really well crafted phishing attempt.
That's a clever trick, I'll remember it for next time something similar happens.
I had the same paranoia as several other people in this thread (don't enter password if you're prompted unexpectedly or without clear reason). I had the fortune that only a "trash" Gmail account got locked out, not my main one. So I verified on another machine, password was unchanged, checked if I really hadn't registered any other important accounts with that email, and just gave in after an hour or so, to make the notification go away.
Guess what happened to me on my iPhone today in the morning when I put it out of the airplane mode. Same thing. I didn't enter my password for the above-mentioned reasons.
Don't let the perfect be the enemy of good. Or in other words, I try to adjust my opsec/persec to a realistic threat model, not to my worst dystopian nightmares.
This is not about dystopian nightmares, this is about an OS where it's exceptional to EVER get an update, let alone get it in time.
If you go out to a shop and buy 100 Android phones, at least 99 will be running outdated OS versions with known security issues and no updates available.
But why aren't these Android phones getting hacked left and right, everywhere? Any idea?
Where I am (the Netherlands), Android is way more popular than iOS--I'm not attaching value judgement to popularity or otherwise, nor am I particularly doubtful of your claim that the average (cheap) Android phone is running an outdated version.
But if that's the case then what is going on?
Are they not juicy targets for hackers? (tons of personal information, botnet possibilities, seems valuable to me)
Or are they in fact being hacked quietly and we're not hearing much about it? Is everyone's cheap phone already part of a botnet and nobody realizes?
Is it perhaps that the exploits require physical proximity that hackers don't deem worth the risk?
Looking at active Android clients your claim might be correct (although I assume it is not 99%), but if he actually went out and bought a new "premium" phone, which I assume most here would do, it is most likely updated.
I can't say if it's much better, but iOS devices do have some security features most Android devices don't have:
- hardware Secure Enclave (as of the time of writing, only Samsung devices and latest Google Nexus also have similar hardware, as far as I know)
- strong sandboxing (again, only Samsung devices with Knox can really compare)
- restrictions on which apps you can get, that filters on malicious apps (ex: fake gmail app). It is void if you use jailbroken iOS or allow sideloading on Android.
- security updates are both more frequent (except Google devices, all Android manufacturers always lag behind for updates), and available to older devices (varies from manufacturer to manufacturer, but it's generally way less than Apple)
Of course, you need to factor in the delay to respond to security flaws (I don't have that kind of data), and other factors too, as well as decide if iOS suits you. That's for you to decide.
Same, got notification about both my Google accounts and was terrified it was some new phishing trick. Reading about Cloudbleed did not help matters either.
At least I got extra motivated to secure up all my accounts, so there is that.
Shit, you just opened my eyes a bit. I woke up, saw 2 notifications about logging in again (got 2 accounts registered on my phone), and just typed the passwords in without second thought. Never occurred to me that it could be a phishing attempt.
Happened to me an hour or so ago. Notification on phone suggesting I log in again. I ignored it like I ignore everything that doesn't seem pressing. Then Hangouts refused to send a message, which made me think the login suggestion was legitimate. Must say, like you, I probably ought to have scrutinised it a bit more.
Turn on 2-stage authentication and use LastPass or a similar password manager.
I can't really fathom how someone would have gained access to my account with those steps in place (and honestly if they did, I wouldn't even be mad because it's so impressive)... so I immediately assumed that Google was having a log-in problem.
We're still actively working to resolve issues with Identity/Authentication. Future updates will follow when there is significant progress to report.
To summarize; some long-lived OAuth tokens have inadvertently been invalidated.
This may affect the following Cloud services and will manifest as authentication errors:
- Cloud APIs using OAuth tokens, and related services that use them
- gcloud SDK
- Cloud Storage gsutil
- Cloud Dataflow
Note: not all customers are affected by this.
OAuth tokens may be recreated by running the following commands:
It's odd that the status pasted in the parent has disappeared from https://status.cloud.google.com/ , as the page seems to be designed to keep event history - but it's not in the history. I can still find it in Google's own cache, though - in the snapshot of the page as it appeared on Feb 24, 2017 11:19:38 GMT.
Actually ended up wiping my phone because this coincided with a weird set of text attachments I got from someone who didn't knowingly send them. At that point I wasn't sure that my phone wasn't being keylogged, so I wiped to be on the safe side.
OT: they mention that they've "gotten reports about some users being signed out of their accounts unexpectedly". I'm wondering how they get any such reports since it's almost virtually impossible to contact anyone at Google.
It took some time. I was logged out yesterday somewhere between 22 and 23h CET, went on Twitter to check if more people had the same problem (yes) and if anyone knew what was up (nothing), the tweet from Google confirming that something happened and it was not a security incident was after 6AM the next day.
We noticed this affecting tens of thousands of users on Zapier last night, causing us to wonder if we'd shipped a critical bug. Zaps using Google apps are still paused[0] while we wait it out.
On some versions of Android if you long press on the popup it will show you which app it's from. This obviously doesn't work for not-Android and older versions, though.
On Mac it is so easy to steal a password. In JavaScript: var gmailPw=prompt("Facetime requires your password to login"); macOS asks it every week/month for one reason or another, people are conditioned.
I had this issue too. I'm already on two-factor with Authenticator, so it wasn't a big deal. Since nothing had changed with my account, and the device history looked proper, I assumed it was a token expiration deal. Which is what it turns out to be. Good to know that was the problem.
The nicest thing about this affair is that Google Play Services kept popping out every few seconds asking me to enter the password while I was driving (using Waze).
Is it that whatever the issue that caused all this kept happening again and again every few seconds, or is it that once Google Play Services determines you have to log back in, it intentionally nags you making your mobile hard to use?
No surprise that I've only heard about this by reading it on HN, despite the fact that I had this problem yesterday. I consider it an operational failure when customers are the first ones to identify issues, double fail when they are not proactively made aware of issues that WILL affect them.
Like others, I also had a moment of extreme panic where I thought something had been compromised, as it also seems to have coincided with an issue where Google Voice SMSes (2FA) were not going through.
Happened to my work account and my personal. Got a scary notification on my phone telling that "Something changed on my phone and I need to login again"
Imagine you walked into a group of people, talking about one thing.
You started talking about something completely random and different.
They want to continue their conversation, you keep interjecting with questions about your random thing.
If they could, they'd probably turn you off so you couldn't talk, or go to another place to talk about it.
I would imagine that was because the comments are intended for discussion about that particular issue, not for random users to jump in with wild conjecture on its impacts. Honestly not that strange.
He was nice enough to answer the off-topic question, and the person who asked decided not to believe him and continued to take the discussion further off topic. The only good way to handle that sort of thing is to lock the thread.
That would have been the best outcome. As it is, I'm left with concerns. Maybe it is related, but he's been instructed to not comment. Maybe it's a National Security Letter. Or whatever.
And yes, maybe he was just stressed out, and didn't want to be pestered with conspiracy theory ;)
Third party sites where the Google account was used for authorization could have transmitted data through Cloudflare. (Think "Log in with Google" button on millions of sites.)
Not quite. CloudFlare is available to users of Google Cloud, but Google services don't use CloudFlare.
The only exception I could imagine would be some service that was brought in as part of an acquisition but has not yet been migrated to Google's internal platform. Obviously not applicable to products like Gmail or other core G Suite apps.
Title is misleading - I wouldn't say Gmail. It's disinformation. It's a generic Google Account issue. I got logged out from my Android device suddenly. Logging in a few hours later worked out just well.
Happened to me too, pain to log back in on Google Play (not allowed to paste password in).
It initially gave me a message that something had changed and I needed to log in again, I can't remember if that was on Outlook (yes, I use Outlook to get my Gmail) or on Google Play.
This happened to me too. And having 2FA enabled makes it a pain when you are logged out of _all_ your devices.
I checked my usage history but could not find anything.
And this article really does not explain why.
Happened on my phone and my Mac. I thought it was odd but wrote it off to a developer having programmed a computer to be stupid somewhere. Turns out I was right.
Incidentally, recovering a Google account password from a phone, when you have access to said phone but haven't given them the phone number, doesn't work. I kept being told that Google will send a token to the phone, and got a dialog saying 'do you want to log in?', I pressed yes, and nothing good happened.
Fortunately it was a test phone with a throwaway Google account - otherwise I'd have known the password.
I wonder whether this is why every Google router (OnHub, Wifi) on Earth shut down about 2PM PST yesterday and requires a factory reset to get running again.
I was booted off YouTube streaming on my AppleTV. Then my main account disappeared from iOS GMail app, even though a secondary GMail account was still there.
Was afraid my account was hacked. My GMail password is unique and quite long compared to my other pw so I doubt someone could find it.
I added the account again on the iOS GMail app and then signed in YouTube and it was back to normal... hmm.
This happened to my Android phone yesterday while I happened to be going around updating my passwords all over the Internet because the ones where I had used the same one were getting attacked left and right over the past few weeks. I never used that password for Google but I thought just maybe there was a forgotten access point to my account where I had. It sent me into quite a panic for 10 minutes or so. Needless to say, I'm now using a password manager for everything, even on sites where I wouldn't normally care if someone got in.
Happened on both my Macs roughly 12h ago, on two out of three accounts. Had 2FA configured for Google Authenticator, so took the time to refresh the OTP and bind it to 1Password instead.
Same here … I have a few Google accounts and on most devices, I was logged out (and I use the same Google account usually more than once on a device, so today is going to be busy!).
This happened to me. Since I've had my Google account breached once (and my mother had an awful experience), I have 2FA enabled... but the text messages weren't arriving (I guess Google was swamped or something).
I fortunately had the ten backup codes.
I'm really happy to hear it wasn't another attack on my account. It also reminds me that Google can be unresponsive :( and how much I depend on them (both my Gmail and my Android were warning me)
Happened to all my email accounts I have on my Android phone. I thought this was a planned, intentional change by Google and so I logged in with 2FA...
When this happened to me on my mobile, I had to dig up the password from my password manager. Then it asked me to NFC/tap my physical security key (YubiKey). Then the screen disappeared and all was well.
I've never seen that flow before with the security key; usually it's the SMS/GAuthenticator.
Still haven't fixed my email clients on my Mac, lol.
On my wife's iPhone, it asked her to enter her password again and the weird thing is that it now shows as a new device, called "iPhone" instead of "Cristina's iPhone" as it was before. A few hours later it happened on my Galaxy S7 as well but re-entering passwords fixed it.
I don't believe I'll be signing in again on my Android tablet. I've installed the apps I want, and being signed in is an extra risk, so I'll just curse Google every day for making me work around their begging me to sign in again, instead.
I had this hit me today. It happened right after I had disconnected from a VPN connection and connected directly to the internet. I assumed it was caused by a sudden change in "location". I guess not. I use 2FA, so I'm assuming I'll be ok. Maybe I should change my password.
Also had this happen to me and had my parents call me asking about it. A few warning bells did go off in my head, but as far as I could tell it all looked legit. Kind of disturbed by the lack of communication by Google though, since it seems to be affecting so many people.
I had this happen on two of my devices: Android Phone and laptop (macbook).
Seeing as it happened on two different devices, I have little reason to believe it's some sort of Android Malware. Attempting to login with my old password on incognito is a success.
Compromise or not, I recommend changing passwords.
I first thought that this was because I hadn't yet accepted the new-ish ToS after they decided to cross-reference history for ads a few months ago... signing back in popped up another 'agree to ToS' as part of the process.
Woke up to this message on both my phone and the wife's. Problem was, the correct password did not work in either case, so had to recover using a text message. This suggests something more serious.
Had this happen to me on my Android. Real pain in the neck since I have 2FA and I use an offline password manager that I had to re-sync to get the password over to mobile.
This happened to me. Thought I was either being fired & locked out of my account, or that I had fallen for a phishing scam. I don't know which one would be more embarrassing.
Yeah, same here. I was trying to figure out if I had done something to trigger it or, worse yet, if I'd been "hacked" (or someone got close and Google noticed and killed all my sessions).
According to Tavis Ormandy this had nothing to do with the Cloudflare data leak, but I'm not so sure about that. It may not be directly related but could be indirectly related to what Google did about the Cloudflare issue. It's just too much of a coincidence.
If there's anything that I've learned over the years it's that you can have two seemingly related outages that are in fact completely unconnected to each other.
Doesn't seem improbable that a Google employee somewhere might have chosen to invalidate a bunch of tokens based on the Cloudflare issue. There are 3rd party sites that accept Google account auth. Also not that big a jump that it wouldn't have been communicated well. Google doesn't always follow up with some kind of "what actually happened" postmortem either.
Happened on mine too. In Chrome I had to re-auth with 2FA, in iOS I just had to pick my gmail account from the account list without even reentering the password. Very strange.
Glad my Gmail account is no longer my primary email. Haven't seen issues with it on desktop, but my Windows phone is repeatedly spamming a "your Google account information is out-of-date" message.
Nothing in the Google Account panel for recent security changes though.
They admit they do not have enough information to determine the cause, yet they suggest there is little security risk. They can either not know or not know, but not both at the same time.
"They admit they do not have enough information to determine the cause"
No, they didn't.
It did not say "we have no idea, but it's probably not security related".
It said "we are still investigating, but it's probably not security related".
Those are very different statements.
The first, yeah, reasonable complaint.
The second could mean a lot of things. Usually, in these situations, people want to be able to put numbers on things, etc.
So it could reasonably mean something like "a bunch of machines are falling over in a datacenter with out of memory, we've determined why, it was an internal bug, fixed it, but are still gathering data about how much was affected, etc, before we say more".
Or whatever. I.e., saying "we are investigating" doesn't necessarily mean they are investigating the root cause, they could be investigating how long it will take to fix it, ....