Gmail security issue

[Polar Bear]

All three of my gmail accounts have decided that I need to change the passwords due to a security issue.

Anybody else had this problem?   Has google been attacked?

[Gus]

friend of mine just got  the same message.
mine looks fine.

[frankly frankie]

Google required our account passwords to be strenghened but that was 3 or 4 months ago.  Maybe its a staggered roll-out.

[Quisling]

I was required to log back into my gmail account this morning and it then gave me a load of new Ts and Cs to agree to.

[fhills]

May not be a link, but: My chromebook a couple of days or so decided that I was putting my password to enter the machine in wrongly - this is the same as the google acccount gmail account/address pasword.

I very definitely was not putting it in wrong.

I had no choice but to go to the recovery process, tapping in a code sent to another email address.

For reasons best known to google this wipes the entire internal "drive" though it gives you everything back that was stored in your google drive. As a security measure that makes no sense to me.

I lost everything in the download drive - mostly material to read -lesson learned - I now pretty much immediately copy everything downloaded to google drive and there is clearly no reason at all to pay google for a chromebook with a bigger internal drive.

Cos they reserve the right to trash it.

I don't know if there is a link with your issue but I know that mine is not an isolated example.

[Greenbank]

It's probably linked (given the denials) to Cloudflare (a caching and DDOS-mitigation service) fucking up in a very big way.

https://news.ycombinator.com/item?id=13718752

Security details (login tokens, SSL certificate details, PII, etc) for various sites (fitbit and Uber to name a couple of major ones) have been accidentally appended to other requests and effectively cached all over the place (especially search engines such as Google, Bing, etc). The scary thing about them being cached by search engines is that it's trivial to search for them.

From the p0 link (https://bugs.chromium.org/p/project-zero/issues/detail?id=1139):-

We keep finding more sensitive data that we need to cleanup. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

This is going to spoil a lot of people's days (and weekends).

[Basil]

Yes.  My gmail account asked me to log back in yesterday.  I haven't bothered yet.

[Asterix, the former Gaul.]

I had to re log into Google yesterday.
 
Now I learn that Cloudflare provide security for IS websites!

Extraordinary as it might seem for a San Francisco based tech outfit to do this, their rationale is that censorship is not their role.

Nevertheless, it must make them an object of interest to those whose attempts to disrupt IS they are thwarting.  That must include some very capable cyber experts.

[Dibdib]

As far as I'm aware, the Google re-authentication bug is a separate and non-security-related issue to the Cloudflare CDN leak - and the Cloudflare leak is much less of a big deal than it seems on the surface.

That said, I'd strongly recommend implementing two factor authentication on any web services that offer it, and especially ones used for important stuff like gmail.

https://www.google.com/landing/2step/

[Asterix, the former Gaul.]

I'd agree that Cloudflare is not a huge deal in itself.  For me the interesting issue is that technology supply is apolitical and essentially borderless.  An unusual commodity.

[Wobbly John]

This, only today.

Yes.  My gmail account asked me to log back in yesterday.  I haven't bothered yet.

[barakta]

My Google account on my phone asked me to relog in this morning which I have done.