The Real Truth About GMail Security.
How Safe Is Your Email?
Short excerpt: Below are three examples of why you should not use GMail for your personal or business sensitive emails. Apart from Google checking the content to place relevant ads, there might be more people reading your confidential emails. What are the real costs if the information most valuable to you falls into the wrong hands?
Do you remember the story of a bank that sued Google to get the account information of a Gmail user to whom the bank had sent sensitive client information?
A Wyoming bank sent an e-mail containing sensitive customer data to the wrong Gmail account, and now wants Google to reveal the identity of the account holder who received the data….
…The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the e-mail that should not have been sent at all.
In the end, the two companies settled the case out of court, Google shut down the account, and the bank was happy. Lesson learned: Be careful using Gmail for your personal or business sensitive email! You don’t want to have your Gmail login and password information compromised by anybody with malicious intent.
I would state it even more aggressively: Do not use Gmail for ANY personal or business email! Reason being, your personal email is not secure. Apart from the fact Google is reading all of your email to determine the right ads to show, your email could end up in somebody else’s inbox without your knowledge. With the city of LA implementing Google Mail for its 30,000 employees, there is enough reason to be concerned about email security.
Over the years I have seen a number of instances where I received mail that was not meant for me. However, the last couple of weeks I’ve seen an influx of email delivered in my inbox, while meant for other people.
All emails I receive are replies to emails sent by somebody who has chosen a Gmail email address that is similar to mine. I have had my Gmail account since the launch of the service by Google. I’ve been blessed (or cursed) with a short, common first name email address. The emails that I receive are all variants of mine, using numbers proposed by the system when you sign up. If yourname@gmail.com is already taken, the system might come up with yourname1745@gmail.com, based on your address or your birth year.
Background
According to the Gmail help documents, there are a number of cases why email can get delivered in your inbox, while it should not have been. These include:
- Your address is similar but has more or fewer dots (.) or different capitalization. Sometimes you may receive a message sent to an address that looks like yours but has a different number or arrangement of periods. While we know it might be unnerving if you think someone else’s mail is being routed to your account, don’t worry: both of these addresses are yours.
- Your address isn’t listed at all. If you don’t see your email address in the To: or Cc: fields of the header, the sender has probably mailed you a ‘blind carbon copy,’ or Bcc:. The Bcc: field isn’t displayed in the header of received messages. This means that you won’t see your email address at the top of any message you receive as a blind carbon copy.
- You’re receiving spam that’s not addressed to you. The message you received was probably the result of a common practice among spammers called ‘dictionary spamming.’ Dictionary spammers often use a software application to randomly guess email addresses based on words in the dictionary.
Although most cases in the Help Forum can be explained by the cases above, I can attest that there are a number of cases which are not covered by the above snippet from the Gmail help section.
A search for Gmail+”getting+someone+else’s” returns more than 150,000 results. However, the majority of the talk is about the dot issue described above.
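The three help-document cases can be told apart from a message's own headers. The following is an added example, not code from this post or from Google: it assumes the receiving system records the envelope recipient in a `Delivered-To` header, and the addresses and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Domains where dots in the local part are ignored (per the help text quoted above).
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonical(addr: str) -> str:
    """Lower-case the address; drop dots from the local part on dot-insensitive domains."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def _addresses(msg, *header_names):
    """Collect every address found in the named headers."""
    values = []
    for name in header_names:
        values.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(values) if "@" in addr]


def numbered_lookalikes(mailbox, candidates):
    """Addresses that are the mailbox's local part plus digits (name -> name123)."""
    my_local, _, my_domain = canonical(mailbox).rpartition("@")
    pattern = re.compile(re.escape(my_local) + r"\d+")
    hits = []
    for cand in candidates:
        local, _, domain = canonical(cand).rpartition("@")
        if domain == my_domain and pattern.fullmatch(local):
            hits.append(cand)
    return hits


def classify(raw_message: str, mailbox: str) -> dict:
    """Explain, from headers alone, why a message is sitting in `mailbox`."""
    msg = message_from_string(raw_message)
    me = canonical(mailbox)
    visible = _addresses(msg, "To", "Cc")
    delivered = _addresses(msg, "Delivered-To")
    result = {"lookalikes": numbered_lookalikes(mailbox, visible)}

    if any(a.lower() == mailbox.lower() for a in visible):
        result["verdict"] = "addressed-to-mailbox"
    elif any(canonical(a) == me for a in visible):
        # Same account: only dots or capitalization differ.
        result["verdict"] = "dot-or-case-variant"
    elif not delivered:
        result["verdict"] = "no-envelope-evidence"
    elif any(canonical(a) == me for a in delivered):
        # The envelope named this mailbox although To/Cc did not:
        # Bcc, a forwarding rule, or a mailing list.
        result["verdict"] = "bcc-or-forwarded"
    else:
        # The envelope names a different account; this is the case worth
        # reporting to the provider with full headers.
        result["verdict"] = "envelope-mismatch"
    return result


MAILBOX = "dennis@gmail.com"  # constructed address

# Constructed sample messages (headers only matter here).
SAMPLE_DOT = (
    "Delivered-To: dennis@gmail.com\n"
    "To: D.Ennis@Gmail.com\n"
    "Subject: dot variant\n\nbody\n"
)
SAMPLE_BCC = (
    "Delivered-To: dennis@gmail.com\n"
    "To: dennis123@gmail.com\n"
    "Subject: reply to thread\n\nbody\n"
)
SAMPLE_MISMATCH = (
    "Delivered-To: dennis123@gmail.com\n"
    "To: dennis123@gmail.com\n"
    "Subject: bank alert\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("dot", SAMPLE_DOT), ("bcc", SAMPLE_BCC), ("mismatch", SAMPLE_MISMATCH)]:
        print(name, classify(raw, MAILBOX))
```

Only the last verdict points at the provider; the other two are explained by the sender's addressing or by the dot rule.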
Receiving Someone Else’s Email
There are two sorts of email intended for somebody else that can be bad:
- Sensitive email not meant for your eyes.
- Email that can impact your life negatively
I have a number of examples of both. If I didn’t share these cases with the people involved, both the rightful recipient of the mail and my wife, I could have ended up in some weird and not so pleasant situations.
Some of the snippets of the emails below are changed to protect the innocent or to hide sensitive information. I don’t think posting these snippets is wrong, as I’m trying to make a point here on why you should not use Gmail for any personal, let alone business sensitive email.
The Bankruptcy
The first case of wrongly delivered email is quite a sensitive one. I have tried not to get involved and not to open sensitive documents, but then again, I can’t help it that I open an email which is addressed to me!
7 days ago it all started when I received a couple of emails a day. The first one is immediately pointing at sensitive information which should not fall in the wrong hands:
Can I get the code to the door on the warehouse? I am trying to hook up with the appraiser. He called this morning. I will let you know what I get scheduled.
Two or three emails later, the emails are getting even more sensitive. Here are some excerpts from it:
I wanted to update you on some more things since that was sent.
I sent a check to [name removed] for a past due attorney fees for $ 14,000
You and I discussed this and since I am still using [name removed] through this period of business closeout etc. I thought it was appropriate since the bill continues to get larger….…I had to put $12,000 of my personal money into [company name] so that we could pay employees and payroll taxes and $2,700 of it went to pay [name removed] the company CPA for the 2008 tax return. I am working with him right now on a lot of things to get returns done for 2009 below are his charges for last year that are all paid in full. I want to pay for the 2009 returns so that I can get started on them because I will be busy later with other things. [name removed] and I feel that the returns will not costs this much because there is not as much accounting to do. I feel that about 70 % would be close to actual costs.
[company name] *$4,000* My son the other owner has no money nor does the company to put towards this as he will be filing bankruptcy also.
Heart breaking emails of people who are in financial trouble, on the edge of bankruptcy and trying to save what is left to save. This could have meant, closing the corporate email address account, and switching over to a free email provider. But with free, comes the risk of security.
I did not only receive the email exchanges between him and the lawyers, but much more. Among these:
- Login and password information of a brand new web store just launched.
- Personal correspondence between father and daughter, for which they used email
- Hotel reservation confirmation, containing personal information, address and credit card information
- Receipts for online shopping, with shipping address
- Online banking alert of change of email address
I have already received so many emails with sensitive information on this guy that I could probably take on his identity pretty easily. As you can see, I might be receiving the online bank statements in my inbox soon, as this person has just changed his email account on his online bank.
More examples of confidential information: As mentioned above here, the login and password information for their brand new sports outlet webshop were sent to me through email. I could have taken control of the whole website and made some changes.
This, of course, is not what I’m about to do. I would rather send the person an email and warn him about the situation. After that, I will delete all the confidential information from my inbox.
The Cheating Husband
What if you were happily married, all is fine right? Then one day, emails start popping up in your inbox from a site called Ashley Madison. You pay no attention to these, as they probably are spam. Then one day, your wife is logging into your email inbox to check something for you while you are away. As the name Ashley Madison sounds like a woman’s name, she cannot hold her curiosity and opens the email. From that moment on, your life will not be the same anymore…
Ashley Madison is not a normal person, but rather a dating site for married or attached people who want to hook up. That’s right, those people that want to start an affair or have a casual encounter with somebody else than their significant other.
Now try to explain why you are signed up for this dating site for married people, and why you receive email from attached older women, and why you have direct access to a guest account on the Ashley Madison dating site? What is your explanation on this?
I’m receiving all the correspondence of a certain individual who has signed up for Ashley Madison. It is supposed to be a 59 year old gentleman from Pennsylvania. I will not reveal any more personal data not to reveal his real identity.
Through the emails and updates I’m getting, I have direct access to his profile and mailbox on the dating site. I could have some fun, but again, I won’t.
Mafia Baseball bets
I’m reluctant to post about my third example of wrong email delivery. This third one is also the longest going on. I’m reluctant because I’m a big fan of mafia movies, and the emails I’m receiving have the smell of New York mafia family all over it. I simply don’t enjoy waking up with the head of a dead horse in my bed.
The email address for which I’m receiving the mail does not even closely resemble mine. This is the strangest thing. I used to think somebody was playing a trick on me, especially as the mails were very mafia like. However, I dropped that idea the more email from other people I began to receive. I just need to remember, this is not Mafia Wars where I can buy my health back…
All emails for this Dennis G are about Baseball, and in particular about the New York Yankees. These guys have all gambling conversations over email, not knowing some small time punk in California is lending an ear to their betting strategies. Here is an excerpt:
I had 4 of the 6 teams going into sunday nite. $5 to win $220. i need the giants to win, and the yanks to win by more than 1 1/2 runs. you must know the results, cost me $220.00
sammy sosa just hit 12, most over 400 ft, 1 was 495 ft.,488,508,509, and he had the top 10 distance homers of the night,compared to anyone else. griffey was in the finals with him and hit 2, sosa hit 9 more. a guy won a $250,000. home because of sosa. this is on mlb network. free with my cable. pretty cool. i wonder if STEROIDS had anything to do with all this!!!!!!!!!!!!!!
it sure effected alot of aspects of sports.where do you take the titles away ,or not recognize them. maybe the guy should give back his home he won because sosa won the contest. and they complained about bonds.
How do you tell a Don you’ve been reading his personal email for months, without being put on a death list from one of the big New York Mafia Families?
Conclusion
Can you trust the security of Gmail? Would you risk identity theft just to save a couple of dollars on a year subscription for private secure email? What is the truth about Gmail Security?
Just recently, the city of Los Angeles announced the adoption of the Google email system for 30,000 city employees.
The Los Angeles City Council voted unanimously today to outsource its e-mail system to Google Inc….. Because Los Angeles will be among the earliest adopters of the Google system, council members expressed concern that the city might be signing on before Google’s cloud system was fully proven.
Now that Government agencies and organizations are adopting Google mail applications, it should be more than fair to question the security of your personal information. Although Google’s Cloud email offering is not the same as Gmail, I believe earlier problems with Google’s Cloud and Gmail security issues as described above or the Google Docs security breaches should be enough talking points for privacy watchdogs to start asking questions.
I would love to hear your thoughts or experience with security of Gmail. Please use the comments to let me know…
You (and many people on the internet) are confused about the dot issue. The document you quote says clearly that Gmail ignores the number and placement of dots in email addresses. firstinitial.lastname@gmail, firstinitiallastname@gmail, and f.irst.initia.llas.t.n.a.m.e@gmail all belong to the same person. If the dots are different but not the letters, you’re not getting anyone else’s mail.
Just to let you know that you’re not alone. My wife has the same issue. She has firstlast@gmail.com, but she’ll receive email for first.last@gmail.com. Must be some type of routing issue as her address is not actually in the header. She’s received an assortment of personal information, i.e. passwords, account logins, etc. I cannot caution people enough not to utilize Gmail for their business organizations. We’re not talking issues where someone input the incorrect email address. These are issues where the recipient email address is not the address of the Gmail mailbox the message arrived in. I don’t believe it’s due to her address being BCC’d. I think it’s purely due to Gmail not being consistent in how it routes mail, smells of a bug somewhere.
My 2 cents.
-matt
@Elisa,
I understand the dot issue.
However, this is another issue. As I describe, I receive email from different email addresses, which do not fall under a dot issue use case.
If I don’t get anyone else’s email, how would you explain the examples above?
@Matt,
I do see the people’s full email address in both the address bar and the headers of the email.
To me, it definitely smells like routing issues.
You are just confused period.
@Sam,
Thanks for telling me!
I don’t know how this proves gmail is any less secure than any other email (be it web mail or POP account). People can always type in email addresses incorrectly and send messages to the wrong person. I have this happen all the time to me. I get messages that were intended to slight variants of my email address. Has nothing to do with Gmail doing things poorly. Just means people keep giving out their addresses wrong or people keep hearing/reading them incorrectly.
Gmail is pretty safe as long as you turn on the https setting.
That being said, email is not a secure way to communicate unless you are using encryption. Don’t email something you’d never want anyone else to see. Doesn’t matter if you’re using Gmail or any other email system. They are not totally secure.
@Justin,
I don’t think these people have the wrong email address or have misspelled the email address. I can see the email address the email was sent to, which is not mine!
The person I get the email from first sends an email, all replies to that email are flowing into my Gmail inbox.
Apparently, the email is getting delivered in both the inboxes, as the person is also replying back.
This way I have received a thread of emails back and forth from the Bankruptcy person and his lawyer.
This is happening with emails where the people have the same first name as me, and their last name starts with the same first letter as my last name. This particular issue is NOT the dot issue as described above.
I think there’s a glitch in Google’s Gmail system. Thanks for informing us Dennis!
Going forward I will be more careful with my gmail usage
As you should Rohit,
If your sensitive information is ending up so easily in somebody else’s inbox, you don’t want to think what could happen.
The number one issue of Internet that it will always be here; privacy and security.
Once we are connected to Internet there is no more privacy – anybody can access our information – it’s a fact.
Orson Wells – 1984 – ??? did you read this book? from science fiction to today’s reality.
Thanks,
Dan Gabriel
http://www.twitter.com/gdan
Well said Dan.
The more reason why you should hold on to some of the traditional ways of communicating with people like lawyers, tax authorities or your loved ones.
I’m sorry but this blog is ridiculous. If people are sending email to the wrong address then that is their fault. Just like a telephone there is some sense of responsibility born by all involved to use it correctly. Google can’t do anything to ensure people use the service correctly nor should it be their fault if people don’t.
Something else you’re missing here is that Google didn’t suddenly reinvent the wheel. They’re using mostly the same email software that most companies not using Microsoft Exchange use. They’ve dressed it up and added their own features but the software they use basically works the same. Network Solutions, GoDaddy, Yahoo! (which uses Zimbra), etc all use this same basic open source software.
Gmail is not a perfect service but it is no more less secure than any other email provider. I’ll state that it is MORE secure than what most companies and individuals who are using POP email are using.
@Nate,
Thanks for your comment, but did you actually read the post completely?
I’m receiving email from an email address which is not mine. The email is getting delivered in two inboxes, because the person who it is addressed to is responding to these emails. It’s not that the people who are sending these emails made a mistake in the email address!
I was one of the first people who got a Gmail email address, and it’s a pretty good one. Something like: name@gmail.com. Now that more people jump on the Gmail express, they sometimes choose name123@gmail.com. And I receive their email in my inbox.
I am shocked by this, i wonder if anyone at google has released a statement, etc. regarding the issue?
Not sure where I would have to send an inquiry. Google is not well known for being reachable.
Thanks for the info, Dennis. It sort of comes across as, “Run for the hills! Avoid the internet, and don’t let the satellites see you!” (I wonder if Gmail breaches are subject to the same aluminum foil barrier as other similar fears?)
I’m obviously being tongue-in-cheek here, and I think you have a great point. I use Gmail all the time, and I know a company who is using GoogleMail for their work accounts starting soon. So in order to avoid the conspiracy theory alarms, can you suggest some alternatives and briefly explain why they solve the problems you warn about above?
Thanks!
Hi Dennis,
It would be fascinating to see the header information from one of the offending e-mails (screen grab perhaps). My theory on what might be happening here:
Mr McSpammer decides to send an e-mail to a load of random addresses. Some of which he includes in the ‘to:’ field and others he includes in the ‘bcc’ field. So in the ‘to:’ field he puts ‘dennis123@gmail.com’ and everything else (including your correct address, dennis@gmail.com) goes in the ‘bcc:’ field. When you receive the e-mail you think its misdirected but actually you were sent the mail via the ‘bcc:’ field.
Just a thought… 🙂
James
Ps, FWIW I think your point (Gmail seems to be routing dennis123@gmail.com etc to dennis@gmail.com) was diluted a bit by your comments about banks sending info to the wrong address (equivalent to someone mis-dialing a phone) and the dots in the gmail address format.
I have exposed several instances where gmail went bonkers, you sign up to other people’s accounts by mistake,
http://www.ditii.com/2008/04/26/youtube-glitch-compromised-gmail-accounts-in-uae/
youtube had similar glitch
http://news.cnet.com/8301-10784_3-9875714-7.html
I also mysteriously lost an account to a Chinese spammer, I am still puzzled how he/she took my gmail account. Guess what, the US Federal government, the largest IT client in the world is signing up to google cloud, so good luck folks.
Receiving another person’s mail, at the risk of sounding ignorant, are you sure it’s not just a spammer modifying the email headers?
@Dene,
I don’t think so.
I receive really private and personal email from this guy.
Sometimes I receive replies on his own emails he had sent to his attorney.
I even get bank alerts right now that his available balance threshold is under a certain amount:
Action: Available balance threshold met
Account Name: Key Express Checking
Account Number: XXXXXX7509
Threshold Amount: $100.00
Available Balance: $91.44
Date: 12/05/2009
Time: 06:59:31 ET
Action: Available balance threshold met
Account Name: Key Saver
Account Number: XXXXXX0292
Threshold Amount: $50.00
Available Balance: $36.63
Date: 12/05/2009
Time: 06:59:31 ET
This stuff should not end up in my inbox as our email addresses are different.
It’s very simple, Dennis. The guy wants to send mail, but he sees more than one account and he’s not sure which one the guy answers. So he sends it to name@google.com AND name123@google.com just to be sure. When the recipient replies, he stupidly replies to all, and you get the reply too. That way you’re in on the conversation.
As for why you don’t show up on the “To” line, I don’t know, but it’s probably because you got a blind copy.
This too happens all the time. I send mail all the time with one recipient shown, and many others receive blind copies. They never see their name as the recipient. I do it to preserve recipients’ privacy. Spammers also do it. They may also be messing with the other headers too, I don’t know. But I GET MAIL LIKE THIS ALL THE TIME, FROM ***SEVERAL*** E-MAIL PROVIDERS, AND NOT ONE OF THEM IS GOOGLE. OK?
As far as I can tell from your description, this has nothing to do with Google specifically. That’s the way ALL e-mail works.
Again, probably nothing described in this blog has anything to do with Google. I just found another likely (and simple) cause. Sometimes people forward their mail, and sometimes they forward it to the wrong address.
There’s an excellent example here, with proof: http://tiny.cc/misforwarded-e-mail . In the 12th reply, ETF has posted some headers from an e-mail message. Read the next message by Joshua, and then look at the headers.
Another hint: if your name is J. Smith, pick something else for your e-mail address. You don’t want mail for jsmith10937 getting mixed up with jsmith10936 and jsmith10938.
Sorry to post three messages in a row, but there’s really nothing right about this blog.
According to the article, a bank sent an e-mail to the wrong (Google Mail) address, and Google refused to release information about the account without a court order. And whoever wrote this blog concluded from this that you shouldn’t use Google Mail?!!! Sounds to me like Google did exactly the right thing.
In the case of the bank example, the mistake was clearly made by the bank clerk.
The fact that Google did not shut down the account immediately but requested a court order is indeed the good way to work on these kind of issues.
However, just imagine it was your email account that was shut down. You were just kicking it for a couple of weeks on a Caribbean island for holidays. And you come back, and you just lost all your email because the provider decided to settle out of court with a bank which was at fault for sending the information to your inbox!
And on your forwarding idea, why the hell would this guy forward all his personal, private and sometimes for his eyes only information to a complete stranger? That doesn’t make any sense what so ever…
@George the Foreman
i don’t think this is the case here.
The emails I’m getting are replies from his lawyer.
I don’t think the guy from myname1243@gmail.com will put in my email address as one of the senders email addresses.
And it’s not only replies from people he sent emails to.
In my last response I copied the auto-generated email from a bank alert.
With all the phishing going on, do you really think a bank would be that stupid to send bank alerts to all of the other possible emails?
I have never seen this happening with other email providers.
So if you get email intended for other people all the time, I’m surprised.
The link you posted doesn’t say what happened to the e-mail account, but with a little searching I did discover that Google was under court order to deactivate the account. One account says it was temporarily deactivated. I certainly don’t hold Google at fault for complying with a court order, and I don’t think either one of us knows whether the account holder lost any data, or whether it was even active.
Without seeing the e-mails and headers, I can’t say for sure why you are getting these e-mails, but you were given at least two possible reasons. I can assure you that getting e-mails that appear to be addressed to other people is not only permitted under e-mail protocol, but also a common occurrence. Perhaps you don’t get much spam or mail with blind copies.
I think what you need to do is show the messages with headers to someone who is knowledgeable about this, and then if you still think you have found something, contact Google Mail about it. That’s the only fair and proper thing to do.
I work with computers a lot, and I find a lot of problems. I always discuss problems before I write a bug report. If I didn’t do that, no one would pay any attention to what I wrote. Much of the time it turns out to be a user error or misunderstanding. If I do find a problem, it’s hardly ever exactly what I thought it was.
Let me see if I can post a screenshot of the headers of the emails here. I don’t want to expose too much data to jeopardize this guy’s account even more.
But since I’m receiving online faxes and voice mails right now, there is clearly something wrong with the delivery of his emails.
I did check up on the other part of your story, and it looks like you blew it. The account was reactivated as soon as the identity of the account holder was turned over, so the account holder lost nothing except for temporary use of his mail box while the matter was being argued in federal court. Google did the right thing and protected the user.
One more thing. The article was dated Sept. 26, 7 weeks ago. There was plenty of time to check the facts BEFORE writing about the incident.
Source: http://tiny.cc/this-news-report
a federal judge allowed Google to reactivate the account as soon as they turned over the identity of the account holder. So as far as I can tell, the account holder did not lose his e-mail. The article is dated Sept. 29, so there was plenty of time to have checked before writing a blog.
True, but if you think I make the point you should not use GMail because Google has deactivated the email account, you are missing the point.
I argue that you should be careful using free email accounts, as your emails could be redirected to somebody’s inbox based on eMail address similarities.
Apart from Google scanning your emails to match it with ads, more people might be reading your email. More than you might know!
That’s all I wanted to post here. You can do whatever with this information you like.
If you don’t like the message, I’m sorry, but that’s going to be your problem then.
My problem is that I’m getting more and more emails from this guy in my inbox. It’s cluttering my inbox, as I’m even getting read confirmations from the people he sends emails to.
But thank you for researching the case, and thank you for your comments.
The normal procedure when finding what you think is a security bug that might affect millions of people is to report it to the company that you think made the mistake. That’s called a bug report.
I looked it up for you. Google’s security page is here: http://www.google.com/corporate/security.html . That page explains what to do. You can send your e-mail to security@google.com . Don’t bother with a screen capture. Just copy and paste the damn headers, OK?
Now, since you already blogged about it without producing the evidence, I’d say you owe everyone a confirmed bug report. We don’t need the whole report. Just the number.
Sorry about the sarcasm, but this really needs attention, and Google is best equipped to handle it.
@George Foreman
I sent the header information and an explanation to the email address you stated above here on December 22nd.
I heard nothing back, I only got the standard auto response email that they have received my email.
Furthermore, I contacted the guy whose emails I was receiving. He has a new email address set up, and had to change all his auto delivery of emails again.
I was afraid they might not reply. I suspect that they have checked out that sort of complaint thoroughly, but they are deluged with that sort of inquiry, in spite of the FAQ on their Web site to deal with it.
My thinking is this. UNIX is 40 years old, and Linux is 15 years or so. And Google has surely delivered many billions of e-mail messages over several years. By now, surely that software has been VERY thoroughly tested.
On the other hand, it is not at all hard to imagine someone typing in smith@google.com instead of smith1234@google.com SOMEWHERE in the process. There are quite a few possibilities for entering a wrong address: the From address, the Reply-to address, forwarding address, or just a random address from an address book–and probably some none of us has thought about. In the absence of headers or ANY solid information other than the fact that you received some mail, I see no reason to assume anything other than human error.
@George the Foreman
Honestly, I would not feel bad if you assume this is a user error. I really don’t care if this is going to be solved, as long as this is not happening with my emails.
I have seen the emails that I have received, which were replies to an original email which originated with the person I got the email for. I let this person know, and his response was shocking. He had received all the emails I had in my inbox, so it was clear the emails were being delivered in both inboxes.
I’m not going to paste the header info here, as that will expose email addresses and more.
I will wait patiently for an answer from Google, but I doubt they will ever take on this case with the China nightmare they have on their hands.
Really Great Post. Best wishes. Thanks
[Note from Admin: Comment edited by admin due to keyword spam, next time use your real name instead of lame keywords. I’m sure your real name is not “Email Security Solutions”]
I too have concerns about someone at Google Mail reading my mail and putting in ads associated with their content. For example; recently I received mail from a friend telling me she was seeing a specialist because she had some sudden medical problem. Straight away there were ads saying GP training, First Pregnancy, some thing or the other and Find a Doctor. On the face of it it seems to be fairly innocuous, but what would you think if you were just notified that someone close had been killed in an accident and next to this; were ads for Funeral Directors, and the like.
I have another issue with Google Mail; I recently inadvertently sent a whole manuscript (of my life story, I am 81) instead of an extract, to an email address which no longer belongs to the people in question and that it had been allocated to someone else. I could not find out who they were, so I sent an email to gmail@google.com asking for help. It bounced back with a whole lot of gobbledegook, which meant nothing to me, I thought perhaps I had done some thing wrong in the first draft, so I amended it and re-sent it and the same thing happened. Fancy not being able to send an email to the email provider. I suspect they don’t want to have anything to do with the public.
@John McCreadie
From: eff.com As of March 1st, Google will implement its new, unified privacy policy, which will affect data Google has collected on you prior to March 1st as well as data it collects on you in the future. Until now, your Google Web History (your Google searches and sites visited) was cordoned off from Google’s other products.
This could mean that the data collected scanning your gmail can be combined with data on which websites you visit or which searches you conducted, all to build a better profile of who you are and what you like. This profile can be used to sell better and more relevant advertisement and/or a social network, Google+, profile for you.
I have a love/hate relationship with Google. I admire the company for their products and the innovation. I’m a little scared with the information Google is collecting and what it will be used for in the future.