Hackers broke into an experienced tech journalist's accounts and deleted tons of irreplaceable data. Here's how to keep them out of your Gmail (and all the rest of your accounts).
Last week, well-known tech-writer and Wired Senior Editor Mat Honan's life was turned upside-down when hackers broke into his online accounts including Amazon, Gmail, and iCloud. They also used iCloud's Remote Wipe feature to delete data from his computer, iPad, and iPhone.
After being locked out of his accounts, losing everything in Gmail—and all of the photographs of his infant daughter—Honan eventually tracked down the hackers, and has begun the slow process of putting his digital life back together. But much of his data is probably lost for good.
Honan's tale is a sad one, and it could happen to you.
In fact, Wired was able to replicate the exact hacks that gave the bad guys access to Honan's accounts. Since then, Amazon has changed its security procedures, and Apple has stated that its security policies were not followed in this instance, but that doesn't mean you're out of the woods. Security policies can change, but so can the methods hackers use to steal your stuff.
Since nearly everything you do online links back to your email address, locking down that account is particularly important. After all, with access to your email account, your financial records, bank accounts, and data on an iCloud-connected device are all fair game, as most of those accounts can have their passwords reset via an email message.
Thankfully, Gmail offers a powerful tool to keep the data stored in your account secure. Called "two-step authentication," it's a feature of your Gmail account that adds an additional layer of security, and can prevent the type of massive data breach that Mat Honan suffered.
It requires a bit of work up front to enable two-step verification, but the added security is worth the effort, especially since access to your email opens up all sorts of other options for hackers.
By default, Gmail asks for your username and password anytime you log in. With two-factor authentication, you'll need your username, password, and a verification code that gets sent to your mobile phone in order to log in to your account. Essentially, it means that anyone who is able to guess (or otherwise acquire) your username and password won't be able to log in without also having access to your mobile phone.
If you're frequently out of cell range, the Google Authenticator app for iOS, Android, or BlackBerry can generate access codes for you without the need to receive a text message.
To set up two-factor authentication, sign into your Google Account and head to Settings. If you're already signed in to Gmail, click your name in the upper right corner, and then Account.
From the Security tab, choose Edit next to 2-step verification. After you click Start Setup, Google will request a mobile phone number. This will be where your verification codes will be sent via SMS. Enter your mobile number, type the verification code you receive into Google, and click the Verify button.
The next screen offers details about the Trusted Computer setting. Checking the box sets a browser cookie on your current device so that you'll only need to authenticate with a verification code once a month. If you share a computer or iPad, or are using a publicly accessible machine, uncheck the box. This will force Gmail to ask for a verification code every time you log in.
Once you click Confirm to turn on two-factor authentication, you're all set. Logging into your Gmail account will now require a username, password, and a verification code from your mobile device.
Generate special passwords
If you use email clients like Outlook or Mail to access your Gmail account on a computer or iPad, you'll need to adjust your settings. Since mail clients don't know to ask for a verification code, you'll need to create an application-specific password that will allow the app to bypass the second step.
To do so, head to Security > 2-step verification > Edit. Scroll down and click Manage application-specific passwords. In the Name field, give your password a name you'll recognize, like "Mail-Mac" to identify what the password is for. Click Generate Password, and Google will display your custom password for that application.
Copy and paste your password into the configuration screen of the app you want to use with Gmail. But do it now, because Google will only display these passwords once for security purposes.
As an added benefit, you can revoke individual passwords at any time. So if your iPad gets lost, you can cut off its access to your email remotely simply by logging in and clicking Revoke next to the password for that device.
In case of emergency
As a fall-back, you can also generate verification codes in advance, which you can print out or store in text form for emergency situations where you need to access your Gmail, but your registered phone isn't available.
Gmail's two-factor authentication won't make your account impenetrable—someone with your phone or computer may still be able to get in—but it will keep far-away hackers out of your email, and whatever accounts you have connected to it.