A year ago my gmail account was hacked. I recovered it in an hour or so, not before a friend of mine had an amusing conversation. Recently, judging by James Fallows’s experiences, there has been a rise in these attacks. My mistake, I believe, was using the same password on my gmail account and another account. I suspect the recent outbreak of gmail break-ins is happening because there was recently a large exposure of passwords elsewhere.
But I can’t be sure because I cannot compare break-ins over time. What does a graph of break-ins-versus-time look like? Is what Fallows has noticed a recent spike? (It probably is.) If so, that supports my explanation of its cause (passwords lost elsewhere). Or has there been a steady increase over time? That would contradict my explanation. It is revealing that Fallows provides two security suggestions, one of them really time-consuming (two-stage verification) in the long haul. He says nothing about making sure your gmail password is not used anywhere else. If he could have seen that break-ins-versus-time graph, he could better judge whether the gmail hacks are due to duplicated passwords. If I am right about the cause of these hacks, Suggestion #3 should have been don’t use your gmail password anywhere else — and would have been the most effective.
Gmail developers can help all of us be safe at reasonable cost by publishing graphs that show break-ins (and probability of break-in) per day. I think that is estimated by the number of account recovery requests they receive per day. After my gmail account was hacked, I contacted Google to recover it and soon did. Perhaps those account recovery requests could involve the person making the request giving a reason (e.g., “account hijacked”). Then Google could simply tell us (with a graph?) the number of hijacked accounts reported per day.
Security departments and others don’t like to provide this sort of information. Persons at the top of companies worry it will scare customers! Those in security departments worry people will be less scared — thus reducing their power. From a user point of view these are horrible reasons not to make this information public. With accurate knowledge of the likelihood of break-ins, gmail users can make reasonable estimates of the costs and benefits of various security options. Without knowing the likelihood of break-ins, they can’t.