When your Google Apps account password leaks, the battle begins to minimize data loss and regain control of the account.
Unfortunately, you can’t undo a password leak–once it’s out, it’s out. You must assume your account data can be exposed. Work through the following steps with your Google Apps account administrator to recover from an account login leak.
1. Alert an Admin
As soon as you identify a potential password leak, let your Google Apps administrator know. But, don’t email your admin from your hacked account. If your account info has been breached, any information you send may also be available to people with your password.
SEE: Password Management Policy (Tech Pro Research)
Instead, talk, text, or call to let the admin know. If you call, go to a private location. Don’t place the call as you sit in a coffee shop or hotel lobby.
When you make the call, be ready to provide as much information as possible. Let the administrator know:
- The date and time that the password loss occurred (if you know).
- The devices (e.g. laptop, phone, tablet make and model) and locations (e.g. work, home, client site, etc.) where you recently accessed Google Apps.
2. Review account access.
Work with your Google Apps administrator to review logins. Go to https://myaccount.google.com/, then select “Device activity & notification.” Look for the “Recently used devices” section and choose “Review devices.” Remove or erase data (with the Android Device Manager) from unknown devices.
If you’re the Google Apps administrator, login to the Admin Console at http://admin.google.com, choose Users, choose the account name, then “Account.” You’ll see any mobile device associated with the account here, and may choose to wipe either the account, which erases Google Apps data from the device, or the device, which erases the device itself.
3. Reset sign-in cookies
Next, your Google Apps administrator may “Reset sign-in cookies.” This revokes all existing logins at all locations. Anywhere you’ve logged in to your Google Apps account with an HTTP session, you’ll need to re-authenticate.
4. Reset password
Next, you may reset your password from the https://myaccount.google.com/ page in the “Sign in & Security” section. (While there, you might look for account recovery options, which may display an email address and phone number. If either displays information you don’t recognize, remove it. An administrator may disable this option entirely.)
Or, if you’ve lost control of the account, your Google Apps administrator may reset the password for you. When an administrator resets a password, they’ll have three options: Choose a password, generate a password, or allow the user to choose a password.
SEE: How to set up Google Apps in 5 simple steps (TechRepublic)
In the event of a password leak, I suggest you use an “assign first; then require reset” process. It works like this: The administrator first chooses a new password–and lets the account owner know–either in-person or with a phone conversation placed to a known (and confirmed secure) number. The administrator asks the account owner to login with the new password, and confirms that the account owner logs in successfully.
Next, the administrator selects the “Require user to change password at next login” option, and asks the account owner to log out. The account owner logs out, then logs back in with the assigned password, and then will be forced to select a new password.
This process allows the administrator to confirm that the account owner has access to the account. The subsequent required change of password ensures that only the account owner knows the new password.
5. Strengthen security
Finally, strengthen your Google Apps security settings. An administrator should increase the minimum password length (from 7 to at least 12 characters) and enable 2-step verification. Then, each user may secure their Google Account with two-step authentication.
What do you think?
What other actions do you take when a password leak occurs? Tell us in the comments.