The security of my Gmail account was compromised today, and a large amount of spam has been sent to people listed in my Gmail address book and to mailing lists that I am on. I apologise to people who have received this unwanted e-mail. I have taken steps to secure my account, but this comes as something of a blow to me, since e-mail is supposed to be a trusted system.

If you need to ensure the security of a message that I have sent, feel free to forward it to me and I will send back a digitally signed confirmation almost immediately using my GPG key.

If anyone reading this knows anybody on the Gmail team, I'd love it if you guys would make it easier for me to touch base. The website just says "oh, change your password and security question" - which is fine, but it would be more helpful if I could make a formal report that my account has been compromised so that the Gmail people could do something to prevent it happening in the future.

As to how it happened, I am not sure. I use a pretty strong password which is in my head. I will be changing passwords for other major services more often. I suggest that you take this opportunity to do similarly. I've long believed that being seriously paranoid about security is important, and having my e-mail account compromised has only made me more zealously security minded. Double your security efforts online, folks, and stay safe.

Please can you guys be my eyes and ears - if you notice anything odd going on with any of my accounts on other services, please IM me, e-mail me or get in contact somehow so I can try to fix the problem. Unfortunately, my e-mail account is a keystone for my whole online life, and its being compromised means that nothing that purportedly comes from me online can be guaranteed anymore.

If you are in charge of running websites, you should seriously consider moving away from password-through-mail security. If you haven't, set up OpenID and let people log in with that instead. And please start using encryption, everybody. Security should be our concern - nobody else is going to protect us - not Google, not Facebook, not our damn clueless government. Get yourself a GPG key, meet me in real life and I'll sign the damn thing. Then we can have properly secure communication at 4,096 bits and Mr Cracker won't be able to read a single bit of the damn thing. Security paranoid? You bet your arse I'm security paranoid now.
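An added example, not from this post, of the GPG workflow mentioned here and in the note above about signed confirmations: generate a 4,096-bit RSA signing key, clearsign a message, and check that verification fails the moment anyone edits the signed text. It assumes GnuPG 2.1 or later (`gpg`) is installed and works entirely inside a throwaway keyring in a temporary directory, so it never touches your real `~/.gnupg`. The identity `Example Sender <sender@example.invalid>` and the message text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: sign a message with a 4096-bit RSA
# GnuPG key and verify it, showing that any change to the signed text is detected.
# Assumes GnuPG 2.1+ ("gpg") is installed. Uses a throwaway keyring so the
# demo never touches your real ~/.gnupg.
set -eu

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Hypothetical identity constructed for the demo.
SIGNER='Example Sender <sender@example.invalid>'

# Generate a 4096-bit RSA key usable only for signing, with no passphrase
# (acceptable for a scratch keyring; a real key should have one).
make_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$SIGNER" rsa4096 sign never 2>/dev/null
}

# sign_message FILE: clearsign FILE and print the path of the signed copy.
# Clearsigning keeps the text readable and appends an ASCII-armoured signature.
sign_message() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$SIGNER" --clearsign --output "$1.asc" "$1" 2>/dev/null
    printf '%s\n' "$1.asc"
}

# verify_message FILE.asc: print GOOD if the signature checks out, BAD otherwise.
# --status-fd 1 sends machine-readable status lines to stdout; GOODSIG means the
# signature matches both the text and a key in the keyring.
verify_message() {
    if gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG'; then
        echo GOOD
    else
        echo BAD
    fi
}

# --- Demo with a constructed message ---
WORK="$(mktemp -d)"
printf 'Meeting moved to Thursday. Bring the slides.\n' > "$WORK/msg.txt"

make_key
SIGNED="$(sign_message "$WORK/msg.txt")"
echo "original: $(verify_message "$SIGNED")"            # GOOD

# Someone who edits the text but cannot sign as $SIGNER leaves a BADSIG behind.
sed 's/Thursday/Friday/' "$SIGNED" > "$WORK/tampered.asc"
echo "tampered: $(verify_message "$WORK/tampered.asc")"  # BAD
```

The GOODSIG only means "signed by a key in my keyring"; it says nothing about whether that key really belongs to the person named in it. That is what the in-person key signing above is for: compare fingerprints face to face, then sign the key, so a signature from a key you obtained over the very channel that was just compromised does not get mistaken for proof.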
