If your Google account login information is ever compromised, you first need to secure your account. Go tohttps://www.google.com/settings/passwordchange and follow the steps to change your password.
Next, you need to look for potential leaks.
1. Check Gmail accounts, filters, and forwarding
If your password leaked, a thief could have logged in and configured your account to send a copy of every email to another account. You might never notice, because you would still see all your email, too.
To guard against this, check your accounts, filters, and forwarding settings. Open Gmail in your browser and access Settings (from the sprocket menu in the upper right). Then, review the following tabs and settings:
- Accounts: Remove any unwanted accounts and secure any accounts listed
- Filters: Remove suspicious filters that forward email elsewhere
- Forwarding & POP/IMAP: Delete forwarding email to unfamiliar accounts
2. Review app access
An app or Chrome extension with access to Gmail data can leak data, too. I counsel caution before you give any app or extension access to Gmail. That Chrome extension that claims to “help” you manage client information in Gmail may work, but it might also be a clever attempt to gain access to your account.
I suggest you only allow apps that pass three “trust tests” to access your Gmail account. First, make sure the apps can be installed from the Google Apps Marketplace. That means the maker has taken the trouble to comply with Google’s Apps Marketplace policies and review at minimum. Next, look for a third-party review of the organization’s policies and practices (e.g., SOC 2 compliance). Third, carefully examine the company and people behind the app: Is it a team you trust?
To review apps with Gmail access, go to https://security.google.com/settings/security/permissions. (You’ll need to login to your account.) The list shows every app with access to your Google account. Look for apps with either “Has full access to your Google account” or “Has access to Gmail.” To disable access, select the app then choose “Remove.”
3. Reset recovery methods
None of the above really matters, though, if the attacker has added their phone number or email address as a recovery option to your account. That would give the attacker another route to regain control of your account.
To change your recovery settings, go to https://myaccount.google.com, look for “Personal Info & Privacy,” then check the settings for both your email address and phone number. (If you don’t have a phone with active SMS service, at least review the phone information to make sure a thief’s number isn’t listed.) Make sure that the recovery email address you provide is secured and under your control.
4. Enable 2-step authentication.
If your account permits it—and you carry a phone—enable 2-step authentication for your Google account at https://www.google.com/landing/2step/. This will require you to obtain a code from your phone to allow access to your accounts when you login to your account. (Not all administrators allow Google Apps account users to enable 2-step authentication, but many do. Security-minded administrators require it.) You can authenticate with an app or a code you receive over SMS.
5. Consider a check-up
Even if you haven’t noticed a password leak, you should periodically review your Google account security settings. Google’s Security Checkup (at https://security.google.com/settings/intro/security/secureaccount) walks you through a review of several important settings, step-by-step.
The best way to protect your Gmail account remains relatively simple: Always enable 2-step authentication and never allow a non-Google app (or extension) access to Gmail.