Main Nav

I remember receiving an email from Google stating that 2 of my student accounts were compromised. I couldn’t find the email. It was at least a couple of months ago. They took the action of Suspending the 2 offending accounts. By the time I looked at the accounts probable a day or so later, they were active again. The email contained a link to one of their Help articles giving a list of suggestions on dealing with the accounts, like change the password, remove forwarding etc.

Sorry I can’t be more specific. If I run across the email I’ll send along excerpt from it.


Richie Bianco

Mercer County Community College

1200 Old Trenton Road

West Windsor, NJ, 08550




We just created a case with Google about the same issue.  This is the reply we got back from support:

Thank you for your message. I understand you have accounts that you believe have been compromised, two of which have hit their sending limits as a result, and would like to know what information and options are available to you. I would be happy to provide you with the information I have in relation to this.

You can check the IP addresses of the last ten log ins made to the three user accounts by following the steps outlined below.

1. Sign in to their Gmail inbox.

2. At the bottom of the inbox, on the right hand side, it will say 'Last account activity:'.

3. Beneath this will be 'Details'. Click on this and you will see the IP addresses used for the last ten log ins to the Gmail account. This will help you verify that the account had indeed been accessed and will provide you with the IP address that was used.

Also, please change the passwords to the affected accounts to passwords with a 'Strong' rating. This will lock out any unauthorised parties who are in the account and help secure it.

Another recommendation to further secure all your user accounts is 2 step verification. This adds another layer of protection to your user accounts, as two passwords will be needed to access the account, one of which will be sent to your user's mobile device.

You can find information on 2 step verification at

You can also find a security checklist, which will list steps for you to follow to ensure your account's security at

When it comes to seeing who has accessed an account, there is no information we have access to on our end. The primary service we offer is information on how to protect your account from being accessed without authorisation again in the future.

I'm curious what other schools do when one of your domain's gmail accounts are hacked and used to send spam. It happened to us periodically prior to switching to Google, and we always discovered it by getting rate control messages from our Barracuda. Our response was to disable the account in Active Directory and Exchange, then to clear the offending messages from the outgoing queue in the Barracuda. 

Now that we're on Google, we just encountered our first one, and we only noticed it because the spam messages were being sent to other addresses. The account that was hacked is a departmental account, shared by a number of people.  Our response in this case was to force quit the user(s) from any open sessions (reset sign-in cookies from within the Google Apps console) and change the password within Active Directory (we use GADS to sync passwords).

Is this really the right approach? Are there other ways we should expect to be notified about this kind of thing? Does Google do anything themselves to respond to hacked account? We kind of assumed they would, or at the very least that the messages would be caught by Google's spam filter (we don't whitelist our own domain, specifically because we wanted to make sure that spam like this wouldn't be automatically let through).

Any comments on your own experience would be helpful. Thanks!



Matthew S. Burfeind
Deputy Chief Information Officer
Massachusetts College of Art and Design
621 Huntington Avenue
Boston, MA 02115
617.879.7872 (p)
617.879.7979 (f)

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at