
Post Mortem: Today's Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself

What's this blog post about?

On June 1, 2012, a hacker accessed a customer's account on CloudFlare and changed their DNS records. The attack was possible because of a compromise in Google's account security procedures that allowed the hacker to access Matthew Prince's CloudFlare email addresses, which ran on Google Apps. The hacker first gained access to Prince's personal Gmail account by adding a fraudulent recovery email address and then resetting the password. From there, the attacker reached the Google Apps administrative panel for CloudFlare and targeted a specific customer, temporarily changing their DNS settings.

The incident began in mid-May, when an account recovery request was sent to Gmail for Prince's personal email address. The hacker somehow convinced Google's account recovery systems to add a fraudulent recovery email address to the personal Gmail account. The password on that account was more than 20 characters long, highly random, and not used by Prince on any other service, so it is unlikely to have been dictionary-attacked or guessed. Once the recovery email address was in place, the hacker could restart the password recovery process and have the reset instructions sent to the fraudulent address. Those instructions were used to reset Prince's personal email that morning. The hacker was then able to use Google's password recovery to have a password reset sent to Prince's CloudFlare.com address, which also used two-factor authentication. After accessing Prince's CloudFlare.com email account, the hacker accessed the Google Apps administrative panel for CloudFlare, targeted a specific customer, and initiated a password reset request for that customer's CloudFlare.com account. The hacker was able to access this account in Google Apps and verify the password reset. At that point, the attacker could log into the customer's CloudFlare account and change its DNS settings to temporarily redirect the site.
Working with Google, Prince regained control of the affected accounts (both his personal Gmail account and his CloudFlare.com Google Apps account). CloudFlare reverted the changes made to the customer's account and manually reviewed all other password reset requests and DNS changes. No other CloudFlare.com accounts were accessed or altered. To prevent further attacks, Prince removed his personal email address from any association with CloudFlare and added two-factor authentication to his personal Gmail account. He also recommends that users of Gmail or Google Apps take the following steps: add two-factor authentication to their account, ensure their password is strong and not used on other services, and change any password recovery email to an account that cannot be easily guessed by a determined hacker. Google has since fixed the vulnerability that allowed the hacker to access Prince's personal Gmail account; it involved a breach of AT&T's systems that compromised the out-of-band verification. The FBI arrested most, if not all, of the individuals involved in the attack on June 26, 2012.
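The weak link in the chain above was a two-factor-protected account whose password-reset messages were delivered to a personal account with no second factor. The following is an added example, not code from the Cloudflare post or from Cloudflare: it audits a set of accounts by following each administrative account's recovery links and flags any downstream account that lacks 2FA or reuses a password. The account names, the `Account` structure and the data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Account:
    """One login and where its password-reset messages are delivered."""
    two_factor: bool            # 2FA enabled on this account
    unique_password: bool       # password not reused on other services
    recovery: Optional[str]     # account receiving reset links, or None
    is_admin: bool = False      # administers other accounts (e.g. Google Apps)

def recovery_chain(accounts: Dict[str, Account], start: str) -> List[str]:
    """Follow reset-delivery links from start until they end or loop."""
    chain: List[str] = []
    cur: Optional[str] = start
    while cur is not None and cur not in chain:   # stop on a cycle
        chain.append(cur)
        cur = accounts[cur].recovery
    return chain

def audit(accounts: Dict[str, Account]) -> List[Tuple[str, str, str]]:
    """Report each recovery account weaker than the admin account it can reset."""
    findings: List[Tuple[str, str, str]] = []
    for name, acct in accounts.items():
        if not acct.is_admin:
            continue
        for link in recovery_chain(accounts, name)[1:]:
            reasons = []
            if not accounts[link].two_factor:
                reasons.append("no 2FA")
            if not accounts[link].unique_password:
                reasons.append("reused password")
            if reasons:
                findings.append((name, link, ", ".join(reasons)))
    return findings

# Constructed data shaped like the incident: a 2FA-protected admin account whose
# reset messages go to a personal account that has no 2FA (the pivot point).
BEFORE = {
    "admin@company.example": Account(True, True, "admin.personal@mail.example", is_admin=True),
    "admin.personal@mail.example": Account(False, True, None),
}
# Same accounts after the post's advice is applied: 2FA on the personal account.
AFTER = {
    "admin@company.example": Account(True, True, "admin.personal@mail.example", is_admin=True),
    "admin.personal@mail.example": Account(True, True, None),
}

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER))
```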

Company
Cloudflare

Date published
June 1, 2012

Author(s)
Matthew Prince

Word count
1617

Language
English

Hacker News points
1


By Matt Makai. 2021-2024.