Sunday, July 6, 2014

The Pitfalls & Virtues of Google Apps

If you've ever hosted a domain name with Google Apps, keep in mind that a hacker has a good chance of accessing your e-mail long after your domain's expired since Google stores your e-mail indefinitely if it's a free Google Apps account. This worked to my benefit, tonight, but it badly stung Twitter about five years ago: The Anatomy Of The Twitter Attack

My Story

2.5 year e-mail gap
Two and a half years ago I let a domain name expire that was hosted on Google Apps. It was a domain I no longer needed. But I had forgotten that this domain was tied to a four-letter Twitter account that I occasionally used which receives a lot of inquiries – mostly from people asking me to transfer this account to them.

When my Keychain became corrupted, several months ago, Twitter would not let me log in to this Twitter account without confirming my e-mail address. Obviously, I couldn't receive e-mail since I no longer owned the domain name. The problem was, over the years, I've owned a lot of domain names and I had no idea which e-mail address was tied to this Twitter account. When I tried to reset this Twitter account on the twitter.com website I was told that an e-mail had been sent to my e-mail address on file. That was of no help since I didn't know which defunct e-mail address the confirmation was sent to.

Tonight, on a whim, I tried to reset my password for this Twitter account with the iOS app instead of their website. Lo and behold, the app reported that a confirmation e-mail was sent to a slightly redacted e-mail address (it looked something like this: jo***@ex***.** – let's pretend that my expired domain name was example.com). It was just enough of a hint to point me in the right direction. I visited https://www.google.com/a/example.com and logged in. When I checked my Gmail account I could see that the last e-mail received was in 2012 – which was when I let this domain name lapse. A quick visit to GoDaddy and $9.17 later I re-owned the domain name I once had a couple of years ago. With the new domain name in hand I updated the MX records with the info for Google's mail servers and I received my confirmation e-mail immediately. The entire process took about 30 minutes.

Yes, it's very handy that Google keeps my e-mail forever, but it can be very dangerous too.
