Who is behind that Gmail account?

Who is behind that Gmail account?

Researchers have identified numerous methods to recover the names behind GMail accounts and it seems that more are uncovered every day.


Who is the real identity behind that Gmail account? While finding out may not be as easy as knowing who is behind (Homer Simpson, for the curious), it apparently isn't much harder.

Yahoo might have recently attracted attention for the public compromise of one of US Vice Presidential nominee Sarah Palin's accounts, but there are people looking at all providers for weaknesses in account creation (spammers), account recovery (hackers), or other account management functions, such as the identity behind the address.

There are varying levels of success in each area, with many security people who pay attention to the latest developments in CAPTCHA-breaking believing that the major webmail providers have been compromised to a level where it is viable for automated spamming.

In the area of account recovery, anyone who watches the Full Disclosure mailing list will note from time to time claims of malfeasance from various unheard-of groups who claim to have the full webmail mail file of one or more security identities. The Sarah Palin case has publicly demonstrated for everyone else the many problems that can be associated with not selecting secure enough security questions (and the problem of determining what is secure in the first place).

There isn't as much focus on finding the identity behind a random webmail account, but Google apparently seems to have several (unintentional) methods to recover the registered first and last names associated with an account. In a demonstration of why it is always polite to acknowledge security issues, Google was previously notified of a similar issue, by the same researcher, but they silently fixed it . Not happy with the approach taken last time, the researcher publicly disclosed enough of their rediscovered issue for many who had discovered equivalent problems to come forward with their own examples.

Information that can be recovered is only as good as the information that was originally supplied, but who really signs up to a webmail provider with a fake name? If you were already taking steps to blur your online identity, then it probably isn't going to work against you. Rather, it is the majority of users, who take no real effort to hide their identity when using online services, who can have their details rapidly recovered.

With spammers who have managed to automatically create a number of spam accounts, this allows them to send highly personalised spam to their targets and improve the chances of having it slip past the Gmail filters. Spear phishers might already know who owns an account, but this might help gain leverage on co-workers or add extra legitimacy by identifying others who the target would already know about but who the phisher wouldn't directly know.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Gmail

Show Comments