The big headline regarding the Google Gmail phishing hacks is that they emanated from China and targeted, among others, senior U.S. government officials, military personnel and Chinese human rights activists.
Inarguably not good, especially if the phishers were working on behalf of the Chinese government, though Beijing officials have strongly denied any role.
What should be especially disturbing to anyone concerned with online security, however, is that this "spear phishing" operation went on for more than a year. Which means some victims unknowingly could have had their emails forwarded and monitored the entire time.
You'd think that at some point, say, more than a year ago, Google would have been notified about the coordinated phishing attacks by some suspecting victim and publicized it. Yet we're just learning about it this week.
I take that back. We're learning about it just this week from Google. Security researcher Mila Parkour wrote about the hacking campaign in her Contagio blog on Feb. 17.
Parkour described the Gmail breach as "persistent and bold," and one can assume she made sure Google knew about the security breach back when she discovered it nearly four months ago.
Yet in an incredibly self-serving blog post announcing the breach on Wednesday, Google's security team essentially takes full credit for exposing the Gmail hacks in what it pretends is a timely fashion:
Through the strength of our cloud-based security and abuse detection systems*, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. ...Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities.
You saved us again, Google! How can we ever repay you?
By the way, that barely noticeable asterisk in the first quoted sentence of Google's blog post is as far as the search giant goes toward crediting Parkour for uncovering the Gmail breach. It leads to a sentence at the bottom of the post that reads: "We also relied on user reports and this external report to uncover the campaign described."
Way to spread the love, Google.
Spear phishing, of course, is all about tricking the account holder into revealing log-in information, so Google is correct in asserting that "our internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself."
But letting months go by before publicizing the attack is unfair to millions of Gmail users. And then to have a spokesman say, "We think users should be aware of the disturbing campaign we've uncovered to collect user passwords and monitor user email," is just hypocritical nonsense.
Google owes Gmail users more than belated admissions and explanations. It owes them an apology.
Which may be in the Gmail. But don't count on it.