Just before Christmas I received the following message in one of my Gmail accounts:
Sign-in attempt was blocked
********@gmail.com [redacted by me]
Someone just used your password to try to sign into your account. Google blocked them, but you should check what happened.
I signed into that account and looked at the activity (not by clicking the link in the message, of course) and indeed there was a sign-in attempt blocked from the Philippines.
I gather this means that an attacker entered the correct user name and password for my account, but was likely blocked because they couldn’t pass the MFA challenge. Or maybe Google’s fraud detection is actually decent and it knows I’ve never been to the Philippines? Either way, I immediately changed the password and (as far as I know) the attacker didn’t gain control of the account.
However, in the 2 weeks since then, I have received several email verification requests from various online services that I never signed up for — Spotify, OKCupid, a Nissan dealership in Pennsylvania (that one’s interesting), and a few others I’ve never heard of before. Someone out there is actively using my Gmail address to enroll for these services.
The account in question is not my main account, and while the password on it was admittedly weak, it was also unique (I never used it on anything else). I changed it to a password that’s much stronger now.
Should I be concerned about this?
Also, if the attacker didn’t gain control of the account, why use it to enroll in all these services?