We prevented a sign-in attempt

Last weekend, almost exactly between April Fools’ Day and Halloween, Google played a prank and scared us!

If you have used Gmail on different devices, you probably know the kind of message you get when you log in from a different device. Additionally, you might be presented with a security question if Google doesn’t trust it. This is actually a really cool feature because it ‘sort of’ acts like 2FA¹: if you log in with your credentials (to know) but with a device (to have) that Google doesn’t recognize then you cannot just proceed².

I had actually never tried myself what happens if you fail the security question, but last weekend, someone or something did that for us. For personal usage we have some Gmail accounts that we mainly use in combination with other online services and that we have linked under one account: so, one Gmail account retrieving another. On the main account we suddenly received an alert from Google: “We prevented a sign-in attempt“. Someone had made a login attempt, using the correct password, but failing the additional security question. This was scary! Because we were 100% sure we had not tried to log in ourselves.

While we quickly generated a new random password to replace the old one, our minds were trying to figure out “How is this possible?”
We like to practice what we preach, so we never reuse passwords – which means the password for the Gmail account could not have leaked through another website. Could that mean that one of our computers got compromised? We use a very secure password manager and although that doesn’t mean it’s 100% secure end to end, it didn’t seem very likely because we almost never have to enter the password. And it also didn’t seem very likely that Google had somehow leaked the password.

So, first things first: we reviewed the warning again. It said the request was done by an ‘unknown device’ (see header pic) – which sounded like it could have been machine to machine. We went through the list of online services we use but quickly concluded that we don’t have any services connecting to our Gmail account.

The next step was to see what we could find out about this IP from the United States and this is what we found out:

Source: ip2location.net

Source: ipinfo.io

Source: db-ip

And there we found the answer: Google had been trying to log in!
Our best guess is that this was probably the ‘parent’ Gmail account checking for mail to retrieve and in doing so, something had obviously gone wrong. (other scenarios are possible, but much less likely)
Kinda funny when you think about it – but it did give us a scare!

¹ 2FA stands for Two Factor Authentication. A traditional login only requires you to enter a password – something you know. 2FA introduces a second step – usually something you have. An example of this is sending an sms with a code to a mobile phone number you own

² Even in this case, proceeding requires again a ‘to know’ factor, so that’s why it’s not truly 2FA