google 2 factor

In a week marred by several big password leaks from big names such as LinkedIn and Myspace (old, but still big for its day) at least one savvy Google account holder caught on to a rather clever attempts at defeating Google’s 2 factor authentication.

If users have enabled 2-factor authentication, after passing the username and password security challenge, users are brought to another security screen asking for a two-factor code. Two-factor codes can be generated via specialised apps or sent to you via texts, as well as some other methods. If the user has selected a text messages as a way of getting the required code, then they could be vulnerable to this attack.

As seen in the above tweet, hackers are preemptively sending users a text message telling them of a hack attempt that has been made against their Google account. Users are then prompted to send back (to the hackers) the GENUINE authentication code when they receive from a different number, under the guise of “locking your account”. Please let us make this clear; the ONLY place you should disclose your two-factor code is into a Google login page; you should never be sending it via SMS to anyone, not even someone pretending to be Google.

Any users who do fall for this trick and send their 6 digit two-factor code to the hackers will find their Google Account could well be compromised.

If you have received such a SMS, you should probably log into your Google account and go change your passwords; to get to this stage, the hackers will likely already have your existing username and password, but can’t do too much damage without this two-factor code. We are in the middle of writing a larger post, outlining the basics of web password encryption, passwords, and good practices so keep an eye out for that in the next few days.

In the meantime, tell everyone you know this is fake, because people are falling this. This is one of those pay it forward situations, they sky isn’t falling in but warn your friends and family. While we aren’t aware of any attempts being made on Australian accounts, the digital world is not restricted by geography. Please be careful.

    Inline Feedbacks
    View all comments
    Robert Barkoski

    Excellent article, thank you.

    Chad Russell

    How are they getting the cell number to send the fake alert to in the first place?


    Some people share their contact details on their profile pages or they’re listed in the white pages.


    Or from other database hack/ leaks. Each leak creates a bigger and bigger pool of data.


    Very clever attempt.

    Reuben Fergusson

    Im surprised people still fall for these feeble attempts at stealing passwords or codes.