
While on holiday in France in May I received an email from Google "New sign-in".

Your Google Account was just used to sign in:

Nairobi, Kenya. Tuesday, 26 May 2015 22:10 (East Africa Time).

I hastily changed my password. I've never been to Kenya.

My question is: How did this happen? I believe I practised good security:

  1. My password was long—four words similar to smoke daily us sitting (I chose this password in 2014, upgrading from something similar to m0zzarella).
  2. I never used this password for anything else.
  3. I used two-factor authentication to receive codes by SMS (no smartphone, so no authenticator app).
  4. I created an app-specific password for my phone's email app (Nokia S40 phone).

Why didn't two-factor authentication stop the hacker? Here's what I did on holiday:

  1. Checked my email
  2. Used a web browser on my phone to log in to a Google website.

I can't remember which web browser I used. I had both Nokia Xpress (default browser) and Opera Mini. (Since then a software upgrade replaced the default browser with a version of Opera Mini). I know both of these work by 'sending the data via their servers'.

Is it possible a password or SMS was intercepted? All this happened while I was on holiday and using a foreign phone network. Has this happened to anyone else?


It's a shame Google didn't prevent the sign-in. Previously on another account Google contacted me "Suspicious sign-in prevented" when someone tried to log in from China.

Anders
Colonel Panic
    Is it possible you were phished? 2FA is not necessarily immune to phishing. – thexacre Nov 01 '15 at 22:55
  • It is important to check which IP address you have. Several factors have to be considered. Which dynamic IP is assigned. Whether a proxy is used, this can be conscious or unconscious. Therefore, I check my IP fairly regularly on [ip-info.org](https://ip-info.org/?language=en) If I use TOR for example, then I see with [ip-info.org](https://ip-info.org/?language=en), whether or not TOR really works. –  Oct 26 '16 at 03:25

2 Answers


Your password was not stolen. As you pointed out, Opera Mini uses proxy servers. Per the link provided in thexacre's answer, Google incorrectly identifies the servers as being in Nairobi, Kenya:

When you use Opera Mini, you're connected to Opera servers, which download websites you want, compress and transform them, and at the end they are sent to your phone. So the idea is similar to proxy servers. IP address on the screenshot you attached is in fact one of Opera Mini servers, so you shouldn't be worried. I don't know why it's detected as Kenya, you'd better ask Google.

So everything was fine except for Google's IP geolocation.

Neil Smithline
    Tested Opera Mini. IP is `141.0.12.164`. Google reports it Nairobi, Kenya. http://en.utrace.de/ip-address/141.0.12.164 reports it as Opera Mini servers, Norway http://en.utrace.de/whois/141.0.12.164 – Colonel Panic Nov 02 '15 at 01:01
    It is very unlikely it would give you the same IP if you're in a different country and it might not give you the same IP if you are. – Neil Smithline Nov 02 '15 at 01:05
    Read that thread. There are proxy servers in several places in the US and Holland mentioned in it. Presumably you get connected to the fastest server based on your location and network. – Neil Smithline Nov 02 '15 at 01:06
    There has been some buying and selling of IPv4 addresses as we start to run low. It seems pretty likely that a place like Kenya might have excess and could sell them to somewhere else that wants them for a nice sum of money. – dave Nov 02 '15 at 05:43
    The location detection stuff is pretty unreliable. Ferinstance: YouTube thinks that my solidly USA IP is actually in Canada, so I always end up at "YouTube CA"... – Brian Knoblauch Nov 02 '15 at 15:31
  • Why the quotation markup in this answer? – Mindwin Nov 03 '15 at 19:36
  • It's a quote from the link? – Neil Smithline Nov 03 '15 at 19:43

Seeing as you're using Opera Mini this is a likely explanation:

Unlike straightforward web browsers, Opera Mini fetches all content through a proxy server and reformats web pages into a format more suitable for small screens.

https://en.wikipedia.org/wiki/Opera_Mini

Of course it's difficult to be certain, and 2FA is still vulnerable to certain attack vectors such as phishing.

It seems others have noticed the same thing.

If you have the IP address used I'd probably Google it and also look it up in a GeoIP database to see if it's assigned to any organisation (eg. Opera).

You might also like to consider creating a new app specific password just to be safe, seeing as app specific passwords are a significant threat if compromised.

thexacre
  • Yup, Opera Mini was the first thing that came to mind when I was reading the OP's question. Opera Mini would be the SSL endpoint if you were browsing an HTTPS website - I have no idea if data transmitted between the phone and Opera Mini's rendering servers is encrypted. – Nathan Osman Nov 02 '15 at 05:31
  • If anything was sniffed it is likely to be the application specific password that avoids 2FA. I would regenerate that to be sure. – JamesRyan Nov 02 '15 at 13:23
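A small triage helper in the spirit of both answers: decide on the alert's IP address (membership in networks you know you route through, such as Opera Mini's proxies) rather than on the city Google's geolocation prints. This is added example code, not anything from the thread; the sample alert with its `IP:` line and the 141.0.12.0/24 range (built around the single address quoted in the comments) are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Networks the account owner knows their traffic legitimately leaves from.
# The /24 is an ASSUMPTION built around 141.0.12.164, the Opera Mini address
# quoted in the comments above; take real ranges from a whois lookup instead.
KNOWN_EGRESS = {
    "Opera Mini proxy (assumed /24)": ipaddress.ip_network("141.0.12.0/24"),
}

# Matches the "City, Country. <date> ... IP: a.b.c.d" shape of the constructed
# alert below (Google's real mail wording may differ).
ALERT_RE = re.compile(
    r"(?P<city>[^,\n]+), (?P<country>[^.\n]+)\..*?IP:\s*(?P<ip>[0-9a-fA-F.:]+)",
    re.S,
)

@dataclass
class Verdict:
    ip: str
    reported_location: str
    matched_network: Optional[str]
    action: str

def triage_alert(alert_text: str) -> Verdict:
    """Classify a 'new sign-in' alert: geolocation is only a hint, the IP is
    the evidence, so the decision keys on address membership, not on city."""
    m = ALERT_RE.search(alert_text)
    if not m:
        return Verdict("?", "?", None, "unparseable alert: inspect manually")
    loc = f"{m['city'].strip()}, {m['country'].strip()}"
    try:
        addr = ipaddress.ip_address(m["ip"])
    except ValueError:
        return Verdict(m["ip"], loc, None, "malformed IP: inspect manually")
    for name, net in KNOWN_EGRESS.items():
        if addr in net:
            return Verdict(str(addr), loc, name,
                           "expected: known proxy, geolocation mislabelled")
    return Verdict(str(addr), loc, None,
                   "investigate: change password and revoke app passwords")

# Constructed sample, modelled on the alert quoted in the question.
SAMPLE_ALERT = """Your Google Account was just used to sign in:

Nairobi, Kenya. Tuesday, 26 May 2015 22:10 (East Africa Time).
IP: 141.0.12.164
"""

if __name__ == "__main__":
    print(triage_alert(SAMPLE_ALERT))
```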