
I found in my Google admin logs that someone from outside my organization is trying to log in frequently by testing all our user accounts against weak passwords. I'm wondering how that could happen.

How did he manage to get the correct list of all our users' accounts? How can he attack Google servers and verify our accounts only? Is it our domain problem? It doesn't make sense to me; the attacker didn't even log in to any of the users' computers or take any passwords. Can anyone explain what is going on?

schroeder
Dreamer64
  • Try this test: attempt to log into an account that does not exist. Did the non-existent account show up in the logs? If not, then you are jumping to the wrong conclusions about "knowing the right account names". – schroeder Jun 03 '22 at 10:17
  • @schroeder I did, it's not showing, as you have said, but still I didn't understand how my admin log shows real accounts trying to log in and out. Add to that, last night he found an administrator temp account, then spent too much time and got the password and started to change other users' passwords! – Dreamer64 Jun 04 '22 at 06:37
  • 5 sec between each login, 2 min for admin accounts; it's like a script just crawling through all our accounts trying to find admins and gain privileges – Dreamer64 Jun 04 '22 at 06:39
  • So your entire question is based on a false premise. They do not know the names of the correct accounts. They are trying random accounts and sometimes getting it right. This defeats most of your question. How can they try multiple accounts? As you say, they have a script. Anything exposed to the internet is subject to people trying to log in. – schroeder Jun 04 '22 at 14:29
  • I’m voting to close this question because it is based on a false premise. This is just a plain ol' brute force attack on internet-facing services. – schroeder Jun 04 '22 at 14:30
  • Maybe you need to read the question again. I can see in my admin log the attacker is reading my accounts one by one in proper sequence, group by group, starting from the beginning to the end in perfect order. This is what I need to know, and I believe it's the same as my question, if I'm not wrong – Dreamer64 Jun 05 '22 at 17:07
  • But you are not able to tell if there were accounts tested that do not exist. So if they were trying every possible human name in alphabetical order, then it would appear to be every "live" account in order ... – schroeder Jun 05 '22 at 17:09
  • As for "how could they do that???", if they have a valid list, how on earth are we supposed to know how they got the list? – schroeder Jun 05 '22 at 17:10
  • How can he get the proper list and groups! And it's listed in my admin log, all of them. I don't care about the attempts to log in; I'm asking how he knew or got that list, all of them, because I don't believe that he took it from anywhere within our organization at all! – Dreamer64 Jun 05 '22 at 17:13
  • @schroeder this is why I'm asking – Dreamer64 Jun 05 '22 at 17:13
  • Then you are either not explaining all the details, or the answer is **shrug** - how could we know how they got the entire list? – schroeder Jun 05 '22 at 17:14

1 Answer


Most likely the hacker does not know which accounts are valid. They are either using a dictionary, have purchased an email list or, if they are professionals, have created their own list.

Based upon the details in your question, we can only guess.

Tip: It is very easy to build a list of accounts and is not as hard as you think. One solution is to implement MFA on all accounts. If you have had a data breach, you will need professional help.

John Hanley
  • MFA is already enabled, but he is still trying and I'm still seeing attempts in my log. As for a breach, no, only attempts to log in, most of them failing – Dreamer64 Jun 04 '22 at 05:28
  • For the professional help part, we have contacted local authorities and Google itself without any use; it's like we are on our own now :) (because it's only attempts but no real breach). I don't want to wait till a real breach to start going and lose my data!!! – Dreamer64 Jun 04 '22 at 06:15
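
Added example, not part of the original thread: one way to check an exported login audit log for the pattern described in the comments above, a single source failing against many accounts at a steady interval and then succeeding on one. The tuple layout, IP addresses, account names and thresholds are constructed assumptions, not Google's export format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: (timestamp, source IP, target account, outcome).
# This layout is an assumption for illustration, not Google's export format.
EVENTS = [
    ("2022-06-04T01:00:00", "203.0.113.7", "alice@example.com", "failure"),
    ("2022-06-04T01:00:05", "203.0.113.7", "bob@example.com", "failure"),
    ("2022-06-04T01:00:10", "203.0.113.7", "carol@example.com", "failure"),
    ("2022-06-04T01:00:15", "203.0.113.7", "dave@example.com", "failure"),
    ("2022-06-04T01:02:15", "203.0.113.7", "admin-temp@example.com", "failure"),
    ("2022-06-04T01:04:15", "203.0.113.7", "admin-temp@example.com", "failure"),
    ("2022-06-04T01:06:15", "203.0.113.7", "admin-temp@example.com", "success"),
    ("2022-06-04T09:00:00", "198.51.100.20", "erin@example.com", "failure"),
    ("2022-06-04T09:00:20", "198.51.100.20", "erin@example.com", "success"),
]

def find_scripted_sources(events, min_accounts=4, tolerance_s=1.0, min_regular=0.5):
    """Return sources whose failed logins span many accounts at a steady pace."""
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), account, outcome))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failed = [r for r in rows if r[2] == "failure"]
        targets = {account for _, account, _ in failed}
        if len(targets) < min_accounts:
            continue  # a user mistyping their own password stays below this
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(failed, failed[1:])]
        typical = median(gaps)
        regular = sum(abs(g - typical) <= tolerance_s for g in gaps) / len(gaps)
        if regular < min_regular:
            continue  # irregular timing looks less like a script
        # A success from the same source, on an account it also failed on,
        # is a likely guessed password and needs a reset and session review.
        guessed = sorted({a for _, a, o in rows if o == "success" and a in targets})
        findings[ip] = {"accounts_tried": sorted(targets),
                        "typical_gap_s": typical,
                        "likely_guessed": guessed}
    return findings

if __name__ == "__main__":
    for ip, info in find_scripted_sources(EVENTS).items():
        print(ip, info)
```
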