Something is not right in the land of Gmail.
Numerous account holders woke up Sunday morning to discover a raft of spam emails sitting in their sent folders, and that even after changing their passwords the emails kept going out. At least some of these people, including a Mashable editor, had two-factor authentication enabled on their accounts.
"My email account has sent out 3 spam emails in the past hour to a list of about 10 addresses that I don’t recongnize," read an April 21 post to a Google Help Forum. "I changed my password immediately after the first one, but then it happened again 2 more times."
As to the email going out? It's vey much the definition of spam.
"The subject of the emails is weight loss and growth supplements for men advertisements," read the same Google Help Forum post. "I have reported them as spam. Please help, what else can I do to ensure my account isn’t compromised??"
Many people replied to the post saying the same thing was happening to them.
"[My] account is totaly secure with 2 factor authetication and the sent by telus.com messages are still being sent," read one such reply. "[Fix] your shit google."
So what's going on here? A Google spokesperson admitted that the issue relates to a "spam campaign impacting a small subset of Gmail users" in a statement given to Mashable. You can read the full statement right here:
We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder. We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam. More information on how to report spam can be found by visiting our Help Center.
Prior to our receipt of the statement, Google employee Seth Vargo tweeted in reply to one such complaint that the company's "engineering teams are aware of this and are working on a resolution :)"
This Tweet is currently unavailable. It might be loading or has been removed.
One thing the sent spam emails seem to have in common, other than the fact that they're all garbage, is that many appear to be sent "via telus.com." TELUS is a Canadian telecommunications company, and it's not clear what role it plays in this mess.
When reached for comment, a TELUS spokesperson provided the following statement.
We have identified spam emails being circulated that are disguised to appear as if they are coming from http://telus.com . We are aware of the issue and can confirm the messages are not being generated by TELUS, nor are they being sent from our server. We are working with our 3rd party vendors to resolve the issue, and are advising our customers not to respond to any suspicious emails.
Regardless of just what exactly is going on, however, one thing is undeniably clear: This is a mess, and Google needs to fix it. Quickly.
UPDATED April 22, 2018, 2:42 p.m. ET with Google's statement.
UPDATED April 22, 2018, 4:11 p.m. ET with TELUS's statement.
Topics Cybersecurity Google
