Why “Free” Isn’t Always a Good Thing

It's been over 3 years since we launched inboxkitten as a free service that lets users quickly and easily automate and test website flows that require an email inbox (aka signups).

It's also a handy service you can use to "sign up" for random things, download that PDF and/or coupon code, and not get spam in your real inbox.

And in the past 3 years, we've been overwhelmed by the popularity of the platform; it is the most popular site we maintain (by user visits).

However, sadly, as with anything that gets popular on the internet, people will find ways to abuse it and harm others. This PSA is about that.


How is inboxkitten being used to hack Google accounts?

Over the past 3 months, we've been getting a significant number of reports from victims whose Gmail account has been hacked and is now being routed to inboxkitten.com.

In general this happens to accounts whose email and password have already been compromised, either through the victim's devices being compromised and/or their password being leaked. Typically, for this to work, the victim does not have an OTP configured on their mobile phone, or, in worse cases, signed up using an inboxkitten address.

PS: You can check https://haveibeenpwned.com/ to see if your email/password combination has potentially been leaked in one of many known "database breaches".

Also, if it's not obvious: given the very public nature of inboxkitten, anything sent to it should be considered "compromised". Do not use it for anything serious or personal. Use it for testing and not-so-important junk mail.

The attackers then start making recovery as difficult as possible: changing the user's existing email to an inboxkitten address and deleting the old email address, along with other changes, abusing inboxkitten's public email service to do so anonymously.

To be clear, inboxkitten is not being used to compromise the account directly, but as a means to make the account harder to recover, to the point where it is nearly impossible for many users.

How account recovery options are quickly being removed

Because we keep zero logs on our side of the platform, it is impossible for us to properly assess the impact (beyond user reports). However, we have decided to stop allowing our platform to be used in such attacks, and have taken measures to block "[email protected]", along with adding advisory notices on the site regarding this issue.

Realistically, however, for the most part this just forces the hacker to use "another disposable email service" and does not change the original problem (the account was hacked). It would merely slow them down slightly.


Oh crap. I've already been hacked, how do I fix this?

Unfortunately, for the most part it's a race against time. My recommendation is to get your account associated with your phone as fast as possible if you notice this happening in real time. Go to https://myaccount.google.com/device-activity and revoke any other devices, especially those that look suspicious.

Start reaching out to Google support; it's an incredibly hard and long process, so start early. If you or a family member is using the paid Google One, use that channel to get in touch with their support team (it gets a much faster response).

Record as many details regarding your account as you can, such as the devices you were logged in on, the email and identifier settings, the date and time of the hack, and the last few physical devices you were logged into (their model, etc.).

The more information you can gather, the higher your chances of proving account ownership and recovering it.

Ultimately, recovery can only be done by Google. If a Google employee requires you to prove that the change to inboxkitten was made by a hacker, provide this article as a reference (part of the reason I wrote it).

What can I do to protect my Google account?

Please set up 2FA with your mobile devices for all your Google accounts.

https://www.google.com/landing/2step/


What can Google do to help?

  1. Changes of email address should be time-gated. One should not be able to set up a recovery/alternative email and delete the original Gmail address in under 5 minutes. Any change in major email/identifier settings should lock further changes for the next 24/48 hours.

  2. Blacklist inboxkitten.com as a recovery email option, checking against an existing list of "disposable mail" services such as https://www.validator.pizza/

  3. Consider adding humans, or at least a dedicated support channel, for people affected by such attacks. Currently most affected users are extremely confused about what should be done in such an attack, to the point that they resort to randomly contacting a stranger on the internet for advice and solutions.

Listing these down on the off-chance a Google employee in a position to make such changes reads this (fingers crossed).
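As an added illustration of points 1 and 2 above (example code, not inboxkitten's or Google's): a hypothetical identifier-change policy that rejects recovery addresses whose domain is on a disposable-mail denylist and locks all further identifier changes for 24 hours after any accepted change, so the "swap recovery email, then delete the original within minutes" sequence described in this post fails at the second step. The denylist, account model and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed denylist standing in for a maintained disposable-mail list such
# as the one behind validator.pizza; not the real list.
DISPOSABLE_DOMAINS = {"inboxkitten.com", "throwaway.example"}
LOCK_WINDOW = timedelta(hours=24)  # point 1 above suggests 24/48 hours

@dataclass
class AccountIdentity:  # hypothetical identifier settings, not Google's model
    recovery_emails: List[str]
    last_identifier_change: Optional[datetime] = None

def is_disposable(address: str) -> bool:
    """True if the address's domain is on the disposable-mail denylist."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain in DISPOSABLE_DOMAINS

def _locked(acct: AccountIdentity, now: datetime) -> bool:
    # Every accepted change re-arms the lock until LOCK_WINDOW has fully elapsed.
    return acct.last_identifier_change is not None and now - acct.last_identifier_change < LOCK_WINDOW

def add_recovery_email(acct: AccountIdentity, address: str, now: datetime) -> Tuple[bool, str]:
    if is_disposable(address):
        return False, "rejected: disposable-mail domain"
    if _locked(acct, now):
        return False, "rejected: identifier settings locked"
    acct.recovery_emails.append(address)
    acct.last_identifier_change = now
    return True, "added"

def remove_recovery_email(acct: AccountIdentity, address: str, now: datetime) -> Tuple[bool, str]:
    if _locked(acct, now):
        return False, "rejected: identifier settings locked"
    acct.recovery_emails.remove(address)  # raises ValueError if the address is unknown
    acct.last_identifier_change = now
    return True, "removed"

def simulate_takeover_sequence() -> List[str]:
    """The post's pattern: add a new recovery address, then delete the owner's original."""
    t0 = datetime(2024, 1, 1, 12, 0)
    acct = AccountIdentity(recovery_emails=["owner@example.org"])  # constructed
    return [
        add_recovery_email(acct, "abc@inboxkitten.com", t0)[1],                         # denylisted
        add_recovery_email(acct, "new@other.example", t0)[1],                            # first change is allowed
        remove_recovery_email(acct, "owner@example.org", t0 + timedelta(minutes=3))[1],  # inside lock window
        remove_recovery_email(acct, "owner@example.org", t0 + timedelta(hours=25))[1],   # window has elapsed
    ]
```

The same lock applies to any identifier change, so even a legitimate second change has to wait; the trade-off is that the owner keeps a full day to notice and react before the original recovery option disappears.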