PSA: After 3 good years - Inboxkitten will be blocking "no-reply@google"

By Eugene Cheah | November 16, 2021

Why “Free” Isn’t Always a Good Thing

It's been over 3 years since we launched Inboxkitten - as a free service to let users quickly and easily automate and test their website flows that require an email inbox (aka signups).

It's also a nice cool service, you can use it to randomly "signup" for things, to download that random PDF and/or coupon code, and not get spam in your email.

And in the past 3 years, we have been overwhelmed by the popularity of the platform; it is now the most popular site we maintain (by user visits).

However, sadly as with anything that gets popular on the internet - people will find ways to abuse it and harm others. This PSA is about that.

How is Inboxkitten being used to hack google accounts?

Over the past 3 months, we have been getting significant reports from victims, whose Gmail account has been hacked, and is now being routed to inboxkitten.com

In general, this happens to accounts whose email and password have already been compromised, either through a compromised device and/or a leaked password. Typically, for this to work, the victim does not have an OTP configured on their mobile phone, or, in worse cases, signed up using an Inboxkitten address.

PS: You can check https://haveibeenpwned.com/ to see if your email/password combination has potentially been leaked in one of many known "database breaches".

Also if it's not obvious, given the very public nature of Inboxkitten: anything sent to it, should be considered as "compromised". Do not use this for anything serious, or personal. Use it for testing, and not-so-important junk mail.

The attackers would then make recovery as difficult as possible: changing the user's existing email to an Inboxkitten address, deleting the old email address, and making other changes, abusing Inboxkitten's public email service to do all of this anonymously.

To be clear Inboxkitten is not being used directly to compromise the account, but as a means to make it harder to recover the account. To the point where it's nearly impossible for many users.

Because we keep 0 logs on our side of the platform, it is impossible for us to make a proper assessment of the impact (besides user reporting). However, we decided to stop allowing the usage of our platform in such attacks, and have taken the measures to block "no-reply@google", along with adding advisory notices on the site regarding this issue.
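As an added example (not Inboxkitten's own code), this is how a disposable-inbox service can drop account-notification mail from a blocked sender before it reaches a public inbox. The block rule is an assumption modelled on the post, which only names "no-reply@google": here it is the `no-reply` local part at `google.com` or any of its subdomains. The sample messages are constructed, not real mail.

```python
# Added example (not Inboxkitten's own code): reject inbound mail whose
# From address is a blocked account-notification sender.
# Assumption: the blocked sender is the "no-reply" local part at google.com
# and its subdomains; the post itself only names "no-reply@google".
from email import message_from_string
from email.utils import parseaddr

BLOCKED_LOCAL_PART = "no-reply"            # assumed
BLOCKED_DOMAIN_SUFFIXES = ("google.com",)  # assumed


def sender_address(raw_message: str) -> str:
    """Return the bare address from the From header, lower-cased.

    The display name is deliberately ignored: '"Google" <x@example.net>'
    must not be blocked, and a matching address is blocked whatever its
    display name says.
    """
    msg = message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def is_blocked_sender(addr: str) -> bool:
    """True if addr is the blocked local part at a blocked domain or subdomain."""
    if "@" not in addr:
        return False
    local, domain = addr.rsplit("@", 1)
    if local != BLOCKED_LOCAL_PART:
        return False
    # exact match or a real subdomain; a look-alike such as
    # google.com.example.net does not match either test
    return any(domain == suffix or domain.endswith("." + suffix)
               for suffix in BLOCKED_DOMAIN_SUFFIXES)


def route_message(raw_message: str) -> str:
    """Routing decision for one raw message: "reject" or "deliver"."""
    return "reject" if is_blocked_sender(sender_address(raw_message)) else "deliver"


# Constructed sample messages (not real mail).
SAMPLES = {
    # an account-settings notification from the blocked sender: rejected
    "account_notice": (
        "From: Google <no-reply@accounts.google.com>\n"
        "To: kitten123@inboxkitten.com\n"
        "Subject: Recovery email changed\n\n"
        "Your recovery email was changed.\n"
    ),
    # a display name imitating Google on an unrelated address: delivered
    "spoofed_name": (
        "From: \"Google Accounts\" <promo@example.net>\n"
        "To: kitten123@inboxkitten.com\n"
        "Subject: Coupon inside\n\nHello\n"
    ),
    # a look-alike domain that merely starts with the blocked suffix: delivered
    "lookalike": (
        "From: no-reply@google.com.example.net\n"
        "To: kitten123@inboxkitten.com\n"
        "Subject: Hi\n\nHello\n"
    ),
    # no From header at all: delivered (nothing to match on)
    "no_from": "To: kitten123@inboxkitten.com\nSubject: Hi\n\nHello\n",
}


def route_all() -> dict:
    """Routing decision for every constructed sample, keyed by sample name."""
    return {name: route_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in route_all().items():
        print(f"{name:15s} -> {decision}")
```

Matching on the parsed address rather than on the raw header string is the point worth keeping: a substring test on the header would block a harmless display name and could be evaded by a look-alike domain.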

Realistically, however, this would for the most part just force the hacker to use "another disposable email service" and would not change the original problem (the account was hacked). It merely slows them down slightly.

Oh crap. I have already been hacked, how do I fix this?

Unfortunately, for the most part, it's a race against time. My recommendation is to get your account associated with your phone as fast as possible if you notice this happening in real time. Go to https://myaccount.google.com/device-activity and revoke any other devices, especially those that look suspicious.

Start reaching out to Google support; it's an incredibly hard and long process, so start early. If you or a family member is using the paid "Google One", use that channel to get in touch with their support team (it's a much faster response).

14 Dec Update: I have confirmation from a Google employee that the recovery process using an "old email" is possible even after it has been changed/deleted. When possible use a device that has been previously logged in to aid the recovery process.

Record as many details regarding your account as you can, such as the devices you were logged in on, the email and identifier settings, and the date and time of the hack, plus the last few physical devices you were logged into (their model, etc.).

The more information you can gather, the higher your chances of recovery in proving your account ownership.

Ultimately, recovery can only be done by Google. If a Google employee requires you to prove that the change to Inboxkitten was made by a hacker, provide this article as a reference (part of the reason why I wrote it).

What can I do to protect my google account?

Please set up 2FA with your mobile devices for all your google accounts.

https://www.google.com/landing/2step/

What can google do to help?

  1. Change of email address should be time-gated. One should not be able to set up a recovery/alternative email and delete the original Gmail email in under 5 minutes. Any change in major email/identifier settings should lock further changes for the next 24/48 hours.

  2. Blacklist inboxkitten.com as a recovery email account option - check against an existing list of "disposable mail" services such as https://www.validator.pizza/

  3. Consider adding humans, or at least a dedicated support channel for people affected by such attacks. Currently, most affected users are extremely confused about what should be done in such an attack, to the point that they resort to randomly contacting a stranger on the internet for advice and solutions.
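Points 1 and 2 above describe two server-side controls. The following is an added example (not Google's code, and not Inboxkitten's) showing how both would combine in a recovery-email change handler: changes to a disposable domain are refused, and any accepted change to email/identifier settings starts a lock during which further such changes, including deleting the original address, are refused. Assumptions: the lock is 24 hours (the post suggests 24/48), the disposable-domain list is a constructed stand-in for a maintained list such as the one validator.pizza checks against, the account model is a toy, and the replayed sequence uses constructed addresses and timestamps.

```python
# Added example (not Google's code): recovery-email change handler that
# refuses disposable domains and time-gates identifier changes.
# Assumptions: 24 h lock (post suggests 24/48 h); constructed disposable-domain
# list, of which only inboxkitten.com comes from the post; toy account model.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

IDENTITY_LOCK = timedelta(hours=24)  # assumed

# Constructed list; a real deployment would use a maintained disposable-mail list.
DISPOSABLE_DOMAINS = frozenset({"inboxkitten.com", "tempmail.example"})


@dataclass
class Account:
    primary_email: str
    recovery_email: Optional[str] = None
    # while set and in the future, no further email/identifier change is allowed
    identity_locked_until: Optional[datetime] = None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_disposable(addr: str) -> bool:
    """True for a listed disposable domain or any subdomain of one."""
    domain = domain_of(addr)
    return any(domain == d or domain.endswith("." + d) for d in DISPOSABLE_DOMAINS)


def _locked(account: Account, now: datetime) -> bool:
    return account.identity_locked_until is not None and now < account.identity_locked_until


def set_recovery_email(account: Account, new_email: str, now: datetime) -> str:
    """Apply a recovery-email change; returns "ok" or a rejection reason."""
    if is_disposable(new_email):
        return "rejected: disposable domain"
    if _locked(account, now):
        return "rejected: identity settings locked"
    account.recovery_email = new_email
    account.identity_locked_until = now + IDENTITY_LOCK  # start the cooldown
    return "ok"


def remove_primary_email(account: Account, now: datetime) -> str:
    """Deleting the original address is itself a major identifier change and
    is refused while the lock from a previous change is still active."""
    if _locked(account, now):
        return "rejected: identity settings locked"
    if account.recovery_email is None:
        return "rejected: no recovery email set"
    account.primary_email = account.recovery_email  # toy model: promote recovery address
    account.identity_locked_until = now + IDENTITY_LOCK
    return "ok"


def simulate_takeover_attempt() -> List[Tuple[str, str]]:
    """Replay the sequence described in the post against both controls:
    swap the recovery email, then delete the original address minutes later.
    Returns (step, outcome) pairs. All values are constructed."""
    t0 = datetime(2021, 11, 16, 12, 0, tzinfo=timezone.utc)
    victim = Account(primary_email="victim@mail.example")
    steps = []
    steps.append(("recovery -> inboxkitten",
                  set_recovery_email(victim, "kitten123@inboxkitten.com", t0)))
    steps.append(("recovery -> non-disposable",
                  set_recovery_email(victim, "attacker@other.example", t0 + timedelta(minutes=1))))
    steps.append(("delete primary after 5 min",
                  remove_primary_email(victim, t0 + timedelta(minutes=5))))
    steps.append(("delete primary after 25 h",
                  remove_primary_email(victim, t0 + timedelta(hours=25))))
    return steps


if __name__ == "__main__":
    for step, outcome in simulate_takeover_attempt():
        print(f"{step:28s} {outcome}")
```

The replay shows what the lock buys: the disposable address is refused outright, and even after a non-disposable recovery address is accepted, the original address cannot be removed within the lock window, which is the time the owner has to notice the notification sent to it and act. One design caveat worth thinking through before adopting this as written: the lock as modelled also blocks the legitimate owner from reverting during the window, so a real system would want a revert path that is confirmed from the previously verified address.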

I'm listing these things down on the off chance that a Google employee in a position to make such changes reads this (fingers crossed).

About Eugene Cheah

Does UI test automation, web app development, and part of the GPUJS team.