
How to Protect Your Google Workspace Admin Account Against Hijacking

As a G Suite domain administrator, have you considered how frequently your G Suite account may be targeted for password-cracking attempts? Are you even aware if an unauthorized attempt to access your account has taken place?

The Google admin console is a very useful feature of G Suite that can be put to good use by G Suite administrators in businesses, schools, and other organizations. While the admin console allows for managing various administrative tasks, its power can also pose a significant risk if it falls into the wrong hands. As a G Suite domain administrator, it is important to follow G Suite security best practices to protect your account from unauthorized access and password-cracking attempts.

Have you ever thought about what happens to users and data if a cyber-criminal can somehow access your G Suite admin account?

The Problem: Unauthorized Access to Google Workspace Admin Account

One of our clients almost fell victim to cybercriminals when they tried to gain unauthorized access to their Google Workspace admin account. The attack was unsophisticated but still posed a serious threat.

If successful, this attack could have caused untold damage to the company including data loss or data breaches that may have involved confidential client or personal employee data.

In this case, hackers managed to identify the Google Workspace Admin account of the domain. They organized 19 attempts to crack the Google account password. Password cracking is a method of recovering passwords that are stored in an encrypted format. While there is no way to decrypt the password, software or humans can attempt to guess the password and compare the encrypted version of the guesses against the stored value.

Software password crackers usually work via a “brute force” method that will systematically check every possible password combination until a match is found. This can take some time but given long enough, the password will eventually be found. Short passwords and those made up of common word and number combinations can be found very quickly using this method.

If a human is attempting to guess the password, they may first research the user by finding out information via personal websites and social media accounts. This method can also be very successful, as many people use passwords based on easy-to-obtain data such as their birth date or spouse’s name.

Once the password is cracked, a hacker needs simply to log in with the admin username and password, and the entire Google admin console will be at his / her disposal.

Luckily, in this case, the potential victim was already using the Spinbackup cybersecurity service. This service detects suspicious activity such as an abnormal number of incorrect logins, and an alert is sent to the user, warning that an attack may be underway.

You can see in the image that a high number of attempted logins to G Suite were made. A failed login in itself is not suspicious, as this can easily occur when the user mistypes or forgets his / her password. This is why the action is assigned a “low” risk level. Each action can be selected to view a pop-up with more detailed information, as in the screenshot below:

[Image: Spinbackup how to protect g suite super admin account]

However, it is the number of failed logins within a short space of time that triggers the suspicious activity warning. These warnings may be sent to any email address, and / or to Slack, depending on the settings chosen in Spinbackup.
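The rule described above (a single failed login is low risk, a burst of them in a short time is an alert) can be sketched as a sliding-window count per account. This is an added example, not Spinbackup's code: the window, the threshold, the sample records and the function names are assumptions, and the record fields are modeled on Google's login audit events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed; the article does not give Spinbackup's window
THRESHOLD = 5                   # assumed number of failures that raises an alert


def sample_events():
    """Constructed login records (field names modeled on Google login audit events)."""
    start = datetime(2024, 1, 1, 3, 0, 0)

    def rec(offset_s, email, ip, name):
        when = (start + timedelta(seconds=offset_s)).isoformat()
        return {"id": {"time": when}, "actor": {"email": email},
                "ipAddress": ip, "events": [{"name": name}]}

    # 19 failed logins on the admin account, 20 seconds apart, from one address.
    burst = [rec(20 * i, "admin@example.com", "203.0.113.7", "login_failure")
             for i in range(19)]
    # A user who mistypes a password twice, an hour apart, then signs in.
    typos = [rec(0, "user@example.com", "198.51.100.4", "login_failure"),
             rec(3600, "user@example.com", "198.51.100.4", "login_failure"),
             rec(3630, "user@example.com", "198.51.100.4", "login_success")]
    return typos + burst


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per account with >= threshold failures inside any window."""
    recent = defaultdict(deque)  # account -> (time, ip) of failures still in window
    alerts = {}
    failures = [(datetime.fromisoformat(e["id"]["time"]), e) for e in events
                if any(x["name"] == "login_failure" for x in e["events"])]
    for ts, ev in sorted(failures, key=lambda pair: pair[0]):
        account = ev["actor"]["email"]
        q = recent[account]
        q.append((ts, ev["ipAddress"]))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(account, {"account": account, "peak": 0, "ips": set()})
            a["peak"] = max(a["peak"], len(q))
            a["ips"].update(ip for _, ip in q)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print(alert)
```

Counting per account rather than per source address means guesses spread across several addresses still add up to one alert, and the collected addresses feed the blocklist step.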


The Solution: Immediate Detection and Protection Response

The first part of defense against this kind of hacking attack is to detect the attempt in the first place. We have already seen how Spinbackup can detect suspicious login activity that may be indicative of an impending attack. To secure your G Suite account from future attacks, it’s important to consider other potential methods of hacking, not just password cracking.

Once this warning message is received by the G Suite administrator, the recommended course of action is as follows:
  1. Immediately change the password
  2. Assign super administrator role to another user
  3. Turn on Two-Step Verification
  4. Use the hacker’s IP (identified by Spinbackup) to determine the Internet provider of this individual and send a complaint of the malicious activity
  5. Add the hacker’s IP to the blacklist.

Spinbackup is currently working on implementing a new security feature that will automatically block the IP after a suspicious number of login attempts.

Protecting G Suite From Malicious Attacks

This is just one case that illustrates the issue of unauthorized access to the G Suite admin account and how this may potentially lead to immense losses for the company.

If a regular G Suite user account is hacked, only this individual user’s G Suite data might be deleted and/or stolen. If the Super Admin account is hacked, all domain users’ accounts and their data could be deleted, i.e. cyber-criminals could gain access to ALL corporate information. In addition to the possibility of all corporate data being stolen, there is also a significant chance that it could be lost forever if there is no automatic backup system in place.

Google does send automatic alerts about suspicious login attempts; however, this is not always useful, as the alerts are sent only to the account that is under attack. If the attack occurs at a time when no one is monitoring the email, hackers could potentially gain access to the account and erase any notification emails before they are noticed.

The solution to this issue is to use the Security Alerts feature in Spinbackup, set to all risk levels and delivered to several email addresses and to Slack.

The corresponding warning message from Spinbackup looks like this:

[Image: Spinbackup alert login failed]

If you ever receive a warning message in this format from Spinbackup, you should respond immediately by taking the steps listed above to secure your account.

According to IBM, there are 1.5 million cyber attacks each year, which is about 4,000 attacks per day. Juniper Research predicts they will cost businesses $2.1 trillion in 2019. Increasing users’ awareness of the most popular and dangerous cyber attack cases can help to fight the problem. By implementing G Suite security features such as Security Alerts, businesses can stay informed about suspicious activity and take immediate action to protect their accounts.

If you have faced any similar issues involving attacks on your G Suite account, please share your case with Spinbackup and the community. Describing the situation, the actions you undertook, and the ultimate result of the hackers’ attempt can help other users to protect themselves from similar attacks in the future. It can also give Spinbackup more information about attacks, which can help enhance G Suite security and threat detection and response in the future.