The Atlantic: Gmail Account hacked!

Via Tidbits I found a story where James Fallows from The Atlantic describes how his wife's email account was hacked and what they went through to recover years of stored messages. It's a compelling tale that will hopefully bring home the need for secure passwords and offline backups of cloud-based data.

The beginning of the Tale

She ... logged into her Gmail account with enormous relief, which lasted perhaps five seconds. When she looked at her Inbox, and her Archives, and even the Trash and Spam folders in her account, she found—absolutely nothing. Of her allocated 7 gigabytes of storage, 0.0 gigabytes were in use, versus the 4+ gigabytes shown the day before. Six years’ worth of correspondence and everything that went with it were gone. All the notes, interviews, recollections, and attached photos from our years of traveling through China.

All her work and private correspondence was gone.

Excuses, excuses

This was a loss whose sweeping magnitude was possible only because my wife had entrusted her data exclusively to the most professional of pros: Google’s operation in the cloud. If we had thought that data security was strictly up to us, we’d have made backups of some sort to limit the potential damage—much as we would lay in our own firewood and keep our own chickens and cows to be sure we’d never freeze or starve if normal supplies were cut off. In my own version of Depression-style thinking, and with that lightning strike in mind, I had always made triply redundant backups of anything that mattered to me, including e‑mail. Local on-disk backups of Gmail archives, via programs like Eudora and Thunderbird—or both. Online backups of those local backups, through SugarSync and Dropbox—and then more local backups on my other machines. But my wife had trusted the cloud and Google. And now?

In Google we trust??? Really? They don't even have support people you can talk to. No backup, really?

Data Recovery - Google style

Perhaps the most startling thing I learned at Google about my wife’s case was how “lucky” we had been. Lucky not in having friends we could turn to in the otherwise automated and unapproachable Google edifice—though, of course, we were—but simply in the timing of the attack. If this had happened six months or a year earlier, or if it happened even today at most other e-mail services, the archives would likely have been gone forever. It was only because of the Undeletion Project that recovery, although slow, was feasible at all.

And a bit further down as justification for the "new" Undeletion Project:

But according to Google’s legal department, its higher and more stringent duty is to ensure that messages are erased, if whoever is in charge of an account wants them gone.

The Moral of the Story

The author's takeaway is to make stronger passwords. But there is a reason why users have simple passwords: the human brain can't store more complicated passwords, or even more of them. What we need is a better way to manage passwords and then a better way to manage security. For myself I'm using Wallet to store my passwords. It's only one click in the browser to enter user name and password. But I also keep multiple backups in different locations of my most important data.

Google is known for not having people available to talk to. Why would I trust my professional correspondence to a company without support?

And finally: you are always responsible for your own data.


Moth Software Mayence
Beatrix Willius
Walterslebener Strasse 23a
55262 Heidesheim
Germany
Phone: +49-(0)6132-509659
Copyright 2003 - 2012