This is super easy to do accidentally if you log into Google while simulating a mobile device in Chrome devtools, because your user agent string tells Google what device you are using.
Does it always send an email, or just when the connection is coming from an unexpected place? e.g. new IP address, unusual time, different cookies, etc.
A changed user agent on a browser is pretty small, it wouldn't surprise me if Google didn't email for things like that.
Right, but the UA also includes the browser's version in it. If you change from Chrome to Safari you're indeed using a different browser. If Chrome's UA gets updated from say "Chrome 45.1.1.1.1 WebKit" to "Chrome 45.1.1.2.0 WebKit" it shouldn't really care. To be more clear, in the case of changing browsers it detects this change via cookies, not by UA string.
Sure, if it was me logging into someone else's account (and there had to be some conscious effort based on his random password), I'd log in and delete the email immediately. Delete from inbox, delete from trash, refresh. It seems like you would notice that, but no one spends 24 hours a day looking at their email. It probably wouldn't be that hard to slip by the best of us.
That's what two-factor authentication is for. And not emailing the same account for login notifications. I just don't find this too hard to believe.
"I use a secure password algorithm." Maybe my notion of secure is wrong, but I didn't find it particularly secure ("Ensure your system always gives you a password between 8 and 9 characters long") or even convenient (absolutely no mention of password managers; the system is based on memorization).
And then moments later: "I currently don’t have two factor authentication."
Just seems like there's two people behind this post: one who is concerned about security and one who doesn't fully leverage tools to enhance their security.
Not ragging on the author. This just stuck out at me. I'm genuinely curious and would love a follow-up if author can discover what happened.
The author reads like they have a pretty high sense of self-worth, which rubbed me the wrong way. Your comments match things I noticed myself, and so does the other post they linked to about moving off of Gmail and onto a postfix/dovecot self-hosted stack, with its drivel about Gmail and Facebook having a long history of unfederated services, and then in the very last paragraph almost casually mentioning that Outlook.com, Gmail and Yahoo seem to consistently flag mail coming from their server as spam.
I've run my own postfix/dovecot stack since 2004 and have never had the same problems, but a sample size of two is a poor pool to derive results from. I wouldn't be surprised if their email server had been configured as an open relay accidentally at one point, or if a neighbor on the same or a nearby subnet had been a flagrant source of spam. Coming from nothing, mail servers are somewhat hard to get running correctly and securely. Much more so than standing up Apache.
I would also like a follow up, as there seems to be a very skewed story, or some kind of information is missing about both of these situations.
Quantitatively, how much more secure would using two factor authentication be over what the author is doing?
Edit: Assuming that someone only crafts 9-plus-character passwords that don't show up in dictionary attacks and aren't reused across sites, is 2FA going to secure that person much more? I'm not challenging 2FA. Actually, I'm just trying to motivate myself to use it.
There are entire classes of attack that 2FA protects against that you are completely screwed without. Some examples: You use a computer that has a key logger, or you get infected with a key logger, or a hardware key logger is installed inline with your keyboard cable. Someone shoulder surfs you while you log in. Someone points a video camera at your keyboard while you log in. Someone uses an RF vulnerability to wirelessly snoop the RF signals as you log in on a keyboard. You get phished (a good phishing page, not a pathetic one). You get tricked into entering your password into a popup dialog box that appears to be a "Log in with your Google account" dialog, but isn't.
Sites can log invalid password attempts, and unscrupulous sites could include attempted usernames and passwords. That basically gives them a dictionary of accounts to try, because let's face it, most people use the same password for multiple services. Sometimes people's muscle memory kicks in and they accidentally type their password into the wrong site, or the wrong field.
With Google's 2FA, you need access to either a pre-printed list of emergency codes, or the ability to see the person's incoming texts. That's where the "if done properly" caveat comes in. Google Voice is generally a bad idea. If someone accidentally gets into your email because you left it open, they also have access to your incoming texts.
I'd like to respectfully disagree. When done correctly, Google Voice can be as good as if not better than a traditional cell phone. I treat my email with more care than I treat my bank accounts. However, Google Voice is probably not as good as the app on your phone though.
The most likely explanation is that one of his devices visited YouTube over HTTP (not HTTPS) and his ISP "helpfully" installed some kind of caching proxy that returned the wrong cookies to the wrong user. ISPs have been known to cause mixups like that when cranking up caching aggressiveness to 11.
The ISP might have returned his cookie to someone else running iOS. The fact that it only happened for a few hours might be explained by cache expiration.
If ISPs are returning cookies from the wrong users, wouldn't it also be possible for login credentials (stored within cookies) to be returned as well?
Login cookies are usually sent over HTTPS. Check your browser's cookie store; you'll see that Google services use so many of them, also because of the many hostnames and domains they are on. I suspect YouTube cookies because you can't use google.com ones directly on its domain. And the console mentions devices that have been used with the account, not that have been logged in or have attempted to do so (an important distinction), which points again to cookies. If he used Chrome or another browser supporting ChannelID, such a mixup would have no consequence, because Google's GFE would detect the situation and mint new cookies or redirect the user to a login page.
At no point should the ISP know his or any other user's cookies. If YouTube is at all set up correctly, login cookies would be marked Secure and only sent over HTTPS.
This would be a valid point if not for the fact that Google forces you into using the same login across its sites in the same browser session. It's not really practical (without going to greater lengths than just using 2FA to begin with) to use a different/no login on youtube than the rest of the Googleverse.
One possibility is the author logged into an iOS device to check it out - e.g. one of the devices Apple stores have lying around for people to test out - and then forgot to log out, so when other people used YouTube on the same device, their views were logged under the author's account.
(EDIT): Left my slightly off-topic comment below as it may be useful to some people anyway; as the two child commenters pointed out, this doesn't necessarily relate. If this was an attack, it seems the non-Gmail email must have been compromised as well, as I don't see a way to turn off these notifications.
From what I have seen assisting others with compromised Google accounts (most likely due to a phishing attack, but unconfirmed), emails that would give away the compromise are usually deleted---either manually or via a filter[1].
Sometimes these deleted mails can be retrieved because they are not purged completely, but deleted mail does not show up in Gmail search.
[1]: If you believe your account has been compromised, check your email filters, I've seen weird delete filters added to accounts.
But the email address on his account is not Gmail, so an attacker would have had to separately compromise his non-Google mail server to achieve any of this.
I should have said, despite the fact that it doesn't fit in this specific case, your overall advice is very good. This is quite common and definitely something people should be aware of.
I had one interesting incident... I was not able to access my Twitter and Gmail accounts, both. The Twitter account was associated with that Gmail account. I had the same password for both of them. I was able to recover my Gmail as the attacker did not change the recovery email in my Gmail account. And hence I could recover the Twitter account too. Then again I set the same password for both of them. Next day the same thing happened again. Then I recovered both and set different passwords, and since then it is fine.
I wondered how someone could hack so easily. The passwords were not easy and I can not believe that anyone could guess that. I also checked the last access time in gmail and there were no suspicious activity there.
I'm curious to know what the author's gmail address is. I've experienced bad behavior with the ability to add or remove dots from the mailbox name. Apple (amongst some others) allows people to register iCloud accounts using unverified email addresses. It is obviously a big leap to think the YouTube app would respect the iCloud username.
This is a long shot... But if you use LinkedIn, that could account for some of the videos. They recently added an autoplay feature for their videos on the home page that is very tedious to shut off. If you're logged into YouTube on the same device it will play the videos and they show up in your played videos on YouTube.
First verify you don't have an iPhone (or whatever) in your recently used devices: https://security.google.com/settings/security/activity
Now go back to recently used devices and you should see the new device. Occam's razor implies PEBKAC.