GMail has gained high levels of popularity for a lot of good reasons - large amounts of free storage, contextual threading of e-mails, comprehensive labelling and tagging as well as instant messaging and piles of options, most of which are never used by the majority of casual e-mail users.
However, it is in these configurable options that the real value (as well as the real danger) of GMail lies.
If you have a GMail account, you can access Google Analytics for your web sites and you can gain tokenised access to other systems such as your YouTube account or your Flickr profile. If someone gets your GMail credentials, they've also got access to your Analytics, Flickr, YouTube and other associated accounts... but that's just the tip of the iceberg!
Google Docs provides a powerful collaborative document management system. You can upload and share spreadsheets, documents and PDFs including confidential commercial material. GMail's latest pop-up message in Google Docs reads "New! You can now upload folders - Upload entire folders from your computer to the cloud". All of this is accessible from your single GMail login credential, but it gets worse, much worse.
The following tutorial teaches you how to transfer all new e-mails from a GMail account you've compromised to another account of your choice whilst leaving the transferred e-mails in the GMail inbox apparently untouched:
From the GMail inbox, click on Options - Mail Settings
Click the Forwarding and POP/IMAP tab
Click "Add a forwarding address"
A pop-up will request the address you want to forward to. Fill in the details and GMail will send a confirmation e-mail to the address that you nominated.
Within the inbox of the nominated address, open the e-mail from GMail and click the confirmation link
Go back into Options - Mail Settings in GMail and click the Forwarding and POP/IMAP tab and you now have forwarding options.
These options include "Forward a copy of incoming mail to email@example.com and Keep GMail's copy in the inbox"
Now you'll receive a copy of everything that is received in the GMail inbox you've targeted, forever... even if the owner changes his password! Since most GMail users don't even know this facility exists, the chances are that the breach will go undetected for a very long time.
So, as a GMail inbox owner, what can you do to prevent breaches?
1 - Don't use trivial passwords and change them regularly.
2 - Don't use common passwords for different accounts.
3 - Check your user settings to make sure no-one is taking a copy of your inbox. If a forwarding e-mail exists, it can be cancelled in the same panel.
4 - Commercially sensitive documents should be held on company servers and accessed using remote access and strong authentication. Web-based e-mail systems with weak security are not the place to be storing or sharing mission critical data.
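The check in point 3 can be scripted for accounts you administer. The following is an added example, not part of the original post: it assumes the forwarding settings have already been exported as JSON in the shape of the Gmail API settings resources (auto-forwarding, forwarding addresses, filters), and it goes slightly beyond the settings panel described above by also covering filters that forward mail. The addresses and the allowlist are constructed sample data.

```python
# Added example: audit exported Gmail forwarding settings for recipients
# that are not on an approved list. All sample values below are constructed.

def audit_forwarding(auto_fwd, fwd_addresses, filters, approved):
    """Return a list of (severity, message) findings."""
    approved = {a.lower() for a in approved}
    findings = []

    # 1. Account-wide auto-forwarding ("Forward a copy of incoming mail to ...").
    target = (auto_fwd.get("emailAddress") or "").lower()
    if auto_fwd.get("enabled") and target not in approved:
        note = ""
        if auto_fwd.get("disposition") == "leaveInInbox":
            # GMail's copy stays in the inbox, so nothing looks different to the owner.
            note = " (copy kept in inbox)"
        findings.append(("HIGH", f"auto-forwarding enabled to {target}{note}"))

    # 2. Registered forwarding addresses; a confirmed one can be switched on at any time.
    for entry in fwd_addresses.get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail", "").lower()
        if addr in approved:
            continue
        status = entry.get("verificationStatus", "unknown")
        severity = "MEDIUM" if status == "accepted" else "LOW"
        findings.append((severity, f"unapproved forwarding address {addr} ({status})"))

    # 3. Filters whose action forwards matching mail (assumed extra check).
    for flt in filters.get("filter", []):
        addr = flt.get("action", {}).get("forward", "").lower()
        if addr and addr not in approved:
            findings.append(("HIGH", f"filter {flt.get('id')} forwards to {addr}"))
    return findings

# Constructed sample export for one mailbox.
AUTO = {"enabled": True, "emailAddress": "collector@example.net",
        "disposition": "leaveInInbox"}
ADDRS = {"forwardingAddresses": [
    {"forwardingEmail": "collector@example.net", "verificationStatus": "accepted"},
    {"forwardingEmail": "me@work.example", "verificationStatus": "accepted"}]}
FILTERS = {"filter": [{"id": "f1", "criteria": {"from": "bank.example"},
                       "action": {"forward": "collector@example.net"}}]}
APPROVED = ["me@work.example"]  # addresses the owner knowingly set up

if __name__ == "__main__":
    for severity, message in audit_forwarding(AUTO, ADDRS, FILTERS, APPROVED):
        print(f"[{severity}] {message}")
```

Because forwarding survives a password change, run a check like this after any credential reset, not only as routine hygiene.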
You can read more on the recent GMail hacks below:
Chinese Google Hack Drives Extra E-mail Security Vigilence
Five Steps To Reduce The Chances Of Having Your Gmail Account Hacked
One-Time Password Can Provide Improved Protection To Web-Based E-Mail