[UPDATE: Kurt Wismer has just reminded me of a very apposite blog he posted in 2007: http://anti-virus-rants.blogspot.com/search/label/single%20sign-on.]
A little more information further to my earlier blog. The H (Heise) gives us a number of links to its earlier stories about the Google compromise and tells us that Google have declined to comment on the New York Times report.
I also meant earlier to give a link to a site that suggests ways of taking remediative steps if your Gmail or Google account is compromised, i.e. towards getting back control of your password. Unfortunately, the first won't work if the attacker has changed your secondary mail account (or you no longer have access to it), and the other two require you to have information on account setup dates that not everyone will have. Still, a starting point…
Dan Raywood also comments for SC Magazine at http://www.scmagazineuk.com/googles-gaia-password-system-was-infiltrated-during-january-attacks/article/168356/.
David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/