We did not get a clear statement from Google re the exposure of users who fell for the phishing attack. They did access our email, yes? Can we get any info about how much they read? Does Google keep logs?
Suppose I disconnected all connected accounts. Were the phishers still able to access my account after I cut off permission? Did their script stop working? I suspect not because when I cut off Chrome it seemed to still have access to information in my Google account.
There's a lot that we don't understand about how Google uses permissions. Usually it's not crucial, but today, if you fell for the trick (as I did) it's very important to know how much exposure there was, and perhaps continues.
Assurances that they've protected against this in the future aren't very consoling if you're exposed right now.
I have to say the work that professional reporters did on this was totally inadequate. Mostly just rote security theater. Change your Google password, enable 2-factor? These have nothing to do with a phishing attack. Our passwords were never exposed. If anything you should change the password on every account but Google. (Of course it does no harm to change the Google password, and I did. But it's more important to change passwords on accounts that communicate to you through Gmail.)
Google could help us in ways they haven't. A three-tweet advisory is not enough for something this serious. If I was able to take time to write a blog post explaining what the exposure is, then a company the size of Google can do that and should do much more.
PS: I have an idea how influential Google is. I feel some trepidation in criticizing them. I imagine reporters whose livelihood depends on access to Google have even more at stake. We have to go through that fear. Google doesn't need protection from us; for now we need protection from Google more.