I got a call this past weekend from a friend in a mild panic. Her Gmail account had been compromised. She only found out because mutual contacts started calling to ask what the heck she had sent them. By the time we sat down together to assess the damage, the attackers had already been in the account long enough to do whatever they came to do. We could see the timestamp of when they got in. What we could not see was anything else. No activity log worth trusting. No administrative controls to review. No forensic trail to follow. Because it was a free account, and free accounts do not come with those tools.
That part was frustrating. What came next was genuinely alarming.
She had a password manager, which is the right instinct. She also had a habit of saving passwords directly to her Chrome browser, which quietly undermines the first thing entirely. When your browser is signed into a Google account and that account is compromised, the passwords synced to that browser have to be treated as potentially reachable by whoever is now sitting in that account. Every site, every login, every account she had ever saved in Chrome had to be treated as exposed. That is not a small list for most people.
Then we looked at what accounts used that Gmail address as their recovery email. Her bank. Several financial platforms. A couple of business tools she used regularly. That is the detail that kept me up a little. Because an attacker sitting inside someone’s email account does not need to know a single password to get into the accounts connected to it. They request a reset, intercept the confirmation email before it ever surfaces in the inbox, and they are in. The victim never sees a notification. Nothing looks wrong until something is very wrong.
Here is the business version of that story, and I will be direct about it because I see it constantly. A business owner signs up for Gmail when they are starting out because it is free, it is familiar, and there are more pressing things to spend money on. Reasonable call at the time. Three years later, that same Gmail address is on their proposals, their vendor contracts, their client correspondence, and their LinkedIn profile. It is also, without anyone having made a deliberate decision about it, the recovery address for their accounting software, their bank login, their domain registrar, and whatever else got set up along the way. The free decision from year one is now load-bearing infrastructure.
When that account is compromised, it is not just an email problem. It is an everything problem.
A business email account through Microsoft 365 or Google Workspace is not just a professional address, though that matters more than most people give it credit for. The more important difference is what you can actually do with it. You can require multi-factor authentication across every account in the organization and enforce it, not suggest it. You can see a genuine activity log when something looks wrong. You can revoke access immediately when an employee leaves or an account behaves suspiciously. You can layer identity threat detection on top of it, which monitors for the signs of a compromise before the attacker has had time to do what they came to do. With a free account, by the time you know something happened, the window for any of that has already closed.
My friend is fine. She spent the better part of a weekend changing passwords, locking down accounts, and notifying people. Those passwords she had saved to her browser were the part that cost her the most time, because every one of them had to be treated as known. The attackers may have gotten nothing of consequence, or they may have gotten something she has not discovered yet. That uncertainty is its own kind of cost.
The businesses I worry about are the ones where that weekend is not just an inconvenience. It is a client notification obligation, a potential regulatory conversation, and a question about what the attacker now knows about their customers, their pricing, or their operations. All of it tracing back to an email platform that was free, and felt like a reasonable place to save a few dollars.
The cost of a real business email account is a few dollars per user per month. I have never once had a client tell me it was not worth it after they understood what the alternative actually meant.
If you are running your business on a free Gmail address, or if that address is buried somewhere in the account recovery settings for the systems that matter, that is worth a conversation before it becomes a weekend you did not plan for.
I am easy to reach. (910) 444-0594 or dusher@cmitsolutions.com.
Until next time – keep IT simple.
Dave
