In Gmail someone has your password for the web host email, what would you do now?
I received a confusing email from Google today. It had the subject 'Critical security alert' and the body said in part 'Google has become aware that someone else knows your password, and we've taken steps to protect your account.'
Apparently these are legitimate, and I've confirmed the links and message headers don't look like a phishing attempt. The odd thing is that the email address listed is not a Gmail address - it is an email associated with one of my web hosting accounts. We fetch mail from this account via POP3 into our Gmail account.
The text is unambiguous - they state plainly they know someone knows the password to this account. But how? Google has no special access to the account. They presumably have the plaintext copy of the password available for POP3 authentication, so if there was a data breach on this storage at Google then I guess that's one way, but I'm coming up blank on anything else. And the text 'sign back in' sounds like they meant to send it for Gmail but I don't know how to ask them.
Even if my poor security hygiene meant a third party had access, how would Google know?
As the question assumes, Google has the password for the POP3 account; it can check the common password dumps if the password is known publicly. They don't claim that somebody is actively using the password with your POP3 account, only that somebody knows it. And they urge you to change the password to protect your account.
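The check described in the answer, sketched as an added example; it is not from the original post and is not Google's implementation. It assumes a dump indexed by SHA-1 prefix with `SUFFIX:COUNT` range responses (the format used by Pwned Passwords-style services); the dump, account names and passwords are constructed.

```python
import hashlib
from collections import Counter

# Constructed sample "dump": passwords as they might appear in a leaked list.
CONSTRUCTED_DUMP = ["hunter2", "letmein", "hunter2", "Summer2019!", "letmein", "hunter2"]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(dump):
    """Group dump hashes by 5-char prefix: {prefix: {suffix: occurrences}}."""
    index = {}
    for pw, count in Counter(dump).items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index

def range_response(index, prefix):
    """What a range lookup returns for one prefix: 'SUFFIX:COUNT' lines."""
    return "\n".join(f"{s}:{c}" for s, c in sorted(index.get(prefix, {}).items()))

def times_seen_in_dumps(password, index):
    """Check one stored credential; only the 5-char prefix is sent to the lookup."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_response(index, prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def audit_stored_credentials(stored, index):
    """Return the accounts whose saved password appears in the dump."""
    return sorted(a for a, pw in stored.items() if times_seen_in_dumps(pw, index) > 0)

if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_DUMP)
    # Constructed POP3 fetch credentials held by the mail service.
    stored = {"info@example.com": "hunter2", "billing@example.com": "kX9#vLq2!mR7"}
    print(audit_stored_credentials(stored, index))
```

A hit only shows that the password string exists in a dump, which matches the alert's wording: someone knows the password, not that someone has logged in to the POP3 account with it.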