I just received a mostly usual SMS starting with "Your Google verification code is…". Only mostly, however, because:
- I definitely didn't attempt a new sign in with Google in the last hour.
- I have changed my 2-step auth settings to use an app instead of SMS, though SMS is still a backup option.
- The verification code is very long – instead of 6 characters it's about 50 at the very least, and it contains letters, including caps, numbers and a slash – it essentially looks like it's supposed to be used by an application.
- This number has not been used before to send me verification codes, although it has the same country code and the same number of digits.
I have checked my recent activity (that link would be your recent activity, actually), and I don't find anything remotely suspicious (does this include failed login attempts, by the way, where the verification code was not entered?).
I'm pretty sure my password is secure and has never been revealed to anyone, nor written down, nor reused on another service, nor entered on a device that does not belong to me. But the first two issues with this supposed login attempt might be a good reason to change it, just in case. However, I've never encountered verification codes that long, so I'm starting to think it's not an actual login attempt and someone might just be having fun with SMS.
Please help me decide if there is a possibility my password was compromised.
P.S. I don't think I'm important/rich enough for anyone to be after my account, especially to a degree where they'll go through the trouble of overcoming two-step auth.
Best Answer
I recently got a similar message, "Your Google verification code is" and then an unusually long verification code (much more than the normal six characters you get through 2 factor authentication).
An hour or so before, I had used the Hangouts app and tried to verify my phone number. The first attempt failed, and for unrelated reasons I restarted the phone and then tried again, and succeeded. This made me suspect that it is related to verifying your phone number in Hangouts.
I googled a bit on this, and found the following which seems to confirm that this kind of message is normally not meant to be visible to the user. Instead, it's supposed to be caught by the Hangouts app itself when verifying your number:
(from the TextSecure GitHub page)
I suppose the first verification attempt failed because the SMS message was delayed for some reason. Then I tried again, and Google sent a verification code that was received by Hangouts and never displayed to me. Finally the first verification message arrived, much delayed, but then Hangouts was already done with verification, and thus showed it as a normal message.
My guess is that this can happen if the Hangouts verification process fails for some reason, and in that case should be benign. However, it's probably prudent to double-check your account activity and security settings anyway.