17 votes

So I fell for a phishing

Tags: advice

In a moment of distraction, I fell for a phishing phone call and compromised my Google account. It took me 13 minutes to realize how catastrophically stupid I am and begin frantically changing passwords. I've run the official Google "secure your account" process probably 10 times (though 9 of those times there was nothing to do). I've checked all my financial info, changed passwords on all sorts of things. As far as I can tell, other than gaining access to my Gmail, I don't think anything else was compromised.

How boned am I? I've got 2FA on basically anything remotely important, and I've had decent password hygiene (although I do use the Google password manager, so that's probably compromised). Is there something else I should do or be on the lookout for?

6 comments

  1. skybrian
    Maybe look through Gmail settings for anything suspicious? For example, make sure mail isn't being forwarded anywhere.

    8 votes
    1. Rudism
      I would also check "linked apps," "your devices," and "app passwords," as these are all ways someone could potentially maintain access to your account even if you change your normal account password and have 2FA enabled.

      6 votes
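The two comments above amount to a checklist of Gmail-side persistence mechanisms: forwarding, filters that forward or hide mail, delegates, and extra send-as identities. The following is an added example, not code from the thread or from Google, that turns that checklist into an offline audit over the JSON returned by the Gmail API settings endpoints (users.settings.getAutoForwarding, forwardingAddresses.list, filters.list, delegates.list, sendAs.list). All addresses, filter IDs and settings in the sample are constructed for illustration. Linked apps, devices and app passwords live on the Google Account security page rather than in Gmail settings, so they are outside this script.

```python
"""Offline review of Gmail settings for attacker persistence.

Added example, not code from the original thread. It turns the checks
suggested above (forwarding, filters, delegates, send-as identities)
into a pure function over the JSON that the Gmail API settings
endpoints return: users.settings.getAutoForwarding,
users.settings.forwardingAddresses.list, users.settings.filters.list,
users.settings.delegates.list and users.settings.sendAs.list.
The inputs below are constructed to show what a persistence setup
looks like; feed it real responses (or compare against the Gmail UI).
"""

# Filter actions an attacker uses to hide the mail they forward:
# skip the inbox, mark it read, or send it straight to trash/spam.
HIDING_ADD_LABELS = {"TRASH", "SPAM"}
HIDING_REMOVE_LABELS = {"INBOX", "UNREAD"}


def audit_gmail_settings(auto_forwarding: dict, forwarding_addresses: dict,
                         filters: dict, delegates: dict, send_as: dict) -> list[str]:
    """Return one human-readable finding per setting that grants
    ongoing access to mail after a password reset."""
    findings: list[str] = []

    # Global auto-forwarding: every incoming message copied elsewhere.
    if auto_forwarding.get("enabled"):
        findings.append(
            f"auto-forwarding enabled to {auto_forwarding.get('emailAddress')}")

    # Verified forwarding addresses remain usable by filters even when
    # global auto-forwarding is later switched off.
    for fa in forwarding_addresses.get("forwardingAddresses", []):
        findings.append(f"forwarding address registered: "
                        f"{fa.get('forwardingEmail')} ({fa.get('verificationStatus')})")

    # Filters: flag any that forward, and any that hide matching mail.
    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        reasons = []
        if action.get("forward"):
            reasons.append(f"forwards to {action['forward']}")
        hidden = HIDING_ADD_LABELS & set(action.get("addLabelIds", []))
        hidden |= HIDING_REMOVE_LABELS & set(action.get("removeLabelIds", []))
        if hidden:
            reasons.append("hides matching mail via " + ", ".join(sorted(hidden)))
        if reasons:
            findings.append(f"filter {flt.get('id')} on {flt.get('criteria')}: "
                            + "; ".join(reasons))

    # Delegates read and send mail without knowing the password at all.
    for d in delegates.get("delegates", []):
        findings.append(f"delegate has mailbox access: "
                        f"{d.get('delegateEmail')} ({d.get('verificationStatus')})")

    # Send-as: extra identities, or a reply-to pointing elsewhere, let an
    # attacker capture replies to mail the owner sends.
    for s in send_as.get("sendAs", []):
        addr = s.get("sendAsEmail")
        if not s.get("isPrimary"):
            findings.append(f"non-primary send-as identity: {addr}")
        reply_to = s.get("replyToAddress")
        if reply_to and reply_to.lower() != (addr or "").lower():
            findings.append(f"send-as {addr} replies go to {reply_to}")
    return findings


# Constructed sample (not real data): the classic "forward and hide"
# setup plus a delegate and a diverted reply-to.
SAMPLE_AUTO_FORWARDING = {"enabled": True,
                          "emailAddress": "backup.inbox@example.net",
                          "disposition": "leaveInInbox"}
SAMPLE_FORWARDING_ADDRESSES = {"forwardingAddresses": [
    {"forwardingEmail": "backup.inbox@example.net",
     "verificationStatus": "accepted"}]}
SAMPLE_FILTERS = {"filter": [
    {"id": "filter-1", "criteria": {"from": "alerts@bank.example.com"},
     "action": {"forward": "backup.inbox@example.net",
                "removeLabelIds": ["INBOX", "UNREAD"],
                "addLabelIds": ["TRASH"]}},
    {"id": "filter-2", "criteria": {"from": "news@example.org"},
     "action": {"addLabelIds": ["Label_12"]}},   # benign, not flagged
]}
SAMPLE_DELEGATES = {"delegates": [
    {"delegateEmail": "helper@example.net", "verificationStatus": "accepted"}]}
SAMPLE_SEND_AS = {"sendAs": [
    {"sendAsEmail": "owner@example.com", "isPrimary": True,
     "replyToAddress": "backup.inbox@example.net"}]}


def run_sample() -> list[str]:
    return audit_gmail_settings(SAMPLE_AUTO_FORWARDING, SAMPLE_FORWARDING_ADDRESSES,
                                SAMPLE_FILTERS, SAMPLE_DELEGATES, SAMPLE_SEND_AS)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

On the constructed sample the audit reports five findings: the global forward, the registered forwarding address, filter-1 (forwards and trashes), the delegate, and the diverted reply-to; the benign filter-2 is left alone. The point of checking filters and forwarding addresses separately is that a password change and session invalidation touch neither, so they are exactly the settings worth reading line by line after an account takeover.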
  2. everythingisblue
    Sorry to hear that! I don’t have advice for you, but I’m interested in the details of the phone call so I know what to look out for if you don’t mind sharing.

    5 votes
  3. infpossibilityspace
    First of all great job in recognising it (better late than never!) and staying calm enough to secure your account quickly.

    I'm curious what they asked you to do? They triggered an MFA event and got you to enter/tell them the code?

    The Google thing would have invalidated all active sessions, kicking them out of anything they could access. The two things that might be an issue are (1) can they get back in, and (2) what could they do with the info they saw.

    Regarding (1), I would double-check they didn't add a new MFA device to your account or disable the MFA option. That's pretty much the only thing they can do to regain access other than phishing you again.

    For (2), I'd keep a watchful eye on your bank statements for any transactions you don't recognise, at least for the next month or two. If your profile has lots of personal info on it (addresses etc.), also keep an eye out for indicators of identity theft, like unexpected letters or your credit rating suddenly dropping.

    I don't think there's much else you can do at this stage other than keeping a keen eye for anything suspicious, I'd be curious if other people here have ideas (edit, @skybrian and @rudism note some great things to check, in line with (1)). If you do see something, I'd advise getting in touch with your bank/local authorities just in case.

    Fun fact, phishing via a phone call is known in the industry as "vishing" (voice-phishing)!

    3 votes
  4. patience_limited
    In the U.S., if you suspect your identity is at risk, you should place a freeze on your credit reports with all three reporting bureaus. This will (hopefully) prevent new cards from being issued in your name under someone else's control. It can be a pain to unfreeze everything again quickly, but it's good security to keep your credit records frozen until you know there will be an event where you have to intentionally give someone access (job or housing background checks, etc.).

    You can also (usually) set up a maximum single transaction withdrawal limit with your bank, and notifications for any withdrawals above a certain threshold.

    I hate to say it, but it might be good hygiene to notify everyone in your GMail contacts to be suspicious of messages that apparently come from your address for a while. Account access isn't just about hijacking, it can involve harvesting your network to gain access to higher value accounts.

    1 vote
    1. zipf_slaw
      In the U.S., if you suspect your identity is at risk, you should place a freeze on your credit reports with all three reporting bureaus.

      I believe this is best practice these days even if you don't suspect issues. It's easier than ever to manage the freezes, so it's kind of simple to keep it locked proactively. Mine has been locked for over 5 years now

      2 votes