On Google Account Security, Trustfulness and Dependence

Today I received a very strange email in my personal gmail address from gmail itself:

O seu endereço secundário, “my-personal-address”@gmail.com, está associado a:

“xxxxxx”@gmail.com
“yyyyy”@gmail.com
“zzzzzzz”@gmail.com

Para efetuar login, clique no link abaixo.

http://www.google.com/accounts/
Se você clicar no link acima e ele não funcionar, copie e cole o URL em uma nova janela do navegador.Obrigado por usar o Google.

Em caso de dúvidas ou preocupações em relação à sua conta, visite as Perguntas freqüentes (FAQs) do Google no endereço
http://www.google.com/support/accounts/

Esse correio é apenas para envio de mensagens. As respostas para essa mensagem não serão monitoradas nem respondidas.

Which roughly translates to:

Your secondary email, “my-personal-address”@gmail.com, is associated with:

“xxxxxx”@gmail.com
“yyyyy”@gmail.com
“zzzzzzz”@gmail.com

To login, click on the link below.
http://www.google.com/accounts/

However, only the first address is known to me. I remember creating it to test a web project for a university class last year. But for the others, I have to ask: How did those people add MY personal email address as their secondary email?

 

I’m pretty sure my personal account is safe and has not been compromised. I switch (strong) passwords often and always take care when and where I insert my credentials. Could this be an error within GMail itself? I always thought GMail required secondary email addresses to be confirmed before they could be linked with an account.

 

I’m getting worried because I just realized GMail accounts often aren’t just email accounts. They are much more. They form the online identity for a lot of people. Through Google services, they hold financial, health, social and content information. They are often the primary identity in sites such as Twitter, Facebook, LinkedIn and many others. Gosh, I know business which run with GMail addresses. For some people, losing a Google ID would mean starting life over.

I think Google has acquired a lot of responsibility those days. And I hope they can handle it well and wisely, as I (and almost everyone else I know) trust Google to handle a lot of their personal data.

 

On a final note, I strongly suggest Google to start researching ways to identify people other than just asking passwords. I have to use 2048-bit cryptographic keys with unlocking pass-phrases to access my remote hosts; why would I continue using passwords – even if they are strong passwords travelling within SSL by default – to access my – much more important – personal data?