Google Account Hacked

Hello, me and my wife are facing a serious issue in Google account. About year ago, we accidentally found out when we were checking her Google account security that some "Samsung" phone was in the list of her devices. She doesn't have Samsung phone. We of course forced it to sign out and changed her Google password into very strong one. We also enabled all the security measure we could (2 factor authentication, Google prompt, SMS approval and etc). We thought, we finally did out best, but seems like I was wrong. Three days ago, she received email from the Google that said this:

"New sign-in into your linked account. Your google account was just signed in to from a new OnePlus 3T device. You're getting this email to make sure it was you. Check activity."

We checked activity and in devices, we see that there's some OnePlus 3T phone which we don't have. I again, forced it to sign out, changed password again (but previous password was already very strong). I also clicked on "show IP address", and I was very surprised to see our IP address there. I'm not very good in network, so I asked in another forum too and people told me that someone might be penetrating our router and that's how he hacked her account since it showed same IP address as our computers. Now, about routers in my house: We have two routers. One, main is ZTE brand that was provided by my ISP that is source of Internet and we also have another one - TP-Link which is a wireless router and acts as an access point. My computer and TV gets Internet through that router, however my wife's computer and my mother's computer get Internet through the main router. I entered in the panel of TP-Link router. It had default username and password (admin/admin). I changed it into strong username and password and I also upgraded it's firmware and I also changed our WIFI password into strong one. I also talked to my ISP. He told me if attacker attacked our router, he would attack that TP-Link, not that ZTE, however my wife's computer gets Internet from the main one and she is also using Google Chrome profile in my computer too, so she is logged into her Google account in her computer, in my computer and in her phone.

I am thinking how this person could hack her Google account. He didn't change anything, he just logged in, but what is weirdest thing in all this that when her Google account was logged in with those phones, we never got notification in her phone to approve login. When you enable 2 factor authentication and Google prompt in your account and when you try to sign-in in your Google account from the new device, you get notification in your phone and you can approve or reject that login there. She NEVER received such notification in her phone, so this person bypassed this somehow. I have no idea how is this possible. I also don't know for sure from where attacker made this attack, through router or maybe from some application in her phone or computer? But if he would do it from these sources, how he had our IP address?

I don't know what to do. Any advices? The only thing I have in my mind is to buy longer cable and connect her computer to the Internet through my second router (TP-Link), which I secured much better yesterday? I think it's a good idea, yeah? What else I can do? I tried to contact Google support about it, but they don't have support, just some useless articles that don't tell me anything new I don't know.

Samuria said:

The best option is to set Mac address filters on both routers that's only lets known devices connect. Have you changed the routers password that needs to be strong 20 characters.
They often go for email password as that gives them access to other accounts often they will try to login to Facebook click forgot password and it then sends a password to email which they can login with they then delete the email.

Check your email bin to see if there any you don't know about

I didn't do it, but I will definitely check router's settings and if I find such thing, I will set MAC filters like that. I changed password of second router to something difficult, automatically generated, I think it was 16 or 18 characters generated. I can change it to 20 characters if it helps. I didn't touch first router settings yet. My ISP gave me username and password of it yesterday and it was late. I'll check it's settings today evening when I go back home. My wife's email password was strong too, at least 14 characters automatically random generated letters and symbols. How this person managed to hack it so that she didn't get Google prompt notification or codes from her Google authenticator... It's an enigma to me. I'll check her email trash bin later, but if hacker deleted email, he would probably delete it from bin too, permanently (if he's smart). He didn't change anything. It felt like he just wanted to be unnoticed.

Do either of you use an Android phone, and perhaps Bluestacks? BlueStacks - More than an Android Emulator, Fast & Secure
If so, you are not alone. It seems that bluestacks may identify as a "OnePlus OnePlus3T". See Google thinks my router or new computer is a OnePlus 3T and shows up under Find My Phone - Google Account Community

Note I use neither Android nor bluestacks, so am just guessing!

mngerhold said:

Do either of you use an Android phone, and perhaps Bluestacks? BlueStacks - More than an Android Emulator, Fast & Secure
If so, you are not alone. It seems that bluestacks may identify as a "OnePlus OnePlus3T". See Google thinks my router or new computer is a OnePlus 3T and shows up under Find My Phone - Google Account Community

Note I use neither Android nor bluestacks, so am just guessing!

Wow. I just asked my spouse about this, when I read your post and she confirmed that she installed this Bluestacks or whatever is that and I asked her when did she do this and she said Saturday, 26th, exact same date when she got this warming. Wow, you just freed me from a lot suspicions and thinking, I was going crazy, thinking who would this be and how he would do that. Thank you again.

It may be immodest of me, but a thanks (bottom of post) would be most welcome! Glad to help. For the record, all I did was type 'Your google account was just signed in to from a new OnePlus 3T device' into a well-known search engine' and it was the first result on the list - so you should really thank that search engine. Martin