eitama's Avatar
Posts: 702 | Thanked: 334 times | Joined on Feb 2010 @ Israel.
#11
Originally Posted by CrashandDie:
TLS clients will bork if they connect to a host that does not offer a certificate. Typing your username/password on a page that is not secure deserves you to get your account hacked.

Nuff said.
You can stick your head in the sand if you like, and ignore that there might be a problem, but there are too many ways for this to happen to just rule it out.

And yes, I am human, I might have made a mistake and didn't notice that SSL was gone.

I'm having a hard time using my humanity as an excuse for your rudeness.

4/ Don't blame the N900.
5/ Stupid topic
6/ ???
7/ Profit.
__________________
| Developer of Horizontal-Call - Call your contacts, fast! |
| Reverse SSH - access your N900 from anywhere, anytime |
| Using Samsung Galaxy S GT-i9000 and Nokia N900 |
| DonateMe - If you feel I helped you in a very good way, feel free to donate |
 
Posts: 1,048 | Thanked: 979 times | Joined on Mar 2008 @ SF Bay Area
#12
Do these steps from a machine you know (know, not believe) to be secure:
1. Change your gmail password. Do not tell it to anyone. Not even your spouse.
2. Change the address of your alternate email address to an address you know to be secure.
3. Go to gmail. At the bottom in fine print there should be something that explains the latest activity on the account. It should have a "Details" link. Click it. A popup window will appear. Click Disconnect all other sessions.

After these steps:
Monitor your gmail like a hawk for a month at least to ensure there's no funny activity.

If you think your phone is compromised, reflash everything down to emmc before you attempt login to gmail.

I am more inclined to believe that your desktop/laptop is compromised - because the n900 is not a "famous" enough target to install keyloggers / rootkits. The ROI is in most cases not worth it.

Some of these steps sound funny (paranoid) even when I read them, but for me they are important because my email account is effectively a gateway to almost everything else I have.
I cannot afford to have it be compromised.
__________________
qgvdial: Google Voice client. All downloads
qgvtp: Phone integration for the n900 that dials out and sends texts using qgvdial.
mosquitto: message broker that implements the MQ Telemetry Transport protocol version 3.
qgvnotify: Google voice and contacts notifier for diablo and maemo.

If you want to thank me, click the Thanks button.
If you'd like to thank my applications, vote to move them to extras.
 
Texrat's Avatar
Posts: 11,700 | Thanked: 10,045 times | Joined on Jun 2006 @ North Texas, USA
#13
Well, after all these years, it looks like an online account of mine has been hacked: Youtube. I can no longer log in, and today Youtube asked me to verify I wanted the password changed.

Crap.

Not sure how to fix this...
__________________
Nokia Developer Champion
Different <> Wrong | Listen - Judgment = Progress | People + Trust = Success
My personal site: http://texrat.net
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#14
This thread has made me rotate my passwords on all of my online accounts.
 
juise-'s Avatar
Posts: 186 | Thanked: 192 times | Joined on Jan 2010 @ Finland
#15
Originally Posted by gerbick:
This thread has made me rotate my passwords on all of my online accounts.
It's a good idea to do that every once in a while.

To OP:

I'd look back if I've used any computers in public places (likely targets), or anything running windows (likely targets).

Targeting N900 users would mean targeting such a small total number of users that it wouldn't make sense to most hackers.
__________________
Trout have underwater weapons.
 
Texrat's Avatar
Posts: 11,700 | Thanked: 10,045 times | Joined on Jun 2006 @ North Texas, USA
#16
Originally Posted by gerbick:
This thread has made me rotate my passwords on all of my online accounts.
And really makes me wonder about OpenID...
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#17
Originally Posted by Texrat:
And really makes me wonder about OpenID...
I believe that it was GA here that was first to have shown the security concerns for OpenID around here. Not sure, but I've seen concerns.

I used to rotate my password - non-dictionary, complex (uppercase, lowercase) with at least two special characters - once per 120 days. I just rotated and since last year have done so only once per 180 days.

You guys just prompted it today for all but my throwaway accounts.
 
optimistprime's Avatar
Posts: 417 | Thanked: 182 times | Joined on Jan 2010 @ At your mom's house, with my feet up!
#18
just rotated mine. had something similar with the gmail thing happen the other day. i do usually check and see if the account is logged in somewhere else but recently had been using gmail mobile. in the middle of a gtalk chat, the account was temporarily suspended due to "suspicious" activity. had to change email passwords.....just changed EVERY password that i used.
__________________
I like my girls like I like my toys, MADE IN JAPAN!!!
 
eitama's Avatar
Posts: 702 | Thanked: 334 times | Joined on Feb 2010 @ Israel.
#19
Interesting information guys!
Thanks for letting me know, I'll restart the brute force loop.
 
juise-'s Avatar
Posts: 186 | Thanked: 192 times | Joined on Jan 2010 @ Finland
#20
Originally Posted by CrashandDie:
Typing your username/password on a page that is not secure deserves you to get your account hacked.
Easier said than not done.

I have almost typed my FB credentials to a phishing site once, after following a link from an authentic-looking email notification to an authentic-looking login page. The only thing that was wrong was the URL.

Edit: needless to say, I've been more careful with clicking links in e-mails ever since.

Last edited by juise-; 2010-06-25 at 22:36.
 

All times are GMT. The time now is 21:32.