Is Ghost in Azure leaking email passwords or is Gmail warning for nothing?

Question

Yesterday I created a new Ghost Blog website from the Azure website gallery. The installation there asks for Gmail account and passwords, and like any security fanatic I gave my personal gmail account information (mistake #1).

Everything went nicely and got the blog up and running in no time.

Moment went and I got an email from Gmail saying that there has been suspicious log in to my gmail account from Taiwan. Google blocked this login and I made quick password change.

Today I repeated everything, but created new account to gmail to test things out. Same thing happened, but this time the login was from unknown location.

I scanned my computer for keyloggers and didn't find any.

Is it just Google being cautious and warning that the Ghost is trying to send mail and performing login while doing it? Or are those passwords leaking? They are in clear text format in the ghost configs?

Edit: Screen capture of the Ghost Setup in Azure

To my knowledge this seems totally normal Azure configure step.

Answer 1

The password is stored in clear text in the config.js file, but that is just fine because the file is not accessible from the web.

The reason why GMail complains might be that, in order to send mail, Ghost has to log in to your account with your password. In this case, requests are not coming from your personal computer, but from the Azure server that is in a data center somewhere.

But it's probably not the best idea to ignore the warning, because somebody might have actually breached your account. I would simply use another service for Ghost (like Mailgun).