
e-mail Account hacked?


donm


There has been, of late, a fair amount of news, etc regarding a person's e-mail account (free or paid web mail based account) being hacked (particularly Yahoo and even, although less frequently, Google's G-mail). (It does seem, from what I can gather, that Google does update and does enhance security issues).

I am not an IT expert, but it has happened to me, so I did as much research as I could on the issue/s.

What happens is that the hack occurs on Yahoo's (or Google's) side; your e-mails and, importantly, your contacts are stored there. The hack reads all your contacts and sends them spam mail; this spam mail appears to come from your e-mail address. The result is that companies/organizations, etc. with sophisticated mail systems/clients will reject the spam e-mail (which is using your address) and, importantly, can "blacklist" and reject future genuine e-mails that you may send to them. (You should then receive an e-mail notification that your e-mail was undeliverable; you can at least then see/realize that your account has been hacked.) Obviously, this is a problem for you because now your communication to these companies/organizations is effectively "cut off". (Mail can also just be "manually" "blacklisted" by less sophisticated mail systems/clients.)

The most common (almost only) advice I have been able to find on the internet is (1): to change your password. However, this has reportedly met with various degrees of success and accounts have been hacked again thereafter.

So I figured, what else is there? I also did see that on your e-mail settings, that (2); you should disable other applications (like, for instance Facebook), access to your contacts. (I, by the way, do not use Facebook, or other "social" apps, because I personally do not really trust them).

I figure that if the hack uses your contacts, then doing the following also, should help/be a solution: (3); deleting all your contacts (on your e-mail account) and (4): disabling your e-mail to automatically add new contacts when you send an e-mail to a new person/account.

(You could then use some other non-web based app to store your contacts and then paste the address when writing an e-mail; bit of a hassle maybe, but better than having your account hacked).

This is written from a "layman's" perspective and I hope I have the facts straight, but does anyone have some insights into this; or maybe has your account not been hacked (yet)!

Link to comment

Many are totally not aware of the dangers of the internet and use funny passwords like 12345, qwerty, peter8, jack1973 etc. These ones can be hacked within milliseconds; it's really asking to be hacked sooner or later. They are a danger to themselves and to others because, e.g., they are the same people who don't know how to send a group mail properly and always click on links in email without thinking, how to store passwords etc. Thanks to them their friends are getting spam and viruses etc. too. Better check here to find out how strong your password is: howsecureismypassword.net. An example of a good password is @C)(%$m44oZ0k%Ar

success ;

Link to comment

I got "hacked" a few years ago.

I received an email from "Google" asking for a renewed login because of updated security policies.

The mail, including Google logo and script (font) looked genuine and without thinking, I signed in..........BINGO!!

The culprits had access to my email account, emails and contacts.

They plundered my contact list and sent all of them to a new email account created by them and containing the part before @gmail.com.

Next step: They sent all of my contacts an email stating that I was in Scotland at the time and got robbed of my wallet and passport. In order to get back home I was asking for financial help.

I wasn't aware until one of my business contacts in Germany phoned me, asking if I was all right. He explained why he phoned and my alarm bells went off.

Immediately I contacted Google and the recovery process started running (took me 2-3 days).

The contacts were lost.

"My" new email (which was created as @hotmail.com) still exists........I couldn't cancel it.

After reinstating my Google account I received several statistics regarding my or the log-ins over the past week/days.

My account was accessed from Nigeria, Kenya and USA while I was on holiday in Switzerland.

I know, not really a hacker but more a phisher!!

Edited by joepattaya1961
Link to comment

The password you use is certainly a factor, in terms of how easily a password can be cracked.

However, I believe that even e-mail accounts with strong passwords have been hacked, as described in the original post above. I was curious to know about the storing contacts part of the post?

Link to comment

I got "hacked" a few years ago.

I received an email from "Google" asking for a renewed login because of updated security policies.

The mail, including Google logo and script (font) looked genuine and without thinking, I signed in..........BINGO!!

The culprits had access to my email account, emails and contacts.

They plundered my contact list and sent all of them to a new email account created by them and containing the part before @gmail.com.

Next step: They sent all of my contacts an email stating that I was in Scotland at the time and got robbed of my wallet and passport. In order to get back home I was asking for financial help.

I wasn't aware until one of my business contacts in Germany phoned me, asking if I was all right. He explained why he phoned and my alarm bells went off.

Immediately I contacted Google and the recovery process started running (took me 2-3 days).

The contacts were lost.

"My" new email (which was created as @hotmail.com) still exists........I couldn't cancel it.

After reinstating my Google account I received several statistics regarding my or the log-ins over the past week/days.

My account was accessed from Nigeria, Kenya and USA while I was on holiday in Switzerland.

I know, not really a hacker but more a phisher!!

Wow, that's not good! That is an example of phishing; I think we are more aware of it now and regard such e-mails as suspicious to say the least and definitely do not click on links in e-mails. I did it some time back (on work's network) just to check where the e-mail came from (without filling in any detail) and I could see the bogus site in the http part.

Link to comment
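The check described in the post above (looking at the "http part" of a sign-in link before trusting it) can be done mechanically. The following is an added example, not part of any post in this thread; the trusted-domain list, the function names and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: domains the mail provider really uses for sign-in.
TRUSTED_DOMAINS = ("google.com", "yahoo.com")

def real_host(url):
    """Host the browser would connect to, or None if there is none."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # malformed address, e.g. broken IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname is lower-cased and already excludes "user@" and ":port"
    return parts.hostname.rstrip(".")

def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a link found in a 'please sign in again' mail."""
    host = real_host(url)
    if host is None:
        return False, "not an http(s) link with a host"
    # Only an exact match or a true subdomain counts; this rejects
    # google.com.other.example and google.com@other.example alike.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        return False, f"host {host} is not under a trusted domain"
    if urlsplit(url.strip()).scheme != "https":
        return False, "trusted host, but the link is not https"
    return True, f"host {host} is under a trusted domain"

# Constructed sample links; the .example names are placeholders, not real sites.
SAMPLES = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com.login-check.example/signin",
    "https://accounts.google.com@login-check.example/signin",
    "http://mail.google.com/",
    "https://notgoogle.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print("OK  " if ok else "STOP", link, "->", reason)
```

The comparison is made on the host only, read from the right-hand end, because everything to the left of the real domain (subdomains, or text before an "@") is chosen by whoever built the link.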

Nowadays there's no such thing as a good password, crackers can decrypt "salted" passwords within hours regardless of how many symbols and numbers you use. The best way to protect yourself is to never click on any email you're not sure about.

Also Windows and IE are a damn sight more vulnerable to exploits than Linux based operating systems. Linux Mint is a good alternative to Windows for the usual computer stuff - web browsing and typing a few letters etc.

Link to comment

I have supposedly been hacked into twice now, both gmail accounts. Gmail sent me a message saying "suspicious login from Kirgistan" or something like that. They were able to detect that I could not be logged in here and there that rapidly or something.

Link to comment
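The "could not be logged in here and there that rapidly" check mentioned in the post above is commonly called impossible-travel detection. The following is an added example, not from any post in this thread and not Gmail's actual method; the speed threshold, the function names and the login records (times, cities, coordinates) are constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900        # assumption: roughly the cruising speed of an airliner
SAME_AREA_KM = 50    # assumption: ignore small jumps caused by IP geolocation noise

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """logins: (iso_time_utc, place, (lat, lon)) tuples in any order.
    Returns (from_place, to_place, km) for each consecutive pair of logins
    that no real traveller could have produced."""
    events = sorted((datetime.fromisoformat(t), place, pos) for t, place, pos in logins)
    flagged = []
    for (t1, p1, g1), (t2, p2, g2) in zip(events, events[1:]):
        km = haversine_km(g1, g2)
        if km < SAME_AREA_KM:
            continue
        hours = (t2 - t1).total_seconds() / 3600
        if hours == 0 or km / hours > max_kmh:
            flagged.append((p1, p2, round(km)))
    return flagged

# Constructed login history: the account owner is in Zurich throughout.
SAMPLE_LOGINS = [
    ("2013-01-05T09:00:00", "Zurich", (47.37, 8.54)),
    ("2013-01-05T10:30:00", "Lagos", (6.45, 3.39)),
    ("2013-01-05T11:00:00", "Nairobi", (-1.29, 36.82)),
    ("2013-01-07T18:00:00", "Zurich", (47.37, 8.54)),
]

if __name__ == "__main__":
    for src, dst, km in impossible_travel(SAMPLE_LOGINS):
        print(f"suspicious: {src} -> {dst}, {km} km between consecutive logins")
```

The last Zurich login is not flagged because two days is enough time to cover the distance, which is why this check works best alongside other signals such as a new device or browser.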

Nowadays there's no such thing as a good password, crackers can decrypt "salted" passwords within hours regardless of how many symbols and numbers you use. The best way to protect yourself is to never click on any email you're not sure about.

Also Windows and IE are a damn sight more vulnerable to exploits than Linux based operating systems. Linux Mint is a good alternative to Windows for the usual computer stuff - web browsing and typing a few letters etc.

Please don't be a scaremonger.

It took 4 years, 9 months, and 23 days to crack a 64 bit key.

Estimates to crack a 72 bit key are in the order of 100 years.

There is no evidence for a 256 bit key being broken, ever. Perhaps quantum computers, but even then there's little theoretical support.

For reference, a random 12 character password over all printable ASCII is ~79 bits.

Link to comment

And the OP sounds more like spyware or keylogger than brute force crack.

If you type or save your password on a compromised machine no password can protect you on its own.

IP or browser lockdowns and 2 step authentication help but with ease of use gone as a side effect.

Link to comment

My safety precautions include cryptic answers to 'security' questions.

A hacker can collect info from many websites and if one of your security questions is 'favorite movie', then it is not hard to guess.

Same for birthday, first girlfriend etc. Many of those things are online. Also having an email address containing your full name is not the best thing to do. I have one, but I only use it for signing on public websites like this forum. If they hack that then they have zero contacts. Make sure you do not use the same password for public websites. If they are cracked then those passwords can be used to try your other accounts.

And never use passwords where you only change the E in a 3 and an I into a 1. That is too easy.

That is just the basics.

Link to comment

Password or not, it's easy to install a type recorder.

These programs are on public computers. It works in the background.

It records everything you type.

You never know who the guy who runs the cyber cafe really is.

Edited by Cheapcharly
Link to comment

Firstly password security.

Use upper and lower case characters, plus numbers

Secondly, don't keep your contacts on Google, Yahoo etc

Run an e-mail client like Thunderbird, and keep your contact list on your own machine

Link to comment

I have started picking passwords at random, and then kind of memorizing them over time.

here's one example:

oiuevh876

Who can hack that? I know it can be done, but nobody is going to guess it.

Dear isawasnake,

Thanks for your views.

However, if you look at reports on the internet about Yahoo e-mail account hacking, the reports indicate the weakness on Yahoo's side. So the password (your particular password) is not really the issue here.

What I was saying was that spam gets sent from what appears to be your address to addresses you have in your contacts; your e-mail address then gets blacklisted by the receiving party. The drift of what I was saying was that if you don't have any contacts stored in your Yahoo account, there is no-one to whom spam can be sent and thus you avoid the blacklist issue.

It was commented in a reply to this post that you could/should use a third party client such as Thunderbird where your contacts are stored only on your computer; that makes sense to me.

Just as a further note, there are ways and even software to check access to your account, but that's beyond the scope of this.

Link to comment

I dispute that it is any safer to hold your contacts off-line in the likes of Thunderbird.

I use Outlook Express & that's where my contacts are stored - in my address book. About 3 weeks ago I received a message from Gmail about a hacking attempt (from Romania) on my Gmail account which they said failed. Unfortunately whoever it was got into my Outlook Express Address Book & sent the usual email (containing a link) to all therein.

I still don't know if the hacker came through my Gmail account or actually hacked directly into my computer. No virus or trojan found and I'm careful with passwords & unknown links or attachments.

Link to comment

Nowadays there's no such thing as a good password, crackers can decrypt "salted" passwords within hours regardless of how many symbols and numbers you use.

Absolute nonsense, that is nothing to do with passwords themselves but merely the passwords' encrypted storage in a database.

Link to comment

Email account hacking can probably be put into 3 categories.

1. Password databases from 3rd party websites being stolen, decrypted then run through a script to find hits where users are using the same password for their registered email addy.

2. Phishing.

3. Trojans.

Link to comment
