I get emails from people who have had their online email accounts hacked, and spam email is issued. Normally, I just send them an email and hear nothing of it. But today I got a message (via another mechanism) that they were going to trash their email account.
The rest of this post is my message back to them. On reflection, I should have considered that their password was leaked internally from their email provider (one of the “big few” – i.e. google, hotmail or yahoo). And that this could happen from a rogue employee ($0.10 per email, here’s a text file) or from hackers getting illegitimate access.
But here goes:
I don’t think you need to discard the email account, but there are a couple of things to consider
How did you get hacked? Was it malware on your PC (you can pick up malware infections just from things like Adobe Flash-based adverts if there’s a security problem in the flash plugin, for example) or was it someone picking up a session cookie if you were using unencrypted WiFi (coffee shop/hotel) (read this post on cookie hijacking to see how it works). Or did you use someone else’s computer (colleague, internet cafe?) These are the three main categories (I’m discounting you turning into a spammer.)
No matter how it happened, visit https://browsercheck.qualys.com/ on a weekly basis – or more frequently – to check your browser(s) and plugins are up to date – you need to do this for each browser that you use, on each computer that you use.
So, how do you tell which one happened to you? I’d get some anti-virus and scan your PCs and see if they detect anything. If you’re technical enough, then the SysInternals “autoruns” tool tells you *everything* that starts when you start your PC and log in. You can google the various process names shown in Task Manager and ensure they are benign too.
So, if you have malware, the only totally secure thing to do is to wipe and reinstall your OS and applications – although you might want to trust antivirus to detect and repair, it’s not guaranteed. And if you can, try more than one anti-virus product (free versions available for several) but you might have to install one, scan your PC, uninstall it and then install another – they might not co-exist nicely.
If you’re PC is clean, but you use public Wifi, chances are that you have been victim of a cookie hijack. The solution is to either always use HTTPS (which is encrypted so no-one can “sniff” your cookie.) (Most sites now offer it, and I expect your email provider is one of them; google is now offering HTTPS for searches, let alone email/calendar/etc.), OR, if you have one available, *always* use a VPN (Virtual private network), which encrypts everything (including normal unencrypted http traffic, although your VPN provider can “sniff” stuff). Maybe your employer has a VPN, otherwise you can buy the service, I believe. And, best of all, if it was a cookie hijack, you can just log on and change your password, the hijacked cookie will be invalid afterwards. Maybe ask where you were accessing the net in the days immediately before the spam started – can you correlate a location with the date/time.
And if you think you’re the victim of a keylogger, it should appear as malware. Let me tell you that one thing I do when I’m using someone else’s computer is to *not* enter my password in one go. I use the *mouse* to move the cursor between keypresses, and build up my password. So if my password was 12345678, I might start by entering “56” then click (don’t use the keyboard, keystrokes might be logged, including the cursor keys) at the beginning and add “23”, then at click the end and add 8, then between the 3rd and 4th character and add the 4. It takes a bit of mental juggling, and I rarely use a PC I don’t trust.
So, depending on how you were hacked, is anything else at stake? If it’s malware, chances are that a keylogger has been installed, and so every keypress might have been recorded and then might have been transmitted. If you use the same password for many things, e.g. online email, work email, online banking, then you are at greater risk than if you use a different one for each service – even if the usernames are different, your identity might be linked to an account via publically available search info.I use a three-tier system – one password for sites I really don’t care if someone impersonates me on, a second for a few other things (access to my server, and email, and so on), and a third tier, where I use a different password for each system – things like online banking, the UK Government Gateway, etc.
So, the bottom line is that
1: Stopping using the account might not be enough
2: Stopping using the account might not be neccesary
And that’s what I sent. Did I miss anything apart from the password-leak-from-provider?
Update: I added
3: change all your important passwords anyway. Consider a 2/3-tier system.