Hacked Email: The 6 Things You Need to do NOW
Someone somewhere has gained access to your account and is using it to send spam. Now all your friends, colleagues, peers, and even that crazy buddy from high school that is part of your Contact List is all over you about the countless Spam “YOU” are sending them.Of course you didn’t send the Spam. Rather, your email account has been hacked!
Where do I turn, what do I do, what are my next steps to gain back control over my own email? Calm down, there are some simple steps to take. In fact, there are Six Things you can do right now.
- Recover Your Account: Log in to your email account via your provider’s website. If you can log in successfully, consider yourself extremely lucky, and proceed to step 2 right away. If you can’t log in, even though you know you’re using the right password, then the hacker has probably changed your password. The password, you know, is no longer the correct password. You must then use the “I forgot my password” or other account recovery options offered by the service. If the recovery methods don’t work – because the hacker changed everything, or because you no longer have access to the old alternate email or phone – then you may be out of luck.
- Change Your Password: Once you regain access to your account (or if you never lost it), immediately change your password. As always, make sure that it’s a good password: easy to remember, difficult to guess, and long. In fact, the longer the better, but make sure your new password is at least 10 characters or more – ideally 12 or more, if the service supports it.
But don’t stop here. Changing your password is not enough.
- Change Your Recovery Information: While a hacker has access to your account, they might leave your password alone so that you won’t notice the hack for a while longer. But whether they change your password or not, they may change all of the recovery information. The reason is simple: when you finally do change your password, the hacker can follow the “I forgot my password” steps and reset the password out from underneath you, using the recovery information they set.Thus, you need to check all of it and change much of it … right away.
- Change the answers to your secret questions. They don’t have to match the questions (you might say your mother’s maiden name is “Microsoft”); all that matters is that the answers you give during a future account recovery match the answers you set here today.
- Check the alternate email address(es) associated with your account and remove any you don’t recognize or are no longer accessible to you. The hacker could have added his own. Make sure all alternate email addresses are accounts that belong to you, and you can access them.
- Check any phone numbers associated with the account. The hacker could have set their own. Remove any you don’t recognize, and make sure that if a phone number is provided, it’s yours and no one else’s, and that you have access to it.
These are the major items, but some email services have additional information they use for account recovery. Take the time now to research what that information might be. If it’s something a hacker could have altered, change it to something else appropriate for you.
Overlooking information used for account recovery allows the hacker to easily hack back in; make sure you take the time to carefully check and reset all as appropriate.
- Check Related Accounts: This is perhaps the scariest and most time consuming aspect of account recovery. Fortunately, it’s not common, but the risks are high, so understanding this is important. While the hacker has access to your account, they have access to your email, including what is in your account now as well as what arrives in the future.Let’s say the hacker sees you have a notification email from your Facebook account. The hacker now knows you have a Facebook account, and what email address you use for it. The hacker can go to Facebook, enter your email address, and request a password reset.
A password reset sent to your email account … which the hacker has access to.
As a result, the hacker can now hack your Facebook account by virtue of having hacked your email account.
In fact, the hacker can now gain access to any account associated with the hacked email account.
Like your bank. Or Paypal.
NOT TO BE UNDERSTATED: Because the hacker has access to your email account, he can request a password reset be sent to it from any other account for which you use this email address. In doing so, the hacker can hack and gain access to those accounts.
What you need to do: check your other accounts for password resets you did not initiate, and any other suspicious activity.
If there’s any doubt, consider proactively changing the passwords on those accounts as well. (There’s a strong argument for checking or changing the recovery information for these accounts, just as you checked for your email account, for all the same reasons.)
- Start Backing Up: Start backing up your email now.
Start backing up your contacts now.
For email, that can be anything from setting up a PC to periodically download the email, to setting up an automatic forward of all incoming email to a different account, if your provider supports that. For contacts, periodically exporting your contacts and download them.
- Learn From The Experience: Tough one to take, I know. But the School of Hardknocks has the highest tuition rate! Follow these basics always:Use strong passwords that can’t be guessed, and don’t share them with anyone.
- Use strong passwords that can’t be guessed, and don’t share them with anyone.
- Don’t fall for email phishing attempts. If they ask for your password, they are bogus. Don’t share your password with anyone.
- Don’t click on links in email that you are not 100% certain of. Many phishing attempts lead you to bogus sites that ask you to log in and then steal your password when you try.
- If you’re using WiFi hotspots, learn to use them safely.
- Keep the operating system and other software on your machine up-to-date, and run up-to-date anti-malware tools.
- Learn to use the internet safely.
- Consider multi-factor authentication (in which simply knowing the password is not enough to gain access). More and more services are starting to support this, and for those that do (Gmail, for example), it’s worth considering.