How to survive an email hijacking
As some of you may know, my personal yahoo email account was hijacked about two weeks ago. Someone had broken into my account and was sending out spam FROM my actual account. This wasn't someone who was simply putting my name in the from line (spoofing). They actually hacked their way right into my account.
Now I'm fairly internet savvy, and I have no excuse as it was my own laziness and stupidity that caused this. I knew better. But this raised a few questions.
1. How the heck did they hack my password? I had two things going against me here. I had not changed my password in a long time. Probably for years. Also, out of laziness, I probably signed up for some other site using my yahoo email address and password. That site might have been hacked.
2. How can I prevent this from happening again? Clearly changing passwords regularly and not signing up for other sites with the same email/password combo would help. But, my first reaction was to try to ask Yahoo! what the heck was going on. Unfortunately, I didn't have much luck with Yahoo's online chat:
Yahoo: If you don't like getting spam messages you can report the spammers.
Me: I'm not getting spammed, someone hijacked my account and sent out spam messages FROM my account. I need to know what I can do to make sure this won't happen again.
Yahoo: You can block unwanted messages from spammers by reporting them through our form...
You get the idea. Finally I got through to someone at Yahoo! by telephone and they told me what information to change in order to prevent anyone from accessing my account including my password and some of my contact information. He also recommended that I change this info regularly.
3. How come Yahoo! let the spammers send out more than the 100 emails per hour limit? Now Yahoo!'s online chat couldn't answer this for me either as our conversation on the chat went like this:
Yahoo!: That is our policy to prevent spamming. We limit your account to about 100 emails per hour.
Me: I get that BUT you let the spammer who hacked into my account send out 100 PER MINUTE. So, why can't I send out as many to rectify the situation?
Yahoo!: Our limit is 100 per hour and you will just have to wait. If you want to report spammers, please go to ...
This ridiculous online chat was why I switched my email to gmail. While I'm sure I could prevent the Yahoo! account from being hacked into again, Yahoo's response and the fact that their limitations on numbers of emails sent only affected me and not the hijackers was enough to go through the pain of switching email providers.
4. What to do after your email gets hijacked. Now I was in a panic when this was happening as I was stuck in my car getting calls and emails and texts from friends saying "you sent me a really strange email, I think your account has been hijacked." Fortunately, I have a great relationship with my tech support guy.
- I called my IT guy and had him talk me down from hyperventilating while driving on a highway. He was able to access my account to change the password and that would stop anymore outgoing spam. Fortunately, they had not bothered to change my password (If they had, I would've gotten a notice telling me that it had been changed, but would've made it more difficult to access my account).
- When I got back to the office, I activated a new gmail account which then let me send an email to all my contacts who received the first one apologizing for the bizarre email (fortunately for me it was about buying computer products in Japan and not something worse), but also giving them my new gmail address.
- As a precaution I changed all my passwords at all the online sites I belong to. I have always taken extra precautions with financial sites so I wasn't worried about those. However, it's a lot of work and I'm still doing updates. I then marked my calendar to change these passwords three months from now.
- I'm also using firefox as a browser instead of internet explorer. My tech guys tell me it's safer.
5. The bright side ...
I couldn't decide whether it was best to pretend the incident didn't happen or to draw further attention to it by sending around a second email. Once I decided that I had had enough of Yahoo! then this was an easy decision. I needed to let people know my new gmail address. So, I took the opportunity to apologize for the first email and let everyone know how they can reach me.
Well, it was a little embarrassing as my personal address book had a lot of old unused addresses in it including a few ex-boyfriends. Note to self: clean out your contact databases. However, a handful of them, as well as other friends I'd lost touch with, took the opportunity to reconnect. Some of these reconnections even resulted in new business!
Despite my fears that my friends would think I'd really lost my mind, or was abusing my access to their email addresses, most of my contacts realized that between the typos, poor grammar and content, this was not something I had sent. A few even shared their on horror stories of even worse hijackings.
On the whole, it was a very time-consuming mistake and I'm still working at retiring that email address, but it wasn't as bad as I thought when I got those first few phone calls alerting me to the crises. Special thanks to those of you who reached out immediately to alert me that something was wrong! Time was of the essence and had I been in the office at the time, I would've been able to stop it immediately.
For more about how an email account can be hijacked and what you can do to prevent it see:
http://nazley.wordpress.com/2008/12/17/yahoo-account-compromised/
http://lifehacker.com/5110737/lessons-learned-from-a-hacked-gmail-account
Comments