Either because it’s not really closed, or it doesn’t matter that it’s closed.
People frequently write to me asking how to close an email account that has been hacked into. Quite often they’re particularly desperate and insistent that the account must be closed, and immediately.
This question illustrates why my recommendation is: don’t waste your time.
Closing the account, in all likelihood, won’t help: the damage has already been done.
You have a working and probably important email account on a popular email service.
One day you get a number of reports from people with whom you regularly exchange email complaining that they’ve received what looks like spam from you. In fact, some of that spam may even have included malware, and some of your contacts might be upset that their machine has become infected because of email that you sent.
Except that you didn’t send it.
And yet the spam continues. Closing didn’t help.
There are several reasons this might happen.
Reason 1: Your account was never hacked
There’s a very good chance that there was never anything wrong with your account and that it had not been hacked into.
In fact, I’ll go so far as to say that this is the most common scenario.
What most people don’t realize is that email is incredibly easy to fake. That means that it’s downright trivial for a spammer to make it look like an email came “From:” your email address without needing any kind of access to your account. It’s called “From: spoofing”, and if you look carefully most spam comes “From:” email addresses that actually have nothing to do with the spam at all. The sender has been completely faked.
So how did they get your contacts?
Three things come to mind:
- Blind luck. With millions and millions of spam emails being sent every day, it’s very possible that your email address could have been faked on spam sent to someone you know, randomly.
- Information leakage. For a while there was a way to determine some friend relationships on Facebook without needing to be logged in, exposing the email addresses of those friends. Any similar kind of data breach or leakage could expose similar relationships – even just communicating in a public forum where email addresses are exposed could do it. And of course, email in transit is also visible to all servers that it happens to land on, so information about who you’re mailing might well be something that could be harvested if the email servers themselves are somehow compromised.
- It could be one of your contacts who was hacked. It could be the contact list from their account that was harvested by the spammers, and thus your email address could have been harvested from it and then used to fake “From:” lines in spam targeted at the other friends and contacts.
There’s really no 100% certain way to tell, but the first thing I would have you do is check the Sent Mail folder of your online account or web interface. If you see the spam in that folder indicating it was sent from your account, then indeed you’ve been hacked and should take all necessary steps to recover. If it’s not there, it’s not proof of anything, but I actually would not panic unless more evidence of an actual hack appears.
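When a contact can forward you the full headers of one of the suspicious messages, they give a second signal alongside the Sent Mail check. The sketch below is an added example, not part of the original article: it compares the visible “From:” domain with the envelope sender and with the SPF/DKIM/DMARC verdicts recorded in the Authentication-Results header. Both sample messages, all addresses and domains, and the function names are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed samples; every address and domain below is made up.
SPOOFED = """\
Return-Path: <bounce@bulk-mailer.invalid>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-mailer.invalid;
 dkim=none;
 dmarc=fail header.from=example.com
From: "You" <you@example.com>

(constructed spam body)
"""
GENUINE = """\
Return-Path: <you@example.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "You" <you@example.com>

(constructed body)
"""

def _domain(header_value):
    # Domain part of an address header, lowercased ('' if the header is absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def assess(raw):
    msg = email.message_from_string(raw)
    from_dom = _domain(msg["From"])          # what the reader sees
    env_dom = _domain(msg["Return-Path"])    # envelope sender used in SMTP
    # Use only the topmost Authentication-Results header, and trust it only
    # if the recipient's own mail server added it; older copies can be forged.
    ar = (msg.get_all("Authentication-Results") or [""])[0].lower()
    checks = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    if checks.get("dmarc") == "pass":
        verdict = "sent-via-domain"    # really went through the provider
    elif checks.get("dmarc") == "fail" or (env_dom and env_dom != from_dom):
        verdict = "likely-spoofed"     # "From:" was faked elsewhere
    else:
        verdict = "inconclusive"
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "checks": checks, "verdict": verdict}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, assess(raw))
```

A mismatch between the envelope and “From:” domains on its own is only a hint, since forwarding services and mailing lists produce it legitimately. A “sent-via-domain” result is the case to treat as a real compromise.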
Reason 2: Hackers just reopen the account
When most people close their account in a panic, they simply go through the steps to close their account and nothing more.
Not only is it ultimately ineffective, but closing your account is actually not enough.
If you do close your account you’ll often find that there’s an “out” – a way that, for some limited time, you can re-open the account should you later change your mind. And before you shake your head at the thought, I can assure you that you’d be surprised at how often people do change their minds.
The “I didn’t really mean it!” approach typically involves once again proving that you are the owner of the account, using your password and additional identity verification steps.
Sometimes it’s as simple as just logging into the account again after you’ve “closed” it.
Hackers know all this.
They often know that the account can be reopened. They often know, or have changed, the account validation and alternate contact information.
So, within moments of your closing the account, the hacker just re-opens it and resumes sending spam from it.
Reason 3: You reopen the account
As I mentioned above, sometimes just logging into the account is enough to cancel its closure.
Many accounts these days are more than just email. On that same account you may have messaging programs, calendars, online storage, photo sharing services, and much, much more.
If you cancel the email account, and then go log into another service that uses the same account ID and password, you probably re-activated the email account.
If you intend to cancel the account, you have to forever walk away from everything associated with that account.
Otherwise the account may simply not be canceled.
Reason 4: Hackers don’t need your account any more
A common trick of hackers is to slip into an account they’ve just hacked and steal the contents of the address book.
In that scenario, the damage has been done.
Even if you recover and completely secure the account, or even if you really, truly cancel the account and it really, truly is and stays canceled:
- Hackers can still send spam to all your contacts, because they’ve stolen them.
- Hackers can even make spam look like it came from you, even though they are no longer using your account. As I mentioned above, “From:” spoofing is trivially easy.
So you might put a lot of time and mental energy into closing the account, and even if you’re successful … it solves nothing because the hackers left it behind long ago.
Reason 5: It’s now someone else’s account
If you successfully close an account, most services hold on to the account name (usually the email address) for “a while” – anywhere from a few days to a few months.
Then, they make it available for new account creation, since no one is using it.
Someone could (and if your email name is particularly desirable, almost certainly will) open a new account with the email address you left behind. No, they won’t have your data or your contacts, but they will now have your old email address.
They could get hacked. Heck, they could be spammers themselves. After really closing an account you lose all control over the email address, and you have no idea who might get it some day in the future.
Your old “closed” account could come back to haunt you.
What can you do?
Aside from not getting your account hacked in the first place, there’s almost nothing you can do.
Of course, if your account has been hacked, you need to recover it. Start here as quickly as you can: Email Hacked? 7 Things You Need to do NOW. But it may be too late; the hackers may have copied out all the information they need to keep spamming your friends and make it look like it came from you.
What I can say is that closing your account isn’t going to help, and ultimately could make things even worse as you eventually relinquish all control over it.