It seems like not a day goes by when I don’t get a question from someone that boils down to their email account having been hacked.
Someone, somewhere, has gained access to their account, and is using it to send spam, access other online accounts, hassle contacts, and more. Sometimes passwords are changed, sometimes not. Sometimes traces are left, sometimes not. Sometimes everything in the account is erased — including contacts and saved email — and sometimes not.
Your email account has been hacked.
Here’s what you need to do next.
1. Recover your account
Log in to your email account via your provider’s website.
If you can log in successfully, consider yourself extremely lucky, and proceed to Step 2 right away.
If you can’t log in, even though you’re sure you’re using the right password, then the hacker has probably changed your password. The password you know is no longer the correct password.
You must then use the “I forgot my password” or other account recovery options offered by the service.
This usually means the service will send password-reset instructions to an alternate email address that you have access to, or send a text message to a mobile phone number you set up previously.
If the recovery methods don’t work — because the hacker changed everything, or because you no longer have access to the old alternate email or phone — you may be out of luck.
If recovery options don’t work for whatever reason, your only recourse is to use the customer service phone numbers or email addresses provided by that email service. For free email accounts, there usually is no customer service. Your options are generally limited to self-service recovery forms, knowledge base articles, and official discussion forums where service representatives may (or may not) participate. For paid accounts, there are typically additional customer service options that are more likely to be able to help.
Important: If you cannot recover access to your account, it is now someone else’s account. I can’t stress this enough. It is now the hacker’s account. Unless you’ve backed it up, everything in it is gone forever, and you can skip the next two items. You’ll need to set up a new account from scratch and start over.
2. Change your password
Once you regain access to your account (or if you never lost it), immediately change your password.
As always, make sure it’s a good password: easy to remember, difficult to guess, and long. In fact, the longer the better, but make sure your new password is at least 10 characters, and ideally 12 or more if the service supports it.
But don’t stop here.
Changing your password is not enough.
3. Change or confirm your recovery information
While a hacker has access to your account, they might leave your password alone so you won’t notice the hack for a while longer.
But whether they change your password or not, they may change all of the recovery information.
The reason is simple: if you do change your password, the hacker can follow the “I forgot my password” steps and they can reset the password out from underneath you, using the recovery information they set.
Thus, you need to check all of it and change much of it … right away.
- Change the answers to your secret questions. They don’t have to match the questions (you might say your mother’s maiden name is “Microsoft”); all that matters is that the answers you give during a future account recovery match the answers you set today.
- Check the alternate email address(es) associated with your account, and remove any you don’t recognize. The hacker could have added his or her own. Make sure you have alternate email addresses configured, and that they are accounts that belong to you that you can access.
- Check any phone numbers associated with the account. The hacker could have set their own. Remove any you don’t recognize. Make sure that if you do provide a phone number, it’s yours and no one else’s, and you have access to it.
These are the major items, but many services use additional information for account recovery. Take the time now to research what that information might be. If it’s something a hacker could have altered, change it to something appropriate for you.
Overlooking information used for account recovery allows the hacker to easily hack back in. Make sure you take the time to carefully check it all and reset it as appropriate.
4. Check “out of office” messages, reply-to, forwards, and signatures
If your email service provides an out-of-office or vacation-autoresponder feature, or some kind of automatic signature that appears at the bottom of every email you send, the hacker may already have used it, and people you correspond with may already know you’ve been hacked.
Hackers often set an auto-responder in a hacked account to automatically reply with their spam. Each time someone emails you, they get this fake message in return, often written so it sounds like you sent it.
If your account includes the ability to set a different “Reply-To:” email address, make sure that hasn’t been set. Hackers can set this so individuals who think they’re replying to you end up replying to the hacker instead.
Make sure your email is not being automatically forwarded to another email address. Hackers often set this option when it’s available, and receive copies of every email you get. They can use this to break into your account again, even after you recover it.
Check any signature or automated response features. Hackers often set up a signature so that every email you send includes whatever it is they’re promoting — often a link to a malicious web site.
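Checking these settings by hand is easy to get wrong when there are several sending identities and filters, so here is an added example of auditing them programmatically. This is not code from the article: the `SUSPICIOUS_SETTINGS` and `CLEAN_SETTINGS` dictionaries are constructed to mirror the shape of the Gmail settings API responses (auto-forwarding, forwarding addresses, send-as aliases, vacation responder, filters), which is an assumption about that API, and every address and domain in them is a made-up placeholder. Other providers expose the same concepts (rules, aliases, out-of-office) under different names; the checks carry over.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _trusted(host, trusted_domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def audit_settings(settings, my_addresses, trusted_domains=()):
    """Return (severity, finding) tuples for settings that route mail away from
    the owner or inject content into every message. `settings` is assumed to
    follow the Gmail settings API shape; `my_addresses` are addresses you own."""
    findings = []
    me = {a.lower() for a in my_addresses}

    # 1. Account-wide auto-forwarding: the hacker gets a copy of everything.
    fwd = settings.get("autoForwarding", {})
    if fwd.get("enabled"):
        target = fwd.get("emailAddress", "").lower()
        if target not in me:
            findings.append(("high", f"auto-forwarding is ON, copies go to {target}"))

    # 2. Registered forwarding addresses are often left behind even when
    #    forwarding itself has been switched off.
    for entry in settings.get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail", "").lower()
        if addr not in me:
            findings.append(("medium", f"unrecognised forwarding address registered: {addr}"))

    # 3. Reply-To and signature on each sending identity.
    for alias in settings.get("sendAs", []):
        ident = alias.get("sendAsEmail", "?")
        reply_to = alias.get("replyToAddress", "").lower()
        if reply_to and reply_to not in me:
            findings.append(("high", f"Reply-To for {ident} points to {reply_to}"))
        for url in URL_RE.findall(alias.get("signature", "")):
            host = (urlparse(url).hostname or "").lower()
            if not _trusted(host, trusted_domains):
                findings.append(("medium", f"signature on {ident} links to {host}"))

    # 4. Vacation / out-of-office responder: flag it, and flag harder if it links out.
    vac = settings.get("vacation", {})
    if vac.get("enableAutoReply"):
        body = vac.get("responseBodyHtml") or vac.get("responseBodyPlainText", "")
        hosts = sorted({(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)})
        bad = [h for h in hosts if not _trusted(h, trusted_domains)]
        if bad:
            findings.append(("high", "auto-responder is ON and links to " + ", ".join(bad)))
        else:
            findings.append(("low", "auto-responder is ON; confirm you set it yourself"))

    # 5. Filters that forward: the quiet form of forwarding, often paired with
    #    removing the message from the inbox so you never see it.
    for flt in settings.get("filters", []):
        action = flt.get("action", {})
        target = action.get("forward", "").lower()
        if target and target not in me:
            hidden = "INBOX" in action.get("removeLabelIds", [])
            note = " and hides the copy from the inbox" if hidden else ""
            findings.append(("high", f"filter {flt.get('id')} forwards to {target}{note}"))

    return findings


# Constructed sample: what a tampered account might look like (placeholder addresses).
SUSPICIOUS_SETTINGS = {
    "autoForwarding": {"enabled": True, "emailAddress": "collector@mail-drop.example",
                       "disposition": "leaveInInbox"},
    "forwardingAddresses": [{"forwardingEmail": "collector@mail-drop.example",
                             "verificationStatus": "accepted"}],
    "sendAs": [{"sendAsEmail": "you@example.com", "isPrimary": True,
                "replyToAddress": "you-support@mail-drop.example",
                "signature": "Regards, You<br>Great deals: http://promo.mail-drop.example/offer"}],
    "vacation": {"enableAutoReply": True, "responseSubject": "Out of office",
                 "responseBodyPlainText": "I'm away. Meanwhile see http://promo.mail-drop.example/offer"},
    "filters": [{"id": "f1", "criteria": {"from": "bank"},
                 "action": {"forward": "collector@mail-drop.example", "removeLabelIds": ["INBOX"]}}],
}

# Constructed sample: the same account with nothing out of place.
CLEAN_SETTINGS = {
    "autoForwarding": {"enabled": False},
    "forwardingAddresses": [],
    "sendAs": [{"sendAsEmail": "you@example.com", "isPrimary": True,
                "replyToAddress": "", "signature": "Regards, You"}],
    "vacation": {"enableAutoReply": False},
    "filters": [],
}

if __name__ == "__main__":
    for sev, text in audit_settings(SUSPICIOUS_SETTINGS, ["you@example.com"], {"example.com"}):
        print(f"[{sev}] {text}")
```

Run against the suspicious sample this reports six findings, four of them high: the account-wide forward, the foreign Reply-To, the linking auto-responder and the forwarding filter. The clean sample yields nothing. The point of the severity split is triage: anything that sends mail somewhere else (forwarding, Reply-To, filters) lets the intruder back in after you change the password, so those get fixed first; a stray signature link is embarrassing but does not hand over the account.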
5. Check related accounts
This is perhaps the scariest and most time-consuming aspect of account recovery. The risks are high, so understanding this is important.
While the hacker has access to your account, they have access to your email, including past and current emails as well as what arrives in the future.
Let’s say the hacker sees you have a notification email from your Facebook account. The hacker now knows you have a Facebook account, and what email address you use for it. The hacker can go to Facebook, enter your email address, and request a password reset.
A password reset sent to your email account … which the hacker has access to.
As a result, the hacker can now hack your Facebook account by virtue of having hacked your email account.
In fact, the hacker can now gain access to any account associated with the hacked email account.
Like your bank. Or PayPal.
Let me say that again: because the hacker has access to your email account, he can request a password reset be sent to it from any other account for which you use this email address. In doing so, the hacker can hack and gain access to those accounts.
What you need to do: check your other accounts for password resets you did not initiate and any other suspicious activity.
If there’s any doubt, consider changing the passwords on all those accounts as well. (There’s a strong argument for checking or changing the recovery information for these accounts, just as you checked on your email account, for all the same reasons.)
6. Let your contacts know
Some disagree with me, but I recommend letting your contacts know that your account was hacked, either from the account, once you’ve recovered it, or from your new email account.
Inform all the contacts in the online account’s address book — that’s the address book the hacker had access to.
I believe it’s important to notify your contacts so they know not to pay attention to email sent while the account was hacked. Occasionally, hackers try to impersonate you to extort money from your contacts. The sooner you let them know the account was hacked, the sooner they’ll know that any such request — or even the more traditional spam that might have come from your account — is bogus.
7. Start backing up
A common reaction to my recommendation that you let your contacts know is: “But my contacts are gone! The hacker erased them all, and all of my email as well!”
Yep. That happens.
It’s often part of a hacker not wanting to leave a trail; they delete everything they’ve done, along with everything you have. Or had.
If you’re like most people, you’ve not been backing up your online email. All I can suggest at this point is to see if your email service will restore it for you. In general, they will not. Because the deletion was not their doing, but rather the doing of someone logged into the account, they may claim it’s your responsibility.
Hard as it is to hear, they’re absolutely right.
Start backing up your email now. Start backing up your contacts now.
For email, that can be anything from setting up a PC to periodically download the email, to setting up an automatic forward of all incoming email to a different account, if your provider supports that. For contacts, it could be setting up a remote contact utility (relatively rare, I’m afraid) to mirror your contacts on your PC, or periodically exporting your contacts and downloading them, which is what I do.
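For the "set up a PC to periodically download the email" option, here is an added example (not from the article) of a small incremental IMAP backup in Python. It copies a folder into a local mbox file and tags each saved message with an `X-Backup-UID` header so that re-running it only fetches what is new. The `IMAP_HOST`, `IMAP_USER` and `IMAP_PASS` environment variables are an assumption of this script, and the `_FakeImap` class and `SAMPLE_MESSAGES` are a constructed stand-in for a real server so the example runs offline.

```python
import imaplib
import mailbox
import os
import tempfile


def backup_folder(conn, folder, mbox_path):
    """Copy every message in `folder` on `conn` into the mbox at `mbox_path`.

    `conn` is an imaplib.IMAP4 connection (or anything with the same
    select()/uid() methods). Returns the number of newly saved messages;
    messages already present in the mbox are skipped by UID.
    """
    typ, _ = conn.select(folder, readonly=True)  # read-only: never flag or expunge
    if typ != "OK":
        raise RuntimeError(f"cannot open folder {folder!r}")
    typ, data = conn.uid("SEARCH", None, "ALL")
    if typ != "OK":
        raise RuntimeError("UID SEARCH failed")

    box = mailbox.mbox(mbox_path)  # created if missing
    box.lock()
    try:
        already = {m.get("X-Backup-UID") for m in box}
        saved = 0
        for uid in data[0].split():
            if uid.decode() in already:
                continue
            typ, parts = conn.uid("FETCH", uid, "(RFC822)")
            if typ != "OK" or not parts or not isinstance(parts[0], tuple):
                continue  # skip anything the server did not return intact
            raw = parts[0][1]
            # Prefix our bookkeeping header so the next run can recognise the message.
            box.add(b"X-Backup-UID: " + uid + b"\r\n" + raw)
            saved += 1
        box.flush()
    finally:
        box.unlock()
        box.close()
    return saved


class _FakeImap:
    """Constructed stand-in for imaplib.IMAP4_SSL so the example runs offline."""

    def __init__(self, messages):
        self._messages = messages  # {uid (bytes): raw RFC 822 message (bytes)}

    def select(self, folder, readonly=False):
        return "OK", [str(len(self._messages)).encode()]

    def uid(self, command, *args):
        if command == "SEARCH":
            return "OK", [b" ".join(self._messages)]
        if command == "FETCH":
            uid = args[0]
            raw = self._messages[uid]
            return "OK", [(b"%s (UID %s RFC822 {%d}" % (uid, uid, len(raw)), raw), b")"]
        raise ValueError(command)


# Constructed sample mail, not real traffic.
SAMPLE_MESSAGES = {
    b"101": b"From: alice@example.com\r\nTo: you@example.com\r\nSubject: Hello\r\n\r\nFirst message.\r\n",
    b"102": b"From: bob@example.com\r\nTo: you@example.com\r\nSubject: Invoice\r\n\r\nSecond message.\r\n",
}
LATER_MESSAGE = (b"103", b"From: carol@example.com\r\nTo: you@example.com\r\nSubject: Later\r\n\r\nNew since last run.\r\n")


def run_demo():
    """Back up the fake folder, then again after one new message arrives.
    Returns (saved on first run, saved on second run, messages in the mbox)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "inbox.mbox")
        first = backup_folder(_FakeImap(SAMPLE_MESSAGES), "INBOX", path)
        grown = dict(SAMPLE_MESSAGES)
        grown[LATER_MESSAGE[0]] = LATER_MESSAGE[1]
        second = backup_folder(_FakeImap(grown), "INBOX", path)
        box = mailbox.mbox(path)
        total = len(box)
        box.close()
    return first, second, total


if __name__ == "__main__":
    host, user, pw = (os.environ.get(k) for k in ("IMAP_HOST", "IMAP_USER", "IMAP_PASS"))
    if host and user and pw:
        with imaplib.IMAP4_SSL(host) as conn:
            conn.login(user, pw)
            print("saved", backup_folder(conn, "INBOX", "inbox.mbox"), "new messages")
    else:
        print("offline demo (first run, second run, total):", run_demo())
```

Scheduled with cron or Task Scheduler, this gives you exactly the copy the article says most people lack: if the account is wiped, the mbox still opens in any mail client that imports mbox. The `readonly=True` select matters; a backup job should never be able to delete or mark anything on the server, so a bug in it cannot do the hacker's work for them.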
8. Learn from the experience
Aside from “you should have been backing up,” one of the most important lessons to learn from this experience is to consider all the ways your account could have been hacked, and take appropriate steps to protect yourself from a repeat occurrence.
- Use strong passwords that can’t be guessed, and don’t share them with anyone.
- Don’t fall for email phishing attempts. If they ask for your password, they are bogus. Don’t share your password with anyone.
- Don’t click on links in email you are not 100% certain of. Many phishing attempts lead you to bogus sites that ask you to log in and then steal your password when you try.
- If you’re using WiFi hotspots, learn to use them safely.
- Keep the operating system and other software on your machine up to date, and run up-to-date anti-malware tools.
- Learn to use the internet safely.
- Consider multi-factor authentication (in which simply knowing the password is not enough to gain access). More and more services are starting to support this, and for those that do (Gmail, for example), it’s worth using.
If you are fortunate enough to be able to identify exactly how your password was compromised (it’s not common), then absolutely take measures so it never happens again.
9. If you’re not sure, get help
If the steps above seem too daunting or confusing, then definitely get help. Find someone who can help you get out of the situation by working through the steps above.
While you’re at it, find someone who can help you set up a more secure system for your email and advise you on the steps you need to take to prevent this from happening again.
And then follow those steps.
The reality is that you and I are ultimately responsible for our own security. That means taking the time to learn how to set things up securely.
Yes, additional security can be seen as an inconvenience. In my opinion, dealing with a hacked email account is significantly more inconvenient, and occasionally downright dangerous. It’s worth the trouble to do things right.
If that’s still too much … well … expect your account to get hacked again.
10. Share this article
As I said, email account theft is rampant.
Share this article with friends and family. Statistically, one of you will soon encounter someone whose account has been hacked and will need this information.