
Has a Hacker Really Hacked My Email Account?

Today, I received this lovely email. While I think it is complete BS and I certainly have no intention of taking any action on it, it *does* look like it was sent from my account, i.e., it appears that someone can send emails impersonating me. Do you have any advice what I should do about this?

Nothing.

The questionable email message that this person was reporting describes how this person’s account had been hacked, how changing the password wouldn’t help, and that it was being held for ransom to be paid in Bitcoin. And, indeed, it appeared to be “From:” this person’s email address.

Variations of this scam even include a password — a password that you’ve actually used.

Even so, “complete BS” is very accurate.

Though, if there is a password, then there is one thing you should do.


Summary

  • These messages are nothing more than spam. Mark them as such and move on.
  • The messages lie: they do not mean your account has been hacked.
  • Email can easily be made to look like it came from your email address without needing to hack your account.
  • Even if it includes a password you recognize, it’s probably not related to this account.
  • That password was exposed in some prior breach, and you should stop using it.

Examples

Here’s an example of what was reported (I replaced the email address with my own – it was indeed the email address of the person asking):

From: leo@askleo.com
Date: October 28, 2018 at 4:38:31 AM PDT
To: leo@askleo.com
Subject: leo@askleo.com is hacked

Hello!

My nickname in darknet is des53.
I hacked this mailbox more than six months ago. Through it I infected your operating
system with a virus (trojan) created by me and have been monitoring you for a long time.

Even if you changed the password after that - it does not matter, my virus
intercepted all the caching data on your computer and automatically saved access for me.

...

And another, this time from my own spam folder, including a password:

From: <leo@askleo.com>
To: "arealpassword" <leo@askleo.com>
Subject: account was hacked
Date: 1 Oct 2018 05:11:52 -0800

Hello!
I'm a member of an international hacker group.

As you could probably have guessed, your account leo@askleo.com was hacked,
because I sent message you from it.

Now I have access to you accounts!
For example, your password for leo@askleo.com is arealpassword

Within a period from July 7, 2018 to September 23, 2018, you were infected by
the virus we've created, through an adult website you've visited. So far,
we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.

In this example, “arealpassword” represents an actual password I have indeed used in the past — just not for that email account.

There are additional variations, often playing up the adult website angle, or even claiming to have recorded a video that they threaten to release if you don’t pay.

It’s spam, pure and simple

These messages really are nothing more than spam. Mark them as such and move on.

More correctly, they’re a scam: they’re trying to fool you into paying when there’s absolutely no reason to.

Messages like this are sent to thousands upon thousands of email addresses every day. Just like spam. If you have multiple email addresses, you’ll probably see them across many accounts.

I have dozens of email addresses and I get dozens and dozens of these messages. If Gmail hasn’t already identified them as spam, I mark them as such and move on.

The messages lie

These messages garner attention because they try to scare you by lying about what they know.

  • They did not hack your email.
  • They did not send the message using your account.
  • They did not plant a virus on your machine to monitor password changes.
  • They did not record video of you watching online video.[1]
  • They do not actually have the password to your email account.

If you take away all these lies, there’s nothing left except spam.

But, they sent “From:” my email address!

The messages only look like they came from your email address.

In reality, using a technique called “From: spoofing”, the hackers simply crafted an email with your email address in the “From:” line and sent it using their own servers, hacked servers, or botnet. Your actual email account was not involved in any way.

“From: spoofing” is nothing new. Spammers have been doing it for years. If you look closely at your spam, you’ll probably see messages “From:” people you know that they didn’t send. That’s because they didn’t. The spammers did, and simply made it look like your friend sent it.

This particular ruse is no different. It’s spam.
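To see this for yourself, compare the displayed “From:” address with what the receiving mail server recorded about the real sender. The following is an added example, not part of the original article: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header stamped by your own mail server and ignores any copy of that header the sender typed in. The host names mx.receiver.example, bulk.example and forged.example, the 203.0.113.7 address and both sample messages are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample of what a receiving server might store for the first scam
# message above. mx.receiver.example, bulk.example, forged.example and the
# 203.0.113.7 address are placeholders, not values from a real message.
SPOOFED = """\
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bounce@bulk.example; dkim=none; dmarc=fail header.from=askleo.com
Received: from bulk.example (unknown [203.0.113.7]) by mx.receiver.example; Sun, 28 Oct 2018 04:38:31 -0700
Authentication-Results: forged.example; spf=pass; dkim=pass; dmarc=pass
Return-Path: <bounce@bulk.example>
From: leo@askleo.com
To: leo@askleo.com
Subject: leo@askleo.com is hacked

Hello!
"""

# Constructed sample of a message that really went through the domain's own servers.
GENUINE = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=leo@askleo.com; dkim=pass header.d=askleo.com; dmarc=pass header.from=askleo.com
Return-Path: <leo@askleo.com>
From: leo@askleo.com
To: reader@receiver.example
Subject: Confident Computing

Hello!
"""


def domain_of(address):
    """Lower-cased domain part of an address header ('' if the header is missing)."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def assess(raw, trusted_authserv="mx.receiver.example"):
    """Report whether the receiving server authenticated the From: domain."""
    msg = email.message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # the sender can type this header too; trust only our own server's
        for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, outcome.lower())
    dmarc = results.get("dmarc")
    verdict = {"pass": "authenticated", "fail": "unauthenticated"}.get(dmarc, "inconclusive")
    return {
        "header_from": domain_of(msg["From"]),           # what the mail client displays
        "envelope_from": domain_of(msg["Return-Path"]),  # envelope sender recorded at delivery
        "results": results,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, assess(raw))
```

For the spoofed sample the displayed domain is askleo.com while the envelope sender is bulk.example and DMARC fails: the message never touched the real account. Set trusted_authserv to the name your own provider writes in that header.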

But they included a password I actually used!

This is what made the original wave of this spam so unique: it included actual passwords associated with the email address they were sending the scam to. Note that the passwords were not necessarily the actual email account password; they were passwords associated with the account.

Blame breaches. Specifically, if you’ve ever had an account at an online service that suffered a data breach, the password you used at that service might have been exposed at that time.

Here’s the sequence of events:

  • You have an email account with a password. Say “leo@askleo.com” with a password “kbrPMkey4AYnfu7fCX5E”.[2]
  • You have an account at somerandomservice.com using an email address (“leo@askleo.com”) and a password (“arealpassword”).
  • Somerandomservice.com suffers a data breach and their account database is stolen.
  • Somerandomservice.com used poor security, making it possible for the hackers to see both the email address (“leo@askleo.com”) and the password (“arealpassword”).

That’s it. That password is “associated with” your email address because you used it somewhere. It is not the actual email account password.

But it does get your attention. (I know it got mine the first time I saw it.)

One thing to do: change passwords exposed in breaches

Whenever a password you use is somehow exposed in a data breach, it’s important to stop using that password. Anywhere. That’s why the breached service will immediately instruct or force you to change your password.

If you’re using the same password anywhere else, you should change it there as well, to a password unique to that specific account.

Hackers know we’re lazy and often use the same password across multiple different accounts. That’s why when a password is discovered “in the wild,” it’s still a serious thing. Hackers often try that password (along with your email address) at a variety of online services, just in case you reused it there.

This scam has actually done you a small favor: it’s identified a password that you should no longer use anywhere. It’s shown you that this password has been discovered “in the wild”.

Footnotes & references

1: A specific type of online video that I’m reluctant to label because it seems to affect email deliverability and search result placement when I do. Let’s just say it’s a type of video many people would find embarrassing.

2: Before you ask, of course that’s not my password. (Smile)

43 comments on “Has a Hacker Really Hacked My Email Account?”

  1. I loved this article as I have been getting these emails. Another one says it is from Canada Post
    but really is not and asks you to download an invoice in a format that cannot be opened by any program.

    Really enjoy your newsletters
    Thank you

    Reply
  2. “But it does get your attention. (I know it got mine the first time I saw it.)” – Yup. You certainly have a “What the hell?” moment. It’s one of the clever scams and, I suspect, dupes a fair number of people.

    Reply
    • Personally I find it interesting that they’re willing to make the assumption that people can figure out how to make a payment in bitcoin. I guess they only need a couple…

      Reply
      • Amen to that — I wouldn’t even begin to know how to acquire any Bitcoin — nor even to know where I should look to gain that information. (Nor am I interested.)

        Reply
  3. I get these critical security alerts from Google and cannot figure out how to shut down the “gtempaccount” since I didn’t really set it up and Google does not let me log in to delete it (they don’t recognize me as the owner, even though I use passwords I have used to log in to my ACTUAL Google Apps For Your Domain account (legacy, non-paid)). The scary part is that they “used your password”:
    Sign-in attempt was blocked
    myname%mydomain.com@gtempaccount.com
    Someone just used your password to try to sign in to your account from a non-Google app.

    Reply
  4. Thanks for the article. I got one of these emails and expected it was a scam, but seeing an old password that you have used can make you stop and think. I would not have seen it, except I was looking through my spam folder for another email that I thought I missed. I suspect it was a yahoo or facebook breach that released my old password to cyberspace.

    Reply
  5. I get these also and it’s interesting how they ask for some odd ball amount of money.
    There isn’t much you can do to prevent spoofing, but there are a couple of methods that may help minimize these or send them directly to the spam folder. These methods would depend on your email provider and they may not be available with free web mail accounts, although gmail seems to have a default SPF (see below).

    (1) Look up “Sender Policy Framework” or SPF. This is a protocol built into email servers that’s designed to reject emails whose real sender IP address doesn’t match the “From” address’s domain. This would be the case for a spoofed From address. There are many good explanations for SPF online, such as https://support.google.com/a/answer/33786 or https://postmarkapp.com/blog/explaining-spf.

    You can find out the real sender’s ISP IP address in the full email header. For example, I know that my spoofed emails come from an ISP in Brazil. In gmail, to see the SPF setting, open an email, click on the 3-dot menu at the top right, and select “Show Original” in the context menu. On the page that opens, to see the full email header, click the “Download Original” link.

    (2) If your email provider allows you to set up a blacklist of email domains, you can use the information in the email header to blacklist the sender IP address or domain. This will send these types of email to the spam folder.

    (3) If you find the sender’s ISP you can send an email to its “abuse” email address, attaching one of the spoofed emails (with full header). This last item will just make you feel good, but won’t really do much to stop the spoofed emails.

    Reply
  6. I also received on Oct. 20, 2018 such an e-mail with the request of paying (in bitcoin) $ 878 (?). It seemed to come from an old friend of mine and quoted, for my recognized real e-mail address, a password which I don’t recognize at all (possibly one I used once only and is now just forgotten). I phoned my old friend and explained to him what had occurred. Afterwards I treated the e-mail as SPAM. Thanks a lot, Leo, for your wonderful lessons.

    Reply
  7. I have also received a couple of these. One quoted a password (which I immediately recognized as an old old password and was spelled wrongly anyway).
    They both indicated they had recorded me on my webcam – good luck with that, I don’t actually own one.
    I treated them with the contempt they deserved and ignored them.

    I suspect the ‘random’ ransom has something to do with the fluctuating value of bitcoins, but I could be wrong.

    Reply
    • One of the reasons I don’t have a monitor with a webcam and/or microphone.

      And yes, I’ve had a couple of “emails” over the last 10 years or so threatening to release video of me “abusing myself” and I better pay up or they’ll release it to the authorities yada yada yada… ha ha, yeah right. If only “I could” abuse myself. Medical issues most certainly preclude me from obliging them on that. LOL

      Reply
  8. Good article. I recently ran into another version using my phone. Calls reporting that they were from one of my email providers kept leaving messages stating that my account had been hacked and to call to reset my account info. Failure to do so claimed that my access would be terminated. This followed a few emails with similar claims that had arrived. The emails may or may not have been from the same source. I had deleted them once I considered them phishing. The frequency of the calls increased over about 6 weeks, apparently terminating on the last day where about 6-7 calls came in. This last date masked the calls as from my own phone number. I did contact the provider via an access provided by them not the caller. They verified that they do not make such calls or email notices.

    Reply
    • Yep, these are coming in many different forms via email and phone. It’s annoying, but best ignored or marked as spam if that’s an option. Thanks!

      Reply
  9. I received this kind of scam, but it actually contains my current password. I used the email for daily life and it actually had my address. I don’t know what I should do. Should I stop using that account?

    Reply
    • No need to stop using the account. Just change the password and recovery information on all websites which use that password. Actually, you shouldn’t use the same password on more than one site. Breaches like that put all websites with that password at risk.

      Reply
  10. I got the same spam. I reported it to Spam Cop and naturally it didn’t come from my ISP but one in Brazil. It’s called “spoofing.” Frankly I don’t have a clue how to PAY FOR ANYTHING with Bitcoins.

    Reply
    • Honestly that’s one of the things that surprises me about this spam: the average user has no idea what Bitcoin is, or how to pay using it. I guess the hope is that someone will get so freaked out by the threat that they’ll figure something out and do it poorly, in a hurry, or whatever, without realizing that once paid there’s ZERO recourse.

      Reply
  11. I just wonder how many people fell into this cheap trap, just because they are threatened by “having visited an adult site” … If many indeed, then this would be very sad for our world …
    In my opinion, all this bitcoin issue should have never been allowed to come into living, because it only facilitates illegal activities of all kinds.
    Any kind of technology should be kept under severe control.

    Reply
  12. A few months ago I received such a spoofed email, without a password but with details they claimed to have collected for some months “while they had access” to my account. One claim was that they had recorded porn that I had watched with added footage of how I reacted to the porn. They wanted me to pay them a few hundred euro in bitcoin. It was not difficult to decide what I should do: since I never watch porn and have my webcam permanently covered with black adhesive tape when I don’t actually use it, the claim was evidently spurious and I simply deleted the blackmail message.
    Bitcoin! I’ve never even tried to do anything with bitcoin. No idea how that works… They demand bitcoin for their own safety, but don’t realise that not many people know how to use it. Especially the people who fall for their scam.

    Reply
  13. I surely appreciate your article on this, Leo! I got one of these messages two months ago with a password I had used on the email account previously not currently. I foolishly had used that same password though on multiple other sites. The scammer demanded I not message him (or her) back because it was not negotiable and there was nothing I could do about it because they already knew everything including Facebook friends, all my passwords to bank accounts, etc. due to having installed a keylogger so they knew when I had read their demand message. They gave me 48 hours to pay the ransom of $1,400.00 in Bitcoin. Also said he had a video as you mentioned but I knew that wasn’t possible since I have never removed the black tape I covered the camera with when I bought the computer. That led me to wonder how much they really knew about me, if anything. So I knew better than to pay and I immediately started changing all the passwords and recovery info for each site I could remember using the one they knew about. Even decided that if they really had installed a keylogger, I had to change all my passwords besides the one they listed. I’ve been busy since that’s a LOT of passwords! Your article has eased my mind substantially, Leo. Thanks again!!

    Reply
  14. I received these messages. I can not for the life of me access my gmail account. I can not even access my registration and other domain hosting companies. I never changed this information. I am very willing to provide my domain name and have anyone look it up.

    I did have g suite. When I canceled g suite, the mess began! I am at my wits end. I have hired hackers but never heard from them again. I was scammed! Live and learn. I do want to know how to get my domain and email account back.

    Is there any advice?

    Thanks!

    Reply
  15. Thanks for a very useful article, Leo. I just received two of these emails in my Junk folder. The password they know of mine is one I use for sites where security is not very important, like newspaper comments or online forums. I’ve used it for literally dozens of sites going back fifteen years, and it would be a lot of work to change them all. Do you think I really need to?

    Reply
  16. I received 10 of these emails and blocked them but they keep sending it from different email accounts because they found out that I blocked them. They have one of my passwords. I closed my email account. They are sending sometimes three emails per day.

    Reply
  17. One thing to be aware of is if a hacker did have access to your email with the password they probably did login and change the Proxy settings so they can read anything you send from their server. Why would they do this, to monitor any financial or monetary things they may be able to use against you.

    Reply
  18. Marking these mails as spams on my official email address for a long time now. But recently I have noticed that emails from my address have started turning up in spam folders. Gmail says that often mails from (my email address) have been reported as spam. I do not use my mail for marketing or anything. Could it be that me reporting the spoofing as spam has resulted in Gmail to consider it as spam?

    Reply
    • If the spam comes “from” your email address — whether you sent it or not (i.e. it was spoofed) — then I would assume marking it as spam might well act as a strike against your email address. Google has to know that this kind of spoofing is going on, so it can’t be a huge negative hit, though.

      Reply
  19. Hi,
    I received an email saying that my Operating System had been hacked and that the hacker has access to my webcam and microphone. He said that he would send false information to all my contacts unless I paid him.
    I have no intention of paying him but how should I proceed with this?

    Reply
  20. Leo!

    The person asked “…Do you have any advice what I should do about this?”

    You replied with “Nothing.”

    Most people know what you meant by “Nothing”. Some people seeing “Nothing” might interpret it to mean you have no advice and they stop reading because they’re in a hurry to get to their next e-mail.

    Reply
  21. “A specific type of online video that I’m reluctant to label because it seems to affect email deliverability and search result placement when I do.”

    Really ? Just using the word I think you refrained from using affects your blog’s performance in search engines, and email deliverability for your own messages ? Wow !

    Reply
    • SEO and spam filtering are a bitch. But that brings up a question: If certain key words can negatively affect your SEO, wouldn’t comments on the page have the same effect?

      Reply
  22. Hi there,

    I have a yahoo personal email account that I haven’t accessed for 3 years. I don’t remember the password at all. I have tried everything but still cannot get the right password. The secondary email attached to the email account is wrong (one letter added by mistake), and there is no phone number attached to the email account.

    Is there a way to access my email?

    Reply
  23. A few minutes ago I received an email from “Hacker Team” is a non-reply account. I was really scared, because they ask for 800 USD bitcoins, and if I do they won’t publish a video of me watching porn or something… It also says that I only have a maximum of two days to deposit the bitcoins, should I change my passwords?

    Reply
