Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Has a Hacker Really Hacked My Email Account?

Possible, but unlikely.

An email claims your email account has been hacked, possibly even including a password you've used. Don't be fooled; it's a scam.
The scene includes a computer screen displaying an email inbox with several spam email subjects visible, such as "Account Hacked!" and "Urgent: Security Alert." A large, bold, red 'X' is superimposed over these scam emails, symbolizing rejection or marking them as spam. In the foreground, a figure symbolizing a user (not specific in appearance) confidently presses the 'delete' or 'spam' button on the email client, ignoring the scam attempts.
(Image: DALL-E 3)
Question: Today, I received this lovely email. While I think it is complete BS and I certainly have no intention on taking any action on it, it *does* look like it was sent from my account, i.e., it appears that someone can send emails impersonating me. Do you have any advice what I should do about this?

You don’t need to do anything.

The email in question described how this person’s account had been hacked, how changing the password wouldn’t help, and that the account was being held for ransom to be paid in Bitcoin. And it appeared to be “From:” this person’s email address.

Variations of this scam even include a password — a password you’ve actually used. I’ve gotten them myself.

Even so, “complete BS” is very accurate.

Though if there is a password, there is one thing you should do.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Account hacked? Probably not, but...

These messages:

  • … are just spam. Mark them as spam and move on.
  • … lie: they do not mean your account has been hacked.
  • … can easily look like they came from your address. This does not indicate that your account was hacked.
  • … sometimes include a password you recognize, but it’s not related.
  • …may include a password exposed in some prior breach. Stop using it.

Examples

Here’s an example of what was reported (I replaced the email address with my own; it was indeed the email address of the person asking).

From: leo@askleo.com
Date: October 28, 2018 at 4:38:31 AM PDT
To: leo@askleo.com
Subject: leo@askleo.com is hacked

Hello!

My nickname in darknet is des53.
I hacked this mailbox more than six months ago. Through it I infected your operating
system with a virus (trojan) created by me and have been monitoring you for a long time.

Even if you changed the password after that - it does not matter, my virus
intercepted all the caching data on your computer and automatically saved access for me.

...

Here’s another piece of spam, this time from my own spam folder, that includes a password.

From: <leo@askleo.com>
To: "arealpassword" <leo@askleo.com>
Subject: account was hacked
Date: 1 Oct 2018 05:11:52 -0800

Hello!
I'm a member of an international hacker group.

As you could probably have guessed, your account leo@askleo.com was hacked,
because I sent message you from it.

Now I have access to you accounts!
For example, your password for leo@askleo.com is arealpassword

Within a period from July 7, 2018 to September 23, 2018, you were infected by
the virus we've created, through an adult website you've visited. So far,
we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.

In this example, “arealpassword” represents an actual password I really used in the past — just not for that email account.

There are additional variations, often playing up the adult website angle or even claiming to have recorded a video that they threaten to release if you don’t pay.

It’s spam, pure and simple

These messages are nothing more than spam. Mark them as spam and move on.

More correctly, they’re a scam: they’re trying to scare you into paying blackmail when there’s no reason to.

Spam/scam messages like this are sent to thousands of email addresses every day. If you have multiple email addresses, you’ll probably see them across many accounts.

I have dozens of email addresses, and I get dozens of these messages. If Gmail hasn’t already identified them as spam, I mark them as such and move on.

The messages lie

These messages garner attention because they try to scare you by lying about what they know.

  • They did not hack your email.
  • They did not send the message using your account.
  • They did not plant a virus on your machine to monitor password changes.
  • They did not record video of you watching online video1.
  • They do not have the password to your email account.

If you take away all these lies, there’s nothing left except spam.

But they sent “From:” my email address!

The messages only look like they came from your email address.

In reality, using a technique called “From: spoofing“, the hackers crafted an email with your email address in the “From:” line and sent it using their own servers, hacked servers, or botnet. Your email account was never involved.

“From: spoofing” is nothing new. Spammers have been doing it for years. If you look closely at your spam folder, you’ll probably see messages “From:” people you know that you know they didn’t send.  The spammers did; they just made it look like your friend sent it.

This particular ruse is no different. It’s spam.

But they included a password I actually used!

This is what made the original wave of this spam so unique: it included actual passwords associated with the email address they were sending the scam to. Note that the passwords were not necessarily the actual email account password; they were passwords associated with the account.

Blame breaches. If you’ve ever had an account at an online service that suffered a data breach, the password you used there might have been exposed at that time.

Here’s the sequence of events:

  • You have an email account with a password. Say “leo@askleo.com” with a password “kbrPMkey4AYnfu7fCX5E”.
  • You have an account at somerandomservice.com using an email address — “leo@askleo.com” — and a password — say  “arealpassword”.
  • Somerandomservice.com suffers a data breach and their account database is stolen.
  • Somerandomservice.com used poor security, making it possible for the hackers to see both the email address (“leo@askleo.com”) and the password (“arealpassword”).

That’s it. That password is “associated with” your email address because you used it somewhere. It is not the actual email account password.

But it does get your attention. (I know it got mine the first time I saw it.)

One thing to do: change passwords exposed in breaches

Whenever one of your passwords is exposed in a data breach, it’s important to stop using that password. Anywhere. That’s why the breached service will immediately instruct or force you to change your password.

If you’re using the same password anywhere else, you should change it there as well to a password unique to that specific account.

Hackers know we’re lazy and often use the same password across multiple different accounts. That’s why when a password is discovered “in the wild,” it’s still a serious thing. Hackers often try that password (along with your email address) at a variety of online services just in case you reused it there.

This scam has actually done you a small favor: it’s identified a password you should no longer use anywhere. It’s shown you that this password has been discovered “in the wild”.

Do this

If you get spam like this, you can safely ignore it, unless it includes a password you’ve used. If that’s the case, make sure you’re no longer using that password anywhere else.

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Footnotes & References

1: A specific type of online video that I’m reluctant to label because it seems to affect email deliverability and search result placement when I do. Let’s just say it’s a type of video many people would find embarrassing.

3 comments on “Has a Hacker Really Hacked My Email Account?”

  1. I got an e-mail yesterday, but not about passwords… the guy says my cameras are compromised, and that I’ve been caught on a adult site.. and has a video of myself masturbating to that video…and he demands U$S 1500 in bitcoin, or else the video will be shared to every single contact I have in Outlook

    the funniest things were…
    1- the dude wrote the whole note with different symbols and punctuation signs to pretend he was in the matrix or something…
    2- I don’t really think people have contacts in outlook anymore (specially with social media)
    1- I don’t even have webcam

    Reply
  2. hi, I received an email from a hacker. I don’t know what to believe. I’m terrified. It says I’ve been recorded and that I have 50 hours to pay since the moment I read the email. What do I do? Although it also says that I’ve been hacked by a trojan virus while I was searching some inapropiate websites. This email was sent to me in august 22 of 2019 and I found it just now. Is this an spam ? I’m worried beacuse the hacker says the he will get a notification when I read the email. Please help me. I may also add that this email was sent to me through a university account( the university uses hotmail). How is that possible? and that’s why I’m scared.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.