Your email account might be the weakest link, opening the gates to everything else.
There are a lot of variables here, so we’ll have to look at a few situations. Depending on how things are set up, yes, if someone can access your Gmail account, they could access much more.
Hacking one account to hack others
If your email account is hacked, it’s possible for a hacker to use access to that account to gain access to any other accounts referencing it. That would include accounts for which the email address is your login ID and any accounts for which the email address is specified as a recovery or “alternate” email address. Hackers can hack your accounts sequentially to gain access to more than just your email.
The initial compromise
So someone else has the password to your Gmail account. They can sign in even though you didn’t authorize them to.
We might call it a hack, a compromise, or something else, but the bottom line is that they can read your email without you noticing.
That last part is important to think about. For example:
- After reading a message, they could simply mark it as unread. If you weren’t looking at that exact time, you wouldn’t see it happen.
- They could forward a message you’ve received and then delete the forward from your Sent email and from Trash. Again, if you weren’t looking at that exact time, you wouldn’t see it happen.
- Perhaps worst of all, they could receive a message, read it, and delete it, without you ever having seen it. We’ll see why all of these are bad in a minute.
Of course, if you suspect anything, change your password immediately and consider adding two-factor authentication. With two-factor, even if someone knows your password, they won’t be able to sign in as you.
Someone has compromised your email account. Now they can move on to more things.
More compromise: directly linked accounts
Many (if not most) non-email services require you to use an email address to identify yourself. That service would have its own password, of course, but your user ID would be your email address.
I’ll use Dropbox as my example. Say you have a Dropbox account and your username is your email address. In that account, you have several important files.1
Here’s what the hacker can now do:
- Go to Dropbox.com, enter your email address, and then click on “Forgot your password?” A password reset message is sent to your email address.
- Since the hacker has access to your email, they receive that message, click on the link, and change your Dropbox password.
- They quickly delete that password-reset message and any subsequent confirmation messages from your email so you’ll never see them.
- They sign in to your Dropbox and do whatever they want with it.
Once they have access to your email, they can reset the password on any other account for which you use that email. Now they can access whatever you do on those services or change the username and password, making you lose access to your own account.
They don’t even have to know you use these secondary services. Since they know your email address, they just try it on dozens, if not hundreds, of popular services, with the assumption that you’re likely to be using one or more of them.
More compromise: loosely linked accounts
In your question, you indicated you used a different email address for those other accounts, so the previous scenario wouldn’t apply.
There are two scenarios where hackers could still compromise those other accounts.
- Your Gmail account is listed as a recovery address for the service in question. You might have more than one email address associated with your Dropbox account.2 If your Gmail account is one of them, the hacker could still use it to attempt a password reset.
- Your Gmail account is listed as the recovery or alternate email address for the second email address you use for those other accounts. Then:
  - The hacker performs an “I forgot my password” account recovery on the second email address.
  - A password reset is sent to your Gmail account.
  - The hacker, having access to your Gmail, clicks the link in the password reset email received there and sets a new password on your second email account.
  - The hacker cleans up their tracks in your Gmail account by deleting the password reset email and subsequent confirmation emails.
  - The hacker now has access to both your email accounts.
  - They can now perform password resets on any account where you’ve used that second email address.
There are more complex scenarios where accounts chained together can be sequentially compromised.
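The chains described in the two sections above (a service whose login ID is your Gmail address, a second mailbox that lists Gmail as its recovery address, and the accounts that hang off that second mailbox) are easy to audit once you write down which mailbox each account sends its password-reset links to. The script below is an added example, not code from the Ask Leo! article; the account names (`gmail`, `dropbox`, `other_mail`, `bank`, `photos`) are constructed labels, not real services or credentials. It computes every account an attacker could reach by password resets alone after taking over one mailbox, records the chain used for each, and shows how turning on two-factor authentication for a single mailbox cuts the chain off below it.

```python
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Account:
    """One online account. All names in this example are constructed labels."""
    name: str
    is_mailbox: bool = False                              # does control give inbox access?
    reset_via: list[str] = field(default_factory=list)    # mailboxes that receive its reset links
    two_factor: bool = False                              # second factor required at sign-in


def chain_compromise(accounts: dict[str, Account], start: str) -> dict[str, list[str]]:
    """
    Assume the attacker fully controls `start`. Return every account they can
    then take over purely by "forgot my password" resets, mapped to the chain
    of accounts used to get there. Accounts with two-factor enabled are never
    added: a reset email alone is not enough to sign in to them.
    """
    owned = {start: [start]}
    changed = True
    while changed:                       # repeat until no new account falls
        changed = False
        controlled_mail = {n for n in owned if accounts[n].is_mailbox}
        for acct in accounts.values():
            if acct.name in owned or acct.two_factor:
                continue
            hop = next((m for m in acct.reset_via if m in controlled_mail), None)
            if hop is not None:          # a reset link lands in a mailbox the attacker reads
                owned[acct.name] = owned[hop] + [acct.name]
                changed = True
    return owned


def with_two_factor(accounts: dict[str, Account], names: list[str]) -> dict[str, Account]:
    """Return a copy of the account map with two-factor turned on for `names`."""
    hardened = deepcopy(accounts)
    for n in names:
        hardened[n].two_factor = True
    return hardened


# Constructed account graph mirroring the article's scenarios.
EXAMPLE = {
    "gmail":      Account("gmail", is_mailbox=True),
    "dropbox":    Account("dropbox", reset_via=["gmail"]),            # login ID is the Gmail address
    "other_mail": Account("other_mail", is_mailbox=True,
                          reset_via=["gmail"]),                       # Gmail is its recovery address
    "bank":       Account("bank", reset_via=["other_mail"]),          # uses the second address
    "photos":     Account("photos", reset_via=["other_mail"], two_factor=True),
}


def report(accounts: dict[str, Account], start: str) -> str:
    """Human-readable summary: which accounts fall, and by which chain."""
    owned = chain_compromise(accounts, start)
    lines = []
    for name in accounts:
        if name in owned:
            lines.append(f"{name:11} TAKEN OVER via {' -> '.join(owned[name])}")
        else:
            lines.append(f"{name:11} safe")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Attacker controls gmail:")
    print(report(EXAMPLE, "gmail"))
    print("\nSame, after enabling two-factor on other_mail:")
    print(report(with_two_factor(EXAMPLE, ["other_mail"]), "gmail"))
```

Running it shows `bank` falling through the chain gmail -> other_mail -> bank, while `photos` stays safe only because it already has two-factor; after hardening `other_mail`, everything below it is out of reach even though the Gmail mailbox is still compromised. To audit your own accounts, replace the constructed map with your real list of services and the recovery addresses each one actually has on file.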
Does this really happen?
It’s absolutely possible, and we’ve definitely heard of it happening.
But I don’t think it’s common. Not yet, anyway.
That doesn’t mean it can’t happen to you.
You need to stay secure.
Using two-factor authentication will prevent the initial compromise or break the chain of compromise if more than one account is involved. With two-factor, knowing your password is not enough for a hacker to gain entry to your account. It’s my strongest recommendation.
Aside from that, the usual litany of password-related steps to take applies:
- Use long, strong passwords.
- Use different passwords on every different site or service.
- Use a password vault to make those two steps easy.
- Keep your account recovery information current in all your accounts.
Footnotes & References
1: Please don’t get wrapped up in what is or is not stored in Dropbox. This is an example only. It applies to any online service you have using an email address and a password.
2: Again, only an example. I’m not even positive that Dropbox, specifically, lets you have an additional recovery email address. Some services do.