Your email account might be the weakest link, opening the gates to everything else.
There are a lot of variables here, so we’ll have to look at a few situations. Depending on how things are set up, yes, if someone can access your Gmail account, they could access much more.
Hacking one account to hack others
If your email account is hacked, it’s possible for a hacker to use access to that account to gain access to any other accounts referencing it. That would include accounts for which the email address is your login ID and any accounts for which the email address is specified as a recovery or “alternate” email address. Hackers can hack your accounts sequentially to gain access to more than just your email.
The initial compromise
So someone else has the password to your Gmail account. They can sign in even though you didn’t authorize them to.
We might call it a hack, a compromise, or something else, but the bottom line is that they can read your email without you noticing.
That last part is important to think about. For example:
- After reading a message, they could simply mark it as unread. If you weren’t looking at that exact time, you wouldn’t see it happen.
- They could forward a message you’ve received and then delete the forward from your Sent email and from Trash. Again, if you weren’t looking at that exact time, you wouldn’t see it happen.
- Perhaps worst of all, they could receive a message, read it, and delete it, without you ever having seen it. We’ll see why all of these are bad in a minute.
Of course, if you suspect anything, change your password immediately and consider adding two-factor authentication. With two-factor, even if someone knows your password, they won’t be able to sign in as you.
Someone has compromised your email account. Now they can move on to more things.
More compromise: directly linked accounts
Many (if not most) non-email services require you to use an email address to identify yourself. That service would have its own password, of course, but your user ID would be your email address.
I’ll use Dropbox as my example. Say you have a Dropbox account and your username is your email address. In that account, you have several important files.1
Here’s what the hacker can now do:
- Go to Dropbox.com, enter your email address, and then click on “Forgot your password?” A password reset message is sent to your email address.
- Since the hacker has access to your email, they receive that message, click on the link, and change your Dropbox password.
- They quickly delete that password-reset message and any subsequent confirmation messages from your email so you’ll never see them.
- They sign in to your Dropbox and do whatever they want with it.
Once they have access to your email, they can reset the password on any other account for which you use that email. Now they can access whatever you do on those services or change the username and password, making you lose access to your own account.
They don’t even have to know you use these secondary services. Since they know your email address, they just try it on dozens, if not hundreds, of popular services, with the assumption that you’re likely to be using one or more of them.
More compromise: loosely linked accounts
In your question, you indicated you used a different email address for those other accounts, so the previous scenario wouldn’t apply.
There are two scenarios where hackers could still compromise those other accounts.
- Your Gmail account is listed as a recovery account for the service in question. You might have more than one email address associated with your Dropbox account.2 If your Gmail account is one of them, the hacker could still use it to attempt a password reset.
- Your Gmail account is listed as the recovery or alternate email address for that second email address you use. The chain then looks like this:
  - The hacker performs an “I forgot my password” account recovery on the second email address.
  - A password reset is sent to your Gmail account.
  - The hacker has access to your Gmail, clicks the link in the password reset email received there, and sets a new password on your second email account.
  - The hacker cleans up their tracks in your Gmail account by deleting the password reset email and subsequent confirmation emails.
  - The hacker now has access to both your email accounts.
  - They can now perform password resets on any account where you’ve used that second email address.
There are more complex scenarios where accounts chained together can be sequentially compromised.
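To make the chain concrete, here is an added example (not from the article) that models an account inventory as a graph and walks it from one compromised mailbox, listing every account an attacker could reach through password resets. The account names, addresses and settings are constructed for the example; it generalizes the two scenarios above to any number of linked accounts and treats accounts with two-factor authentication as the point where the chain breaks, as the article argues.

```python
"""Model the password-reset chain as a directed graph and walk it.

A password reset for an account can be completed by anyone who can read mail
at ANY address that account will send a reset link to: its login address (if
the login is an email address) plus its recovery addresses. Once an email
account is taken over, its inbox becomes a new starting point. A breadth-first
walk from one compromised mailbox therefore yields every account that falls.
Accounts with a second factor are skipped: a reset alone does not sign you in.
"""
from collections import deque

# Constructed inventory: account name -> login id, recovery addresses, 2FA flag
ACCOUNTS = {
    "gmail":      {"login": "me@gmail.example", "recovery": ["me@other.example"], "mfa": False},
    "other-mail": {"login": "me@other.example", "recovery": ["me@gmail.example"], "mfa": False},
    "dropbox":    {"login": "me@gmail.example", "recovery": [],                   "mfa": False},
    "bank":       {"login": "me@other.example", "recovery": [],                   "mfa": True},
    "shop":       {"login": "user123",          "recovery": ["me@other.example"], "mfa": False},
}

# Which account owns which mailbox (only email accounts can receive a reset link)
MAILBOXES = {"me@gmail.example": "gmail", "me@other.example": "other-mail"}


def reset_addresses(account):
    """Every address a password-reset link for this account could be sent to."""
    addrs = set(account["recovery"])
    if "@" in account["login"]:
        addrs.add(account["login"])
    return addrs


def blast_radius(start_mailbox, accounts=ACCOUNTS, mailboxes=MAILBOXES):
    """Return {account_name: chain} for every account reachable from one mailbox.

    `chain` is the list of accounts taken over, in order, to reach that account,
    so the output doubles as an explanation of each compromise.
    """
    first = mailboxes[start_mailbox]
    compromised = {first: [first]}
    queue = deque([start_mailbox])
    while queue:
        mailbox = queue.popleft()
        via = mailboxes[mailbox]
        for name, acct in accounts.items():
            if name in compromised or acct["mfa"]:
                continue  # already counted, or a reset alone is not enough
            if mailbox in reset_addresses(acct):
                compromised[name] = compromised[via] + [name]
                # If the account just taken is itself a mailbox, its inbox is now readable
                for addr, owner in mailboxes.items():
                    if owner == name:
                        queue.append(addr)
    return compromised


def mutual_recovery_pairs(accounts=ACCOUNTS, mailboxes=MAILBOXES):
    """Find pairs of email accounts that name each other as recovery address.

    This is the 'loosely linked' case: compromising either mailbox yields both.
    """
    pairs = set()
    for addr, owner in mailboxes.items():
        for rec in accounts[owner]["recovery"]:
            other = mailboxes.get(rec)
            if other and addr in accounts[other]["recovery"]:
                pairs.add(frozenset({owner, other}))
    return pairs


if __name__ == "__main__":
    for name, chain in blast_radius("me@gmail.example").items():
        print(f"{name:<11} via {' -> '.join(chain)}")
    for pair in mutual_recovery_pairs():
        print("mutual recovery:", " <-> ".join(sorted(pair)))
```

Run against your own inventory, the output is the list of accounts whose recovery settings or second factor need attention; in the constructed data, "bank" survives only because it has a second factor, and the gmail/other-mail pair recovers each other, so either inbox unlocks the whole set.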
Does this really happen?
It’s absolutely possible, and we’ve definitely heard of it happening.
But I don’t think it’s common. Not yet, anyway.
That doesn’t mean it can’t happen to you.
You need to stay secure.
Using two-factor authentication will prevent the initial compromise or break the chain of compromise if more than one account is involved. With two-factor, knowing your password is not enough for a hacker to gain entry to your account. It’s my strongest recommendation.
Aside from that, the usual litany of password-related steps to take applies:
- Use long, strong passwords.
- Use different passwords on every different site or service.
- Use a password vault to make those two steps easy.
- Keep your account recovery information current in all your accounts.
Footnotes & References
1: Please don’t get wrapped up in what is or is not stored in Dropbox. This is an example only. It applies to any online service you have using an email address and a password.
2: Again, only an example. I’m not even positive that Dropbox, specifically, lets you have an additional recovery email address. Some services do.
3 comments on “If Someone Hacks My Gmail, Can They Hack My Other Accounts?”
While many websites are set up to use an email address as a username, after setting up the account there are some that allow the option to change the username to something other than an email address.
I don’t use an email address as a username for any of my financial accounts, for example, and use a password manager to keep track of what I use as well as the passwords. I’ve set up 2FA on all of my email accounts as well.
My reasoning is to make it not worth a hacker’s time to figure out how to use my login data if it gets compromised because few of my login credentials even have the same username. And my recovery email address is not the same as my regular email address and doesn’t use the same provider. I’m not naive enough to think I’ll never get hacked, but I try to make it as useless as possible.
This article prompted me to post my thoughts about Internet, computer, and personal security when on- or off-line:
Thank you, Leo! What you write always makes me think, and I hope it was O.K. to use your website’s base URL in my ‘explainer’ section.
In terms of Gmail, to my knowledge, the most secure 2FA on that is to use a Yubikey (I just use the standard Yubikey, which is the cheapest), but the biggest negative with this is it’s not free. But I got mine at a discount for $31 for two of them back in late 2019, whereas now, based on the typical price without coupon code etc., it is $50 for two of them, which is a bit too much if you ask me, as I feel it should be about $40 tops for two keys, as beyond that they start to lose their appeal unless that sort of money ain’t much for a person and they want maximum security/peace of mind. Although at the price I paid I feel I got a good deal and it was worth buying, which is why I got them.
But you need two keys minimum tied to your Gmail account, and here is why… If you only have one tied to your account with no backup way to get into the account and you lose that key, you’re pretty much locked out of your account (and if you have any other backup to the account enabled besides the YubiKey, it defeats the purpose of using the Yubikey in the first place). But with two keys, you use one and store the other in a secure location in case you lose the primary key. So this way, if you lose the primary key, you can use the backup key to log in, remove the key that you lost from the account, buy another key, register it to that Gmail account, and now you have two keys registered to the account again. So you use one key and keep the backup stored in a secure location in case your primary key gets lost/stolen again.
Also, I make sure the two Yubikeys are the only way to get into the account too, so that no other method can be used to get in; otherwise it defeats the purpose of using the Yubikey in the first place. This is most secure this way.
Yubikey works on Windows or Linux as long as you have a standard USB port on your computer. I use it on Linux Mint v20.3-Xfce myself, but it does not work by default on Linux Mint, as you basically go to github[.]com/Yubico/libfido2/blob/main/udev/70-u2f.rules, select all of the text in that window (starting from line 1) by holding down the left mouse button and scrolling down to select all of the text (currently 220 lines of text), right-click on any of the selected text and select Copy, then open Text Editor (xed), paste the copied text there, then save it with the name “70-u2f.rules” and put the file into “/etc/udev/rules.d/” (so it should be at “/etc/udev/rules.d/70-u2f.rules”). Then reboot your computer, and when inserting your Yubikey into the USB port it should now work as expected when you sign into your Gmail account: you are on the login screen, enter your username/password, and then proceed; it will ask for the Yubikey, which you insert and simply tap with your finger, and then it will allow you access to your account like usual. You only need this if you’re signing in, as if you generally stay signed in you won’t have to use the Yubikey all that often.
P.S. I don’t really use smartphones, as I always opt for a proper computer (desktop (or laptop at worst)) to do stuff online in general. But if someone wants to use a smartphone to log in to their Gmail, then what I mentioned above with the standard Yubikey (which is the cheapest option) is not for you.