I regularly hear from people who’ve had their email or other online account compromised, are able to recover access to it, and change their password, only to have the account stolen again almost immediately.
The problem is simple, but the solution is a bit of work.
First, you have to realize that while someone else has access to your account, they have access to everything related to that account.
As a result, changing your password just isn’t enough. You need to do more.
Become a Patron of Ask Leo! and go ad-free!
Recovery information
You authenticate with most online systems by providing a user name and a password. Your user name might well be publicly visible, but your password should be known only to you.
Most systems also provide a mechanism whereby you can recover or reset your password should you forget it. They use a variety of means, but they all boil down to the same thing: they use one or more additional pieces of information — often referred to as recovery information –– to validate that you are who you say you are, and thus entitled to regain access to the account.
It’s that recovery information that presents the greatest risk once your account has been compromised.
Let’s look at some examples of what I mean, why it’s a risk, and what you should do about each, in addition to changing your password.
Email addresses
Many, if not most, online accounts require your email address. In the case of an email account (like Outlook.com, Gmail, or the like), there’s also often an “alternate” email address.
Once your account has been compromised, a smart hacker will immediately change the email address or alternate email address to one he or she has access to. That way, if you request a password reset, they’ll get it, not you. Similarly, if you change the password, all the hacker has to do is request a password reset, and she’ll regain access to the account.
What you should do: once you’ve regained access to your account, immediately verify that all email addresses associated with that account are yours. If they aren’t, change them right away.
Secret questions
It’s falling out of favor these days, but as a second layer of security, many systems have you set up answers to security questions. The answers you choose verify your identity should you lose your password, and so are questions only you should know, such as your mother’s maiden name, the name of your first pet, or your favorite teacher. If you forget your password, the system asks you one or more of these questions. If your answer matches what you set up originally, then you must be who you say you are, and you regain account access.
One of the problems with the technique is that often, the answers aren’t secret at all. Even a little browsing on your social media sites can tell potential hackers a great deal about you, including many of the answers to these so-called secret questions.1
Of course, once a hacker has access to your account, he can change all the answers to his own. That way, should you regain access to the account and change the password, she can just invoke the password recovery mechanism and regain access herself.
What you should do: once you’ve regained access to a hacked account, change all your secret answers immediately. Even if they’ve been untouched, the attacker could simply have written them down. Change them to something new — ideally, answers that are completely unrelated to the questions, but that you’ll remember in the future.
Mobile numbers
Many service providers are now replacing secret questions with the use of mobile or phone numbers instead. The concept is that when account recovery is needed, they can text or voice call that number with a code. You provide that code, which proves you are in possession of the phone. Since you set up that phone number, you must be the authorized account holder.
By now, you probably realize that once a hacker has access to your account, they can and do change that number to be their own, too. Any mobile-based account-recovery attempts are now redirected to the hacker.
What you should do: as soon as you get back into your hacked account, confirm that the phone numbers associated with it are still your own.
Billing information
It’s rare, but some systems use billing information, such as a credit card number already on file, or your billing address, in account recovery-and-validation attempts. If you have this kind of information on file, a) a hacker may be able to start using it, potentially racking up charges that you may or may not be liable for, and b) a hacker can change it, so if it’s used for account recovery purposes, it’s the hacker who regains access, not you.
What you should do: change or remove this information as soon as you get your account back, and check with your credit-card provider immediately for any improper charges.
The bottom line
By now, you should see a distinct pattern: any and all information that can be used to recover your account should be validated, removed, or changed the instant you get your account back. That includes personal information, PINs, secret questions and answers, alternate email addresses, and more: anything the system you’re dealing with might use for account validation and recovery.
If you don’t, and the individual who hacked your account has even half a clue (and many do these days), it’s very possible you could recover your account only to find it hacked again within hours or minutes.
You should also consider increasing the security of your account by adding two-factor authentication to prevent future hacks, as well as setting up any single-use or pre-defined recovery codes for those systems that support it.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
This may be the most valuable information regarding personal cyber security that I have ever seen. All the anti-virus programs and firewalls in the world will do little good if you’re blabbing your “secret” information to the world via social networking sites.
This is precisely how Sarah Palin’s e-mail account was hacked. A malicious individual, seeing publicly-available details about her, was successfully able to provide the correct answers to the security questions Mrs. Palin used for one of her e-mail accounts. Through this vulnerability, the hacker obtained access to the governor’s personal e-mail.
Thank you, Leo, for such thorough coverage of this personal security problem.
sorry for the necropost, but this case is exactly why i use falsified information as to security questions. i have random answers that are not posted anywhere else and are outright lies. simple lies that are easy to remember, but lies all the same.
And that’s exactly the right thing to do.
I fully agree with Tony M. Leo, you are ‘right on’ with your information.
Only one note, the good ISP’s will tell you to close down the ‘hacked’ account and create a complete new one. New user name, password, secret questions, the whole nine yards.
The 2nd email address could be used to break the hacker’s stranglehold on the primary account if the primary mail provider were to automatically refer to the 2nd mail address all changes made to password and proposed changes to 2nd mail addess – i.e. effectively pass master control of the primary account to the 2nd account. Do I get a prize for that idea?!!
A bigger problem is that the major webmail players have password recovery mechanisms that do not even rely of ‘secret’ questions, but rather a recollection or best guess of how you have used the service.
For example, GMail’s Password Recovery page starts with, “If you’ve already tried to reset your password and you’re still unable to access your Google Account, fill out the form below. Please answer each question as thoroughly and accurately as possible; the strength of your answers will determine if we can return your account. If you’re not certain about some of the dates, provide your closest estimate.”
The problem here is that a hacker gets to offer an alternate ‘alternative’ email address and answer a few questions about what other Google services the user might have used (along with estimates of dates) . . . and a few other tidbits that are not super difficult to work out. If the mix seems probable to Google they sent a reset email to the proferred alternate email address.
In other words, if a hacker can work out what other Google services this user has and the approximate creation dates, he or she had a pretty good chance of taking control of the account.
While I have had no difficulties in this area (knock on wood), I remain concerned. I check credit card charges at least twice a month and my credit card and debit card likewise, so I think I’m on top of this problem. Incidentally, my ISP has withheld emails because they are questionable and appear to be complete strangers to me.
I believe that my computer has been compromised to a degree. Several months ago,I don`t even remember when, I checked to see if I was the only name logged into my computer. To my amazement I was NOT the only person logged in. I kinda freaked and shut my computer down without writing down the “other” name.I have checked back often but found no one else logged in; this might be due to the fact that I have gotten a router.Just a couple of weeks ago I was going to log into my yahoo email account but I saw my computer password already typed into the space provided. I still get those stew-pid nigerian scams about money but, I always just delete them. I believe the unsolicitated emails of offers to view womens` private photos and chat sessions with unknown women,supposedly are nothing but hacking or spoofing scams. My yahoo email account hasn`t been hacked but I have suspicions that my computer is watched by parties unknown.
In regard to ‘secret’ questions; if you have a set question there are limited ‘truthful’ answers. Try using one or two universal answers for all secret questions on all your web-based security. Like, Mothers maiden name? Venus, or blue whale, or Mitsubishi, or River Phoenix, and First pet you had? River Phoenix, Mitsubishi… etc.
This makes guessing the answers nearly impossible and we’ve now made the answers endless, rather than the limited truthfull stock – AND it makes ur answers easy to remember IF you stick to the same ones all the time.
FYI – Some profile setting areas in some web sites will show you your ‘secret answers’ which make the secret viod if you account is hacked.
Leo, I have read a few of your articles. I have had the ‘free email – hotmail problem’ where my hotmail is sending spam email (always the same email, copied below – hope that’s ok… but the link is in it). I have changed my password. I have tried to contact hotmail on windows help, but no reply. http://windowslivehelp.com/thread.aspx?postid=7B1464C2-0DA5-4A0B-85A3-C6BF19B4DF4A#7B1464C2-0DA5-4A0B-85A3-C6BF19B4DF4A.
I have used my hotmail account for some time and would hate to give it up and lose touch. Do I have any choice but to close it? I can’t seem to get any help from hotmail / answers on the windows forum.
Thank you for your good articles and links to more of your articles… I found it good to know that really there isn’t much I can do… but I thought I would ask: Is there anyway to report this email to an authority?
Thanks.
SPAM email below
Hi,my friend,
I find a good website,I would like to introduce it to you It will give you big surprise:excellent products,high quality competitive price.If you are free, please visit it: [link removed] have a nice day! ~–b
26-Mar-2010
Thank you so much for this. My gmail account was hacked just this morning, and although I logged the hacker out and changed my password to a much stronger one, I hadn’t thought about any of these other possibilities until I read this article, and I’m so glad I did.
I have always added a contact to my e-mail contact lists. I add: aaaaaaaaaaaaa@aa.com
Since this does not exsist, and will be the first email address to be used (alphabetically) anytime mail is sent from me (bulk, all included) I get a notice that it could not be delivered to that account. Since I know I would not have sent to that contact, I know something is wront.
07-May-2010
I do have a couple of my different addresses in my address book.
Unless they are alert, I would get a copy of the message(s) sent out.
I had to go to the “site permissions” page on my AOL account and found there were three sites I had “given permission” to access my account, I deleted them all and changed password and security question. Hope this does it. I was unaware there was a site permissions page.
TODAY ONE STEAL MY EMAIL AND ASK ALL MY CONTACT LIST TO SEND MONEY TO ME IN LONDON I AM AT HOME IN EGYPT IHAVE CHANGED MY PASSWORD DO YOU NEED DETAILS TO FOLLOW .YESTERDAY I HAVE RECEIVED EMAIL FROM YOU ASKING INFORMATION AND PASSWORD IT IS FROM YOU ??DO YOU NEED COPY GIVE ME YOUR EMAIL TO SEND .HESHAM KHATTAB
I just read your article and found it incredibly helpful! I changed my password, changed my secret question answer to one that is hopefully hard to guess and checked all of my other information. Thankfully I started this email address when I was 17 and was too busy to add a lot of info on the account page so all it really has is my email address that they already know, my secret question and that I live in the USA. My question is: do you think that since there isn’t really any other information on there and I changed what was on there, should I be safe now or should I do something else? I really hate to have to change my email address, I’ve had it for ten years and everyone knows it :/
This was helpful and to let everyone know what to do,Thanks,Jennifer B.
I’ve changed my email password and security question answer to something that is not recognizable. I also also deleted my alternate email. Ads are still being sent to my contacts. What else can I do?
Thank you
Quick Side Note: do a Google/Bing/Yahoo Search for your Email Address. If any Results POP up with your address… then its guaranteed that SPAMMERS already have your address, and have been causing mischief.
Okay, Moving on:
If you are being Blamed for SPAM’ing People who you do NOT know, and by people that you have NEVER emailed before (aka, ‘Strangers’)…. then its probably NOT you. Your account was ‘probably’ Never compromised.
However, If you are being Blamed for SPAM’ing People who you Do know, and by people who you DO email (aka, ‘Your Friends’)… then your account COULD be compromised.
In fact, if almost Everyone who complains is one of your ‘Friends’; and they ALL say the Spam came from you, then take it as a Higher & Higher probability it’s Your Account thats the source.
Most likely, Your Email account Was hacked at some point in the Past, the hacker exported out your entire AddressBook; and has now finally begun Spamming all your addressbook-friends.
****
Important Note: 10 years ago, the spam came directly from your friend’s infected windows pc. once he cleaned the infection, the spamming stopped.
However, this SPAM 2.0 has a new TWIST: the spam is being delivered via someone’s open-relay-server. removing the infection on your friend’s windows pc will NOT stop the Spam from the Relay server.
***
Let me Over-simplify with this quick analogy:
It is the equivalent to ‘Me’ Crashing ‘Your’ Wedding, then Copying down All the Names & Addresses of everyone who signed ‘your’ GuestBook, then ‘me’ quietly sneaking out the back door… and then 2 weeks later i start phoning all ‘your’ Guests asking them to buy this magic Viagra medicine… but i pretend to be YOU on the Phone!!!
if you can Grasp this Analogy… then now you Understand the full problem.
EVERYBODY who signed the Guestbook loses in this scenario. You ‘could’ Close out your email account and go get a New one (Change teh locks on your doors, change your phone#, and/or move to a new House); but the SPAMMER (me) still has the contact info of ALL your Friends… So they are STILL going to get annoying phone calls from Me.
Thus, no real escape for your friends… Unless they ALL Change their Phone #’s and move to new houses as well (Highly unlikely).
But even if they Did… as soon as i Crash the Next Wedding… the cycle will Start over again!!
Best Solution:
Go get a Drink!
There is yet another problem.
A bad guy could set up a forwarding rule such that all your email is forwarded to him. No need for passwords after that. You still get your email and the bad guy never needs to logon to your account again, after the first time.
Probably a good idea, after a webmail password is stolen, to review ALL the account settings.
20-Dec-2010
One little trick I read about: in case you have been compromised, and there is a change that a key logger has been installed on your computer. Changing your passwords might be pointless since all your key strokes are being watched.
A temporary way around this a the Ease of Access On Screen Keyboard (don’t know if Macs have this). From what I understand, clicking the keys via your mouse doesn’t get recorded on the key logger.
I’ve recently changed all my passwords because my social network account was comprised. I changed my security questions and answers to something you wouldn’t know just from looking around my Facebook account.
I’m probably going to reformat my computer anyway, just to be safe. Its annoying, sure, but I’d feel better knowing I’ve wiped my computer of anything my Norton probably missed. Good thing I have back ups.
28-Feb-2011
Your articles were THE best of any I was able to find on the web. Most other sources did not provide enough details on what to look for to understand what the hacker actually did. You laid out the nuances of the way an account can be hacked and the signs to look for to tell what they actually did..like do you have emails sent by the hacker in your sent box or not. Very helpful. THANKS!
Will it do any good to change my EMail address
and password?
16-Apr-2011
So, there’s nothing that can be done if someone has copied all of your email addresses and you have already changed your password and secret answer many times?
I am more worried that my friends are getting spam from “me.” If I totally change my email address, delete the old one, will the spam continue?
01-Jul-2011
My account has been hacked and all of my contacts have been sent a link to a webpage. However of the things you suggested to look for nothing appears to have been changed (i.e. mobile number, back up email) i have changed my password and security question but am doubtful of how much this will help so was wondering if there was anything else you would suggest? My iphone is also linked to my account so i dont know if this could be the problem?
05-Aug-2011
I just found out my family account was hacked (the “want more pleasure?” link was sent to some of our contacts.) The thing is….does it for sure mean some person in another place was sitting there, going through our account? it’s our head account, which is connected to your ATT account, which lists our address and phone number. Should I panic?
05-Sep-2011
A few months ago my husband had the same problem. We ended up deleting that email and giving him a new one. We had no more problems, until a couple days ago when my att yahoo mail became compromised. I really need to keep this email address. So I am trying to stop this by changing things such as password, a new sign in key, and changing anything in the options on my account that may have allowed this compromise. Then I discovered it would not allow me to access my contacts. I’m still working on that….
Of late my contacts are getting emails from me about weird stuff that I never send them.I have changed my password and all security questions.Is there anything else I need to do? Is my account information safe? Will I have to make a new account?
@Meenakshi
You’ve done right to change the security questions and password. Doublecheck those and also make sure your phone number is correct. Keep an eye on that account and make your password really really hard.
Here’s another article on Ask Leo! that has some good info on the subject:
Someones sending email that looks like its from me to my contacts what can I do?
how can i change the alternative e-mail, who is not mine, my e-mail has been hacked and there is another alternative e-mail. Please tell me how to change it, because when i want to change, the e-mail goes to that another alternative e-mail.
@Bess
If your email has been hacked and the password and alternative email had already been changed, then it may be too late to recover your email account.
thank you very much. i hope it would help me not to be hacked again.
someone told me only PCs get hacked. Apples don’t. Is that true?
02-Mar-2012
@Diane,
It’s not so much that Apples aren’t hackable, as that there is so many more PC’s. So hackers concentrate their energies on the easy pickin’s
I’ve changed my password, and there is no additional hacker activity on my account. Now I would like to change the other items – phone no, secret question, etc. However, the alternate email address I gave three years ago is no longer active. Is there a way to get hotmail to let me change the other info?
I have two hotmail accounts. I can’t sign out of either. It tells me to erase all cookies. I have it set up so I have to sign in each time. Not sure what to do. My address book was hacked and porn emails went out to all my contacts. I did all of the above, but actually there wasn’t much to do. No secret questions or alternate email addresses. I just have this haunting feeling it’s open all the time.
My email address starting sending out spam today. (The culprits may have waited deliberately till April fools day for this.) It sent out an email to a number of recipients from my contacts list. I only discovered it by accident because one of these addresses is now defunct. The email bounced back, showing me the list of recipients.
So here’s an idea TO LET YOU KNOW pretty quickly if your address is sending spam. Enter a dummy fake email into your contacts list. Then it will be sure to bounce back, letting you know within good time of unauthorized activity.
My email has added over 1500 friends in the past week, and an incredible amount of spam has been entering and leaving my account. I’ve followed the necessary steps of changing my password and other important information like it says above, but is there a way to easily delete all the spam and unwanted friends from my email? The spam, I hope now that I have changed my password and such, will stop, but is there a way to just delete all the emails listed as friends? I use hotmail, but it limits me to just deleting 25 per page.
Someone used my wife’s email address, her name and telephone number to schedule a medical appointment. Is this an identity theft?
22-May-2012
This is great info. My account has only been hacked by someone entering an event in my calendar and changing the name of a contact –actually my daughter. I have changed my password and security question and worked through other things on this list. How will I know if the hacker still has access?
i forgot pasword and may yahoo are block because one person hack may acount please help me..
@Norman
We cannot recover hacked accounts, lost or forgotten passwords. Please see this article for more information on your options:
Would you please recover my password? My account has been hacked or I’ve forgotten it.
Leo has great info here
SUGGESTOIN
SECRET QUESTIONS
do NOT ANSWER THEM appropriately
MAKE up answers to them – Favorite Dog’s name – automobile
WHO CARES what the answer is !!!
Now, the important part is
USE A PASSWORD MANAGER PROGRAM – I use KeePass
AND, in a FREE TEXT NOTES field per entry, RECORD the SECRET QUESTIONS, and their answers !!!!
Yes, this makes it important that if you are working on a specific logged in account, yhou need the data inside that password manager to access parts of the account.
BUT, that is the PURPOSE of SECURITY –
it may make it a little harder on you, but YOU are PROTECTING YOUR DATA !!!!
And with the government freely allowing hackers to HACK the government employee data, AND the data on relatives, etc, then MAKE YOUR DATA HARDER to access !!!!
And, regarding two-factor authentication –
it is NOT a breeze to use. Suppose I’m at a computer and I DO NOT have a phone with me , or battery is dead – and the two factor authentication is the phone??
I’m cooked
Alternate email, or codes sent to email, does help somewhat more,, because if I’m at my computer, I probably have access to my email (but not always)
There are other alternatative methods also, but no one has made an easy system, in my opinion.
anyway, this is just my humble two cents worth
nick
Most all two-factor authentication schemes (at least those done properly) allow you to ALSO generate one-time passwords that you keep in a safe place. Each can be used exactly one time – long enough to login and turn of 2FA if you’ve lost your device.
I’d add to what Leo said, that in case you ever really need to change your password,for example, if the passwords were really compromised, adding even one character er would make it a completely different password, over 100 times stronger than the previous one. So you might keep that in mind for the future.
I’m using the same password since the early 90s. The original was 7 characters, it grew to 10 and I’ve added a few gradually ever since. The last few characters are unique for each important website and application.
In a case like LastPass where an email address is associated with your account, and it’s too difficult to change your password, you can simply change the email address associated with your account. That way, even if they were able to crack the email-password combination, they wouldn’t be able to associate the cracked password with the new email address in a million years (almost literally).
Check your email account activity for unauthorised access logins .
Hotmail/Outlook/Gmail provide this service including a drop down map, date and time of attempted and successful access of your account..
I get attempted unauthorised attempts every week from around the world and from other states .
Successful logins from a location you do not know are the signs to look for.
Google for procedure.
Recently all my gmails have been sent to the Trash before they
are retreived in the inbox.There is no problem in sending out.
Your advice & help to solved this is much appreciated.
I have already reset my password & clear all filters etc etc
TQ
Only thing that comes to mind is anti-malware tools – they’ve been known to do this when using a desktop email program from time to time.
Here’s the best way to handle the personal information questions. Don’t answer them as yourself, answer them as someone else such as your uncle, mother-in-law, a character in a book or movie or (my favorite) your imaginary friend. Of course your must never reveal who this person is to anyone.
For questions such as elementary school for a movie or TV character, such as Tonto of the Lone Ranger, you will have to come up with a “interesting” answer such as “Hogswarts”.
The answer obviously does not have to relate to the actual questions ..you can put red ,yellow and blue ..providing you can recall if your first school was blue ..or was it yellow or maybe red ?
Hogwarts would be an easily guessable school name.
Hmm. When passwords are changed, are active logins forcibly closed by the server? If not, could a hacker not maintain a connection to the account, see that you have made changes, then change things back? Yes, he may not be able to recover your new password, but as you wrote, all data needed to once again reset the password could be changed back in his favor.
Changing a password should force the open session to close. This would be the case on a well designed website such as Facebook and the big name email providers. A poorly designed website might not log you off.
This depends on the service itself, but in general a password change does invalidate other sessions.
Thank you Leo, an excellent article. Much I had not previously considered, lets hope I never need to use it.
Nice article….Good timing too.
Just two days ago YouTube notified me that someone in Russia tried to use my account and that they denied access since it did not match the devices or locations I normaly use. They recomended that I change my password which I did. I didn’t think much about it at the time figuring “no big deal”.
Now after reading your article I went back to my YouTube account and started looking around. What I noticed was that while I thought it not to be important at the time I found that if the “hacker” had gained access could have gotten a massive amount of information. What I search for. What I watch. Etc…..
Now this has gotten me thinking and I deleted my search history and will go back and do mostly the same to the rest of my history’s.
Now while there was nothing illegal with any of my activities, it may have had stuff I wouldn’t want my grandkids to know about.
Thanks for getting me to think about it………….Alan
Hazardous unexpected Cloud phenomenon:
July 3rd wrestled with a seriously recalcitrant Trojan on a customer’s Win 8 machine, which she had purchased from Staples as a floor model. It apparently had been used by Staples as a demo for several months, including access by their customers, who screwed it up. Firefox had been installed at Staples but from a “rogue site” which infected the machine. Then, they [Staples] loaded Trend Micro plus AVG plus a couple of other “freebie” anti-malware programs, all at the same time, before deciding to unload the problem on a naive customer.
I dug out everything and finally managed to install Vipre Internet Security which promptly caught and quarantined many copies of the same Trojan plus hundreds of adware PUPs. I ran several deep scans, only to have the Trojan get caught each time. What I finally figured out was that Microsoft Skydrive had been setup, not used by the purchaser, but the infection was hiding files in Skydrive on Microsoft cloud servers! That is beyond the reach of any anti-malware program scanning on a local machine… I uninstalled Skydrive, scanned twice more and am no longer getting “hits” for that Trojan…
Generally, when selling a floor model computer, the store should do a fresh reformat and install. A computer bought with malware is defective. If it’s still under warantee, your client should be able to bring it back, explain the problem and have them reinstall a fresh version of Windows. Before bringing it in, I’d recommend a full image backup to preserve any of your client’s data on the computer
The right solution in a case like this, IMO, is to wipe the computer and reinstall the OS from scratch. There’s simply no way to know what has been done to a floor model, and with so many people having access to it over the months it’s certain that whatever was done wasn’t good. I’d never accept a computer from anyone without the ability to install from scratch or restore it to a pristine condition.
I would like to change my email – address from {email address removed} to my real e-mail address {email address removed} of the
owner of this computer that is CHANIDA PANPATTANANON , PLS.
You can’t change your email address, but you can open a new one an start using that.
https://askleo.com/how_do_i_change_my_email_address/
Hi,
It looks as if someone is sending emails from outside my email account, but they are putting my email address in the from header.
They are not send from my mail server, and the only reason i know that once each two weeks they get send is because i get suddenly 100s of rejection notification as if I tried to send that email.
Is this possible? Any way to get rid of this problem.
No way to get rid of it. From spoofing is very common – in fact, it’s so easy that you could do it from your email client for anyone else’s email account (don’t though…).
This article will help you understand it a bit more: https://askleo.com/someones-sendin/
i need to remove this hot mail {removed}@gmail.com my laptop help me
Here’s an article on that, but if you’ve forgotten the password, you won’t be able to close it.:
ask-leo.com/how_do_i_delete_my_gmail_account.html
i have forget the password of this hot mail in my laptop {removed}@gmail.com
We cannot recover hacked accounts, lost or forgotten passwords. Please see this article for more information on your options:
http://ask-leo.com/would_you_please_recover_my_password_my_account_has_been_hacked_or_ive_forgotten_it.html
If this is a Hotmail, MSN.com, Live.com or Outlook.com account, then this article discusses recovery options for the various ways that these accounts can be lost or compromised: http://askleo.com/what_are_my_lost_hotmail_account_and_password_recovery_options/
Set up second-factor authentication on all accounts where you can. Then when you login from an unknown device you need to enter a number generated by an app. together with the password. Just using a password is insufficient these days.
In my list of contacts my email address is duplicated but with a different name. I assume that person gets emails sent to me…
I can’t figure out how to delete it