I regularly hear from people who’ve had their email or other online account compromised, who somehow are able to recover access to it and change their password, only to have the account stolen almost immediately again.
The problem is actually quite simple, though the solution is a bit of work.
First, you have to realize that while someone else has access to your account they have access to everything related to that account.
Second, you have to realize that because of that, changing your password just isn’t enough.
You authenticate with most online systems by providing a user name and a password. Your username might well be publicly visible, but your password should be known only to you.
Most systems also provide a mechanism whereby you can recover or reset your password should you forget it. They use a variety of means, but they all boil down to the same thing: they use one or more additional pieces of information to validate that you are who you say you are, and then reset or reissue your password.
It’s those “additional pieces of information” that present the greatest risk once your account has been compromised.
Let’s look at some examples of what I mean, why they’re a risk, and what you should do about each in addition to changing your password.
Email address or alternate email address: Many if not most online accounts require your email address. In the case of an email account (like Hotmail, Gmail or the like) there’s often an “alternate” email address. Systems often provide the ability to send a password reset message to that email address of record should you lose your password. Since only you could have set it up, by definition that email address should be yours.
Once your account has been compromised, a smart hacker will immediately go in and change that email address to one that he has access to. That way, if you request a password reset, he’ll get it, not you. Similarly, if you change the password, all the hacker has to do is request a password reset, and he’ll regain access to the account.
What you should do: once you’ve regained access to your account, immediately verify that all email addresses associated with that account are yours. If they aren’t change them right away.
“Secret” questions and their answers: Many systems have you set up answers to questions as a second layer of security should you lose your password. The answers are typically to questions that only you should know such as your mother’s maiden name, your first pet or your favorite teacher. If you forget your password, many systems then simply ask you one or more of these questions. If your answer matches what you set up originally, then you must be who you say you are, and you’ll get your password reset and/or account access.
I put “secret” in quotes because this is one of the problems with the technique: quite often the answers aren’t secret at all. It’s recently been shown that even a little browsing on social media sites of which you happen to be a member can often tell potential hackers a great deal about you, including many of the answers to these so-called secret questions. Once a hacker has access to your account, it’s not uncommon for the answers to your secret questions be visible to him. If he’s smart – and some are – one of the first things he’d do is jot down the answers to all your secret questions, or change them to his own. That way, should you regain access to the account and change the password, he can just invoke the password recovery mechanism and regain access himself.
What you should do: once you’ve regained access to a hacked account, change all your secret answers immediately. Even if they’ve been untouched, the attacker could simply have written them down and know them all. Change them to something new – ideally answers that are completely unrelated to the questions, but that you’ll be able to remember in the future.
Mobile/Cellular information: Some providers allow you to specify your mobile number as part of your account information, and then can SMS or otherwise contact you via that information to perform password resets and more.By now you probably realize that once a hacker has access to your account they can change that number to be their own. Any mobile-based account recovery attempts are now redirected to the hacker.
What you should do: as soon as you get back into your hacked account, change or remove this information.
Billing information: It’s rare, but some systems will use billing information, such as a credit card number already on file, or your billing address in account recovery and validation attempts. If you have this kind of information on file, a) a hacker can start using it, potentially racking up charges that you may, or may not be liable for, and b) a hacker can change it so that if it’s used for account recovery purposes it’s the hacker that that’ll regain access and not you.
What you should do: change or remove this information as soon as you get your account back, and check with your credit card provider immediately for any improper charges.
By now you should see a distinct pattern: any and all information that can be used to recover your account should be validated, removed or changed the instant you get your account back. That includes personal information, PINs, secret questions and and answers, alternate email addresses and more – anything that the system you’re dealing with might use for account validation and recovery.
If you don’t, and the individual that hacked your account has even half a clue, it’s very possible that you could recover your account only to find it hacked again within hours or even minutes.