There are a couple of possibilities.
Yes, it’s possible you got hacked, but it’s also possible that you didn’t.
As for tracking down the perpetrator, the news isn’t good.
Become a Patron of Ask Leo! and go ad-free!
Getting someone's password
It might seem like a common occurrence, but in reality, getting someone’s password is difficult unless they’re lax about their own security. Make sure you’re doing all the right things to keep yourself secure.
Email doesn’t imply a hack
If you’re basing this question solely on the email sent from your email address, then it’s very possible — even likely — that you weren’t hacked.
It’s more likely that someone is impersonating you. While that sounds dire, it really isn’t. All it means is that they’re sending email that looks like it came from your email address, and nothing more. It’s quite common. See Someone’s Sending From My Email address! How Do I Ttop Them?! for more information.
If this is the case, then the key takeaways are:
- It’s not your fault.
- You didn’t get hacked.
- No one knows your password.
- There’s nothing you can do.
Simply having an email address is enough for this to happen to you.
Getting someone’s password
No, it’s not that easy to get someone’s password, and certainly not from the site you mentioned.
There are two all-too-common scenarios, though, where people make it easier than it should be.
Password re-use. Using the same password on more than one site puts all those sites at the mercy of the site that has the worst security. If one site gets hacked or otherwise compromised and your password is exposed, then your accounts at all the other sites are immediately at risk of compromise.
Tracking down the offender
It’s nearly impossible for us mere mortals to track down the culprit.
If it’s just random From-spoofing spam, there’s almost nothing that can be done.
If it’s an actual compromise of the service you’re using, then it really depends on how the service operates. It’s possible they could track it down, but by that I mean only that the technology might support it. Whether or not the service keeps that information or even uses it is unknown. Even if they do, they are probably not willing to simply hand it out for claims like this.
More often than not, privacy concerns might require that laws have been broken and that law enforcement get involved. It’s not uncommon for a court order to be required to get the information from the service.
In other words: don’t get your hopes up.
While it’s not that easy to randomly compromise a password, it’s not impossible. That means it’s on you to stay safe. Continue to use best practices to keep your passwords, accounts, and your entire online presence as safe as possible.
And if you see spam that looks like it came from you, don’t assume a hack. It’s much more likely to be run-of-the-mill (though annoying) spam.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.