
Someone Has Stolen My Email Address. Can You Help?

Question:

Dear Mr. Mrs.

To home is my concern from couple months ago some one has my e mail
address stolen and I dont know haw I can report for this till some one
till me about this web Sid and my email address was ******@hotmail.com
and my password is 123456 please give me an answer as soon as you can
you can call me ###-###-####

Thank you
Email owner
(name redacted)

With the exception of the obviously removed information, this is a
question exactly as I recently received it, sent to my personal email
address.

Now, set aside the fact that this email is clearly written by a
non-English speaker; that's very common, as the site is visited by
people from all over the planet.

There are several very serious problems with this email
that I want to make sure you never, ever duplicate.

Can you see them? One of them is absolutely frightening.


First, let me give the answer I gave to the questioner:

You can try the instructions on Windows Live Hotmail's What to do if you think your
account has been stolen page.

Now, I'm not hopeful, and you'll see why in a moment, but it's worth
a shot.

What's wrong with this scenario? Let me count the ways.

  • I did not obfuscate the password above. This
    person's actual password was "123456". My first reaction? No
    wonder your account was stolen. This is absolutely frightening.
  • A couple of months? Perhaps within the first few
    days of a theft you stand a chance, but after weeks or months, my
    belief is that things are pretty hopeless.
  • She gave her password to a total stranger. Yes,
    that stranger was me, but she doesn't know me, and has no clue how
    trustworthy I may or may not be. She contacted me using a different
    Hotmail account, but given her abysmal choice of password for the first
    account, there's a very high likelihood that she kept using the same
    password for the new account, or one just as easy to crack.
  • She gave her phone number to a total stranger. Once
    again, me, but still it's clear that even after having her account
    stolen, privacy and security lessons have not yet been made apparent.
    (And no, I'm not calling her - that's just not something I do.)

So, after all the fault finding I've just indulged in, what can you
learn from this exercise? How can you stay secure?

Let's just turn each of my concerns around:

  • Use a strong password. Always. No excuses. Keep it safe, and share
    it with no one.
  • Act quickly if you suspect that your account has
    been compromised. Use the resources available to act on your situation
    as quickly as possible. Hotmail users have http://windowslivehelp.com/ specifically for Hotmail
    support and discussion.
  • Keep your private information private. Don't go
    throwing your phone number and most certainly not your password to just
    anyone in the hopes of getting help. There are too many people out
    there who will abuse your trust and cause you more trouble.

I honestly don't mean to make fun of or shame the person with the
original problem - in fact, I responded to her well prior to posting
this article, not expecting her ever to return to my site anyway. My
hope is that by pointing out the deep flaws in her approach to
passwords and privacy that some of you who might see even vague
similarities with your own approach will rethink your situation, and
take steps to keep yourself more secure.

Sadly, the other thing that's frightening about this scenario is
simply how common it is.


13 comments on “Someone Has Stolen My Email Address. Can You Help?”

  1. The same thing happened to me for my Hotmail and Facebook accounts, since they had the same password. My original password was great. It contained upper case, lower case and numbers, but the person was able to change the password because she could answer the security questions when you have supposedly forgotten your password. Facebook supplied the birthdate (I have since deleted the year) and I have changed my identity question, which I had forgotten about completely. It used to be the name of my first dog, however, this person knew the answer. I am pretty sure I know her identity, but can’t prove it. I calmly sent an email to my captured accounts and asked that a password I suggested be used and they be given back to me. The person complied and sent an email back to me. By getting it into Outlook and looking at the information in the header, I was able to determine where the server was.

    I was rather upset at Microsoft, though. They were unwilling to give me more information on the activity of MY ACCOUNT and the location of the computer that was using it while it was stolen. If I am right that they could have zeroed in on it, I think that the laws need to be changed. Like your record at school, you should be able to see the information in your account – where you sign on.

    I approached the person who I think stole my account, but she denies it. I have since changed my password, although it is no more secure than the first one, which was very secure, but I have changed my identity question on Hotmail.

    By the way, this same person tried to change my password and hijack my account in Yahoo. Fortunately, their security question allowed greater flexibility, so it wasn’t about my dog, but something I would only know and I had a different password, which also involved numbers, upper and lower case.

  2. To keep my email accounts secure, I answer the security questions with something that only I would know (because the answer makes absolutely no sense to the question).
    For example:
    Q: What is your favorite flower?
    A: cat

    This way, someone cannot guess a series of flowers and hit upon the right one.

    Of course, you must make sure that YOU remember your wacky answer or you will be in trouble!

  3. Yes, those common questions are a weak spot. I have a couple of very simple solutions for the problem:

    1. don’t pick a question that has a very limited answer set like colors or car makes.

    2. When asked for personal information in online forms my first response is LIE LIKE A RUG!!!! Do not give true information unless absolutely necessary. ie give them a first name but last name “aaaa”, address “000 anystreet ave”, phone “000 000 0000” etc. Read this article for a scary view of personal information security:
    http://www.schneier.com/blog/archives/2007/12/anonymity_and_t_2.html
    In it he talks about techniques that can be used to “de-anonymize” anonymous information ie
    (snip)
    Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. “In general,” the researchers wrote, “few characteristics are needed to uniquely identify a person.”
    (/snip)

    So unless your personal info is truly required, like mailing info for an online purchase, there is no reason for you to enter correct info.

  4. I think the most important aspect is the password. Even if it’s about your favourite TV show, actor or sportsperson always insert numbers, lower/upper case combinations, and special characters (if allowed) into the password. Also don’t just give the bare minimum number of characters. Give at least 8-10 in the password.

    The security question is your secondary defence, the password is the primary one so make your primary defence as strong as possible.

  5. I’m in the UK and recently we’ve been treated to one of your tremendous televised serials “Damages”. Therein Patti Hughes offers the best advice to all of us. “Trust no-one”. Sad, but true and something we need to remember when choosing passwords and security questions.

  6. This was an eye opener. Having been taught to always tell the truth I’ve always put in the true address or info required…now I’ll do the “color”/”cat” thing with a different twist. I’m sure nobody knows my father’s name but I’ll be safer from now on and try to be more creative and instead of having it remembered, I’ll keep a log of my stuff and keep it in a paper file.

  7. Good tips on security. The first reader comment also struck a chord. Social networking is all the rage now, but we must not forget the fatal pitfall of sharing loads of personal information with our “friends”. Even my Yahoo profile asks for far more than I am willing to divulge. And, as if the social sites don’t get personal enough, (too much) if you answer the endless stream of “20 Questions” e-mails, you’re giving out most of the answers to most of the common security questions available. Let’s stop the insanity and keep our Alma Mater, pets’ names, favorite movies and boxers or briefs preferences to ourselves!

  8. Hmmmm…I’ve never had any problem with my profile or email address being compromised.
    However…this article has made me more aware of the big picture. From here on I will be more careful with my profile/personal information.
    Thanks a bunch!!!!

  9. I would like to suggest having 1 or more email addresses from another provider. When I went to reinstall my ISP I forgot my password, and found that the one I wrote down was an older one. Fortunately I gave my provider an alternate email and was able to get the password, and change it. By the way I was discussing the Conficker with friends and was appalled to find out they did not update their windows, and she just made files and dumped unopened mail into them. Sigh.

  10. To keep up with passwords, account information, etc, I suggest an application like Password Safe (passwordsafe.sourceforge.net). I can store Usernames, Passwords, and any other information about that site (challenge/response) in one place. I only have to remember 1 password to open the database, and then I have access to all my account information.

    Good suggestion about ‘flower/cat’ – I’ll start using that!

  11. Love the “flower/cat” suggestion. What’s the procedure on applying “Password Safe”? Now that is a very, very good idea, especially for me as I have trouble remembering what happened yesterday.

  12. I have found that a few sites will allow a space in the middle of your password. Combining this with my (German) grandparents’ last name, a space for a missing letter and close with a number.
