You should be worried.
I’m not sure that I’d say you’ve been “hacked into”, but my guess is that your email account has indeed been compromised.
I’ll look at what likely happened, why this isn’t like other “Someone’s sending from my email address!” kind of issues, and what steps you need to take next.
Most email programs now carefully protect against unauthorized address book access.
While that’s still a possibility – and you should absolutely make sure that your anti-malware tools are running and up to date – it’s not nearly as common as it once was. Most email programs now carefully protect against unauthorized address book access.
What more likely occurred is that your email account has been compromised – meaning that you probably have an on-line email account, free or otherwise, that someone has gained access too. By virtue of doing so they now have access not only to your email, but to your address book as well. It’s all too common these days to hear of folks whose accounts have been compromised only to have all their friends get inundated with spam, threats, malicious emails or messages that try to impersonate you and scam your contacts out of money.
How this happened is difficult to say. It could be anything from a weak password that’s easy to guess, to your account credentials being sniffed in an open WiFi hotspot, to your simply having shared the account information with someone you should not have.
For all we know, it could also be a roommate walking up to your computer when you’re not using it and sending messages right then and there.
(And for the record, last year there was a partial account compromise at one of the larger free email services – account credentials were stolen without the users having done anything wrong. Same result.)
I’ve talked before about email that appears to come from you, but in fact does not. This is different. Specifically:
- Spam email is sent to random people you don’t know, “spoofing” the From: address to make it look like it comes from you when it does not. There is almost nothing that can be done about this.
- Email from stolen accounts is sent to people in your address book, and is not spoofed at all – it really is coming from your account. It’s just not you sending it.
Changing your password is not enough.
Not even close.
As I’ve discussed before, changing your password is important, but it’s not nearly enough. You also need to change any and all security related information associated with the stolen account. Why? Because the thief has access to all that too, and he can use that information to steal your account again. And again. And again.
The article Is changing my password enough? details the additional steps you must take if your account has been compromised.