My friend has an iMac running 10.6.8 and lately I (and others) have been
getting spam with his name on it that he didn’t send. You said in your article
to change his password to Yahoo mail, but to also change his security-related
information. I have no idea what that is. So what else besides his password
should I tell him to change?
In this excerpt from
Answercast #6, I look at the information that may be kept by your email
provider for recovering your account and explore how to change it all to
prevent the hacker from regaining access.
The importance of recovery information
There’s an article on this; it’s called “Is changing my password enough?” Basically, there are several things you want to be looking at.
The short answer is that you need to change any information that’s associated with that account that could be used to perform a password recovery.
What happens is:
- The hacker comes in
- Changes your password
- Gets access to your account
- You regain access to your account
- You change your password back, or change it to something else.
So presumably, now, only you have access to your account. But while the hacker was in there, he could have been looking at all of this other information that would be used to perform a password reset. You know, the thing that happens when you say, “Oh, I forgot my password.” Different email services use different pieces of information to verify that you are who you say you are.
So when you say, “Hey, I forgot my password,” they ask you to supply (maybe) the answer to a couple of secret questions, or they send reset information to an alternate email address, or they send something to your phone.
The hacker had access to your information
The hacker could have seen all of that. He could have set all of that so that when you change your password (and regain access to your account), the moment the hacker notices this, all he has to do is say, “Hey, I forgot my password,” and the password reset might get sent to an alternate email address he set.
The password reset might now rely on secret questions whose answers he has set; the reset might involve the telephone number in the account information, which he has changed to be his number instead of yours.
Time to change everything
So the kind of things that you want to be changing or verifying to make sure that they are still set to what you expect them to be are: your alternate email address (to which password reset information might be sent), your secret questions, and their answers.
If the answers are visible, change them. Change them now. Change them to something else or choose different secret questions. If they were visible to you, then the answers were visible to the hacker while he had access to your account. Any telephone, mobile, or cellular information (to which reset information might be either phoned or texted) should be verified. Billing information sometimes is used for this.
Make sure that billing information (your home address, your credit card numbers, that kind of thing), to the extent that it is visible, has not been changed and is still yours. So changing your password is most definitely not enough. Those are the kinds of things to be looking for.
If the email, the spam, that you’re receiving is definitely from his account, then he definitely needs to be looking at this.
There are definitely some other scenarios where spam can look like it came from somebody whose account has not been hacked; but if it's you and your friends (who are all in his address book), chances are his email account was hacked for a while and he needs to go in and change all of that information.