What to Do if Your E-mail Account Gets Compromised

Symptoms:
People listed in your e-mail contacts report being flooded with spam messages sent from your account. Or, you start receiving a bevy of "bounced" e-mails from random addresses you don't know. You aren't able to log into your account or change its settings, or you've discovered the settings have been altered. You attempt to use e-mail, and find it has been blocked by your provider.

Diagnosis:
Start with the obvious: If your password no longer works for your e-mail account (and it's definitely the correct password), you can be almost certain that someone else has taken control of it. And if your e-mail provider has blocked you completely, it's probably because your account was spewing out spam by the millions, forcing your provider to shut it down until you regain control. This is a good thing, and you'll get it back. Likewise, learning from friends that your account has let loose a firehose of spam (which sometimes can be verified by checking the Sent messages folder in your account) pretty much confirms that some scumbag has figured out your password. Losing control of your mail and password combo can be especially calamitous if, like far too many people, you use the same ones for all the online sites and services you use, such as social networking, banking and PayPal. Even the dumbest hacker will do a quick e-mail search in your account to scrape for login info on other sites, and, in no time, will assemble a pretty good portfolio on you. Depending on the ambition and skill set of the hacker, on the time between when your account was compromised and when you discovered it, and on how secure your various online accounts are, your level of pain may fall anywhere between minor annoyance to personal and financial meltdown. Time is of the essence, and don't underestimate how deep this thing can go.

Bounced messages are the digital equivalent of "return to sender, address unknown." On their own, bounced e-mails from strangers usually mean that a professional spammer has been sending spam with your e-mail address in the reply-to field (a process called "spoofing"), and hasn't actually breached your e-mail account. It's a crucial difference; having your account password compromised means your entire collection of e-mail correspondence has been exposed, while a spammer spoofing your address doesn't actually control anything. Unfortunately, while it's often possible to take back control of an infiltrated e-mail account (see below), once a spammer begins spoofing, you have no real recourse.

Causes:
While there aren't any hard and fast figures on what the number one cause of e-mail infiltration is, the overarching theme usually points to one extremely weak link: user behavior. Despite the many ways an e-mail account can be hacked, the one common element is that you, the owner, essentially allow it.

Every few years, studies show that the one reason spam is still so prevalent is because it actually works -- a percentage of knuckleheads can always be expected to open a spam message, read it, and be tempted by whatever wares or schemes are offered. Of course, many of those e-mails (and sometimes pop-up windows from strangers on IM, Skype and similar apps) are actually phishing attacks that dupe recipients into believing they've been sent a legitimate message from a business or friend. Naive users will then reply with the requested login information.

A fair number of people also think nothing of checking their e-mail on a public computer -- in a library, electronics store or Internet cafe -- and simply neglect to log out. It's a momentary lapse of reason (particularly since we don't recommend checking e-mail on any public computer), and can be the equivalent of walking away from an ATM right after entering your password.

The other gargantuan user misstep is having weak, easily determined passwords, or using the same combination of login e-mail addresses and passwords across different sites. If a hacker breaks into one site, they can quickly try the same logins on all the popular sites -- to potentially devastating effect. But, before you beat yourself up, it's also possible that your login information has been stolen because your PC, or one you've used, has been infected with spyware or some other assorted malware. (See our related story for more info.)


Treatment:
Depending on the kind of hack you've been dealt, the treatment may be as simple as logging in, and changing your settings and password. Or it may entail agonizingly repeated attempts to lock out a persistent hacker, potentially killing off your account altogether. But you should never just give up and ditch the account without trying to deal with it first.

If you aren't able to log in, you're likely going to have to go through some frustrating hoop jumping. Conveniently, Twitter's help page has a handy list of links for all the major e-mail services' support pages.

Each service has its own method for determining that you are who you say you are, and are not the person who hacked -- or is planning to hack -- your account. Besides pre-set security questions, they may ask specific details about messages you've sent, and even the exact day you set up the account. If you don't have a copy of your initial registration e-mail, try contacting a close friend whom you would have e-mailed at the time, and ask them to dig into their archives for your early missives.

If you can log in:

Make sure your PC is current with OS updates and anti-virus/malware software. Otherwise, if it has been infected by malware that spies on you, it will continue to transmit your info to whichever hacker has infiltrated your accounts. If you aren't completely sure your PC is clean, then don't do any of the following. Any changes you attempt to make could be forwarded on by malware, too.
Depending on how your account has been abused, you may not need to contact everyone spammed by your hacked e-mail. (Your scam-savvy friends will recognize bogus messages as spam.) But, if there is a personal appeal for money -- saying you're stuck traveling and need cash, or are hurt and in a hospital -- or if malware was attached, you should send word to your contact list to delete those messages ASAP.
Set up at least two new e-mail addresses. Use your original e-mail address for personal or business communication as you'd normally do. The secondary e-mail address is insurance against future hacks; use it to communicate with your service provider, since many now ask for an alternative address as added protection. Then, use a third e-mail address only for registering for sites, newsletters, online shopping and other services. It may seem paranoid and excessive (hey, that's us!), but the idea is to compartmentalize your online life a bit. That way, each "world" has its own discrete e-mail account, and will minimize the damage that can be done by any future hacks. Most importantly, though: use a different and strong password for each account -- one that is at least six characters long, and is a combination of letters, numbers and capitals/lowercase. It sounds difficult, but it isn't. It'll help prevent any hacker from gaining access to all of your data simply by infiltrating one site.

On a secure PC, log into your e-mail and then check whether or not any of the settings have been changed by a hacker. Smart hackers may set your account to notify them of any changes, so that they can go back in and switch things again. Check whether or not a signature has been added, and whether your account has been set to forward e-mail to another address that isn't yours or to run a filter that automatically forwards e-mails or attaches a file. If any of those settings have been altered, delete the new settings.
Once you have changed the settings, create a new password, and add your secondary e-mail account as your alternative address.

Going forward, never list your main e-mail address publicly anywhere online -- in forums, in online ads, on blogs or any place where they can be harvested by spammers. Use only your "registration" address, and keep it separate from your main address book.

Don't use public computers to check e-mail; there's virtually no way to know if they are infected with malware accidentally, or have keylogging spyware installed intentionally. But if you absolutely must use e-mail on a public computer, set up an extra account before you leave and change the password regularly.