Someone has stolen my Windows Live / MSN Hotmail Account and is scamming my contacts. What can I do?

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

last month my GMail and Hotmail accounts were stolen when I checked mail from my cousin's zombie / hacked PC. I was able to recover both the same day. I want to share what helped.

1. thanks to Leo's suggestions, I had been using Outlook and Thunderbird, so there was no loss of any important emails.

2. since I had my emails, I had accurate information to fill out the detailed account recovery form of Gmail. Plus, my data backup habit and memory helped in filling out some information.

3. Gmail is such a great service that in a few minutes (10-15 minutes) they verified all the information and emailed me a reset link. The Gmail was also the alternate account for my hotmail, so I recovered hotmail by sending a reset link to the alternate account.

4. My cousin used hotmail's recovery form, and they took several hours to send her the account reset email. I don't know whether hotmail took the time or she didn't provide enough information.

I recently had to help somwone in a similar situation. A man called me because it seemed that his daughter was sending messages to her contacts even when she wasn't online.

Her contacts where receiving messages about going to a certain site to see who was blocking you on MSN/Windows Live Messenger.

I beleive the site is whoblocksyou.com - they require you to sign in using your email and 'email password'. Apparently they then start signing in themselves (this person was geting knocked of messenger with a messge claiming that she alredy signed in on another computer)- and sending spam links to everybody on her contact list with links to the whoblockedyou site.

I told her how to go to Microsoft and change her password. The lesson - NEVER sign into any service that requires your email and your email account password.

Unfortunatlly, people do sometimes give personal info to the hackers and spammers.

http://www.geocities.com/terryhollett2003/

Also, this is one more reminder not to re-use passwords. Many sites make you log on using your e-mail address as your personal identifier-- they might "sweeten" the deal with additional content, promises of discounts (or free stuff), etc. If you then use your e-mail password as the site password, then the site owners can very easily hijack your account, just as is described above. MANY people do this, because they can't remember 8 bazillion passwords for every site they visit.

In addition to what Leo has on this site, I also recommend that you check out the Security Now podcast at www.grc.com/securitynow.htm for some great in-depth info about passwords (and lots more). GRC also offers a nice password generation utility to help you make them really random, and some thoughts on using a "hash" algorithm to vary a base password with site specific info so that you can work out a strong password specific for each site.

See BBC television last Saturday where the programme Click acquired control of 22,000 home computers as part of an investigation into hi-tech crime. You can see the programme at:

http://news.bbc.co.uk/1/hi/programmes/click_online/

Another way is to have an email that you can use for new stuff or sites that you are not confident about. Create a deliberate email that is easy to password change so that you can lay a trail also in the format of that email is to put a macro trace to enable you to get back at the scoundrals/crooks that enjoy creating misery.
I have successfully created a way for some of these people being caught, therefore trying to fight back and having the joy of seeing a few of them suffering justice.

All I can say is to quote my late mother, "You get what you pay for" and another quote, "there is no such a thing as a free lunch." In other words, the "free" e-mail accounts are to be avoided as they can be subject to hacking. The best way to avoid this is to subscribe to a pay-by-the-month e-mail service that has a regular customer service number where you can talk to a live human being.

Similar experience w/Yahoo when my email account was "hijacked" back in December 2008. Scammers sent bogus emails, ostensibly from me, to my Yahoo contact list (including the senior senator from my state, my state attorney generals consumer affairs division, and the FCC complaint email address). The typical sad, emergency, stranded in Paris, send $2,500 immediately ... etcetera.

I did all the things you suggest Leo (and a couple more) and provided a full and technically detailed report to Yahoo Abuse. Yahoo's response was the typical - and decidedly unhelpful - "canned" response all the services use.

My main concern was that this appeared to be an instance of either Yahoo being "hacked" or someone at Yahoo selling info on the spam/scam market (Hey ... it's been known to happen disturbingly often!).

In essense - I took care of it myself.

One additional suggestion to offer to others using the free and convenient "throw away" email services:

I have removed my "contact list/address book" from all of my free email accounts. It takes but a second and a couple clicks to cut & paste an email address from my regular email app into the free email "To" field. It's a bit less convenient ... but it does eliminate the hijackers having any access to your contact email lists.

I haven't had this happen to me (yet?), but the first thing I'd do is let my contacts (and my e-mail service) know what happened. I use my ISP's e-mail, PeoplePC DSL, and it's been ok up to now, but mainly I use two Gmail accounts (one for my PC repair business and one for just the usual stuff like newsletters, subscriptions, etc. So far Google's (Gmail) been very reliable and you have up to 7 GB of free storage on each account. My concern is if this is happening so often and with so many different e-mail services, is it possible that the root cause is virus and/or spyware related. Are they stealing these passwords, etc., from the e-mail services or using just getting them straight from the victims' computers using keyloggers, hacktools, etc. My point here is that the first line of defense may be your own computer's anti-virus and anti-spyware. A simple way of adding protection to your address book would be to add a digit to each address that only you know about and then can delete before you use it. Example: myfriendmike3@aol.com. The '3' would be removed before you use the address leaving the real address myfriendmike@aol.com. Only you would know this and the stored addresses would be completely useless to anyone else who accessed them.

I notice I've recently been getting emails saying "reset your Windows Live password" - and a link that actually looks pretty good. But since I've not requested a link to do so, I've not used it, since I regarded them as suspicious.

I'm guessing if people do get such a mail and then click the link their mail details are then captured and voila!

There is a solution if a hacker has hacked someone's Live Hotmail account. Go to about.com and check for Windows Live ID validation page. Fill in the details and when Microsoft compares the information given by you with the information in your account, they will certainly send a link to reset your password which is valid only for a day. So resetting the password has to be done faster without wasting time.

To post a comment on "Someone has stolen my Windows Live / MSN Hotmail Account and is scamming my contacts. What can I do?", please return to that article's main page.