Summary: Changing your password is a common response to security breaches. Unfortunately, it may not be enough to recover.
I regularly hear from people who've had their email or other online account compromised, who somehow are able to recover access to it and change their password, only to have the account stolen almost immediately again.
The problem is actually quite simple, though the solution is a bit of work.
First, you have to realize that while someone else has access to your account they have access to everything related to that account.
Second, you have to realize that because of that, changing your password just isn't enough.
•
You authenticate with most online systems by providing a user name and a password. Your username might well be publicly visible, but your password should be known only to you.
Most systems also provide a mechanism whereby you can recover or reset your password should you forget it. They use a variety of means, but they all boil down to the same thing: they use one or more additional pieces of information to validate that you are who you say you are, and then reset or reissue your password.
It's those "additional pieces of information" that present the greatest risk once your account has been compromised.
Let's look at some examples of what I mean, why they're a risk, and what you should do about each in addition to changing your password.
-
Email address or alternate email address.
Many if not most online accounts require your email address. In the case of an email account (like Hotmail, Gmail or the link) there's often an "alternate" email address. Systems often provide the ability to send a password reset message to that email address of record should you lose your password. Since only you could have set it up, by definition that email address should be yours.
Once your account has been compromised, a smart hacker will immediately go in and change that email address to one that he has access to. That way, if you request a password reset, he'll get it, not you. Similarly, if you change the password, all the hacker has to do is request a password reset, and he'll regain access to the account.
What you should do: once you've regained access to your account, immediately verify that all email addresses associated with that account are yours. If they aren't change them right away.
-
"Secret" questions and their answers
Many systems have you set up answers to questions as a second layer of security should you lose your password. The answers are typically to questions that only you should know such as your mother's maiden name, your first pet or your favorite teacher. If you forget your password, many systems then simply ask you one or more of these questions, If your answer matches what you set up originally, then you must be who you say you are, and you'll get your password reset and/or account access.
I put "secret" in quotes because this is one of the problems with the technique: quite often the answers aren't secret at all. It's recently been shown that even a little browsing on social media sites of which you happen to be a member can often tell potential hackers a great deal about you, including many of the answers to these so-called secret questions.
Once a hacker has access to your account, it's not uncommon for the answers to your secret questions be visible to him. If he's smart - and some are - one of the first things he'd do is jot down the answers to all your secret questions, or change them to his own. That way, should you regain access to the account and change the password, he can just invoke the password recovery mechanism and regain access himself.
What you should do: once you've regained access to a hacked account, change all your secret answers immediately. Even if they've been untouched, the attacker could simply have written them down and know them all. Change them to something new - ideally answers that are completely unrelated to the questions, but that you'll be able to remember in the future.
-
Mobile/Cellular information
Some providers allow you to specify your mobile number as part of your account information, and then can SMS or otherwise contact you via that information to perform password resets and more.
By now you probably realize that once a hacker has access to your account they can change that number to be their own. Any mobile-based account recovery attempts are now redirected to the hacker.
What you should do: as soon as you get back into your hacked account, change or remove this information.
-
Billing information
It's rare, but some systems will use billing information, such as a credit card number already on file, or your billing address in account recovery and validation attempts.
If you have this kind of information on file, a) a hacker can start using it, potentially racking up charges that you may, or may not be liable for, and b) a hacker can change it so that if it's used for account recovery purposes it's the hacker that that'll regain access and not you.
What you should do: change or remove this information as soon as you get your account back, and check with your credit card provider immediately for any improper charges.
By now you should see a distinct pattern: any and all information that can be used to recover your account should be validated, removed or changed the instant you get your account back. That includes personal information, PINs, secret questions and and answers, alternate email addresses and more - anything that the system you're dealing with might use for account validation and recovery.
If you don't, and the individual that hacked your account has even half a clue, it's very possible that you could recover your account only to find it hacked again within hours or even minutes.
Related:
-
Would you please recover my password? My account has been hacked or I've forgotten it. I'm asked daily to reset lost passwords, recover hacked email accounts or retrieve lost information in them. Here's my answer.
-
Someone has stolen my email account. What can I do to get it back? The outlook is grim if your email account has been stolen, but there are a couple things that you can try to do to recover it.
-
What's a good password? Good passwords are hard to crack and hard to remember. As a result, many people don't use really good passwords, even though they should. We'll look at what makes a good password, and some ways to make them easier to remember.
Article C3913 - November 6, 2009
This may be the most valuable information regarding personal cyber security that I have ever seen. All the anti-virus programs and firewalls in the world will do little good if you're blabbing your "secret" information to the world via social networking sites.
This is precisely how Sarah Palin's e-mail account was hacked. A malicious individual, seeing publicly-available details about her, was successfully able to provide the correct answers to the security questions Mrs. Palin used for one of her e-mail accounts. Through this vulnerability, the hacker obtained access to the governor's personal e-mail.
Thank you, Leo, for such thorough coverage of this personal security problem.
Posted by: Tony M. at November 10, 2009 4:17 PMI fully agree with Tony M. Leo, you are 'right on' with your information.
Only one note, the good ISP's will tell you to close down the 'hacked' account and create a complete new one. New user name, password, secret questions, the whole nine yards.
Posted by: MmeMoxie at November 10, 2009 11:23 PMThe 2nd email address could be used to break the hacker's stranglehold on the primary account if the primary mail provider were to automatically refer to the 2nd mail address all changes made to password and proposed changes to 2nd mail addess - i.e. effectively pass master control of the primary account to the 2nd account. Do I get a prize for that idea?!!
Posted by: Digby Lowe at November 11, 2009 1:43 AMA bigger problem is that the major webmail players have password recovery mechanisms that do not even rely of 'secret' questions, but rather a recollection or best guess of how you have used the service.
For example, GMail's Password Recovery page starts with, "If you've already tried to reset your password and you're still unable to access your Google Account, fill out the form below. Please answer each question as thoroughly and accurately as possible; the strength of your answers will determine if we can return your account. If you're not certain about some of the dates, provide your closest estimate."
The problem here is that a hacker gets to offer an alternate 'alternative' email address and answer a few questions about what other Google services the user might have used (along with estimates of dates) . . . and a few other tidbits that are not super difficult to work out. If the mix seems probable to Google they sent a reset email to the proferred alternate email address.
In other words, if a hacker can work out what other Google services this user has and the approximate creation dates, he or she had a pretty good chance of taking control of the account.
Posted by: Rick at November 11, 2009 8:26 AM