Ask Leo! by Leo A. Notenboom

Is changing my password enough?


Summary: Changing your password is a common response to security breaches. Unfortunately, it may not be enough to recover.

I regularly hear from people who've had their email or other online account compromised, who somehow are able to recover access to it and change their password, only to have the account stolen almost immediately again.

The problem is actually quite simple, though the solution is a bit of work.

First, you have to realize that while someone else has access to your account they have access to everything related to that account.

Second, you have to realize that because of that, changing your password just isn't enough.

You authenticate with most online systems by providing a user name and a password. Your username might well be publicly visible, but your password should be known only to you.

Most systems also provide a mechanism whereby you can recover or reset your password should you forget it. They use a variety of means, but they all boil down to the same thing: they use one or more additional pieces of information to validate that you are who you say you are, and then reset or reissue your password.

It's those "additional pieces of information" that present the greatest risk once your account has been compromised.

Let's look at some examples of what I mean, why they're a risk, and what you should do about each in addition to changing your password.

  • Email address or alternate email address.

    Many, if not most, online accounts require your email address. In the case of an email account (like Hotmail, Gmail or the like) there's often an "alternate" email address. Systems often provide the ability to send a password reset message to that email address of record should you lose your password. Since only you could have set it up, by definition that email address should be yours.

    Once your account has been compromised, a smart hacker will immediately go in and change that email address to one that he has access to. That way, if you request a password reset, he'll get it, not you. Similarly, if you change the password, all the hacker has to do is request a password reset, and he'll regain access to the account.

    What you should do: once you've regained access to your account, immediately verify that all email addresses associated with that account are yours. If they aren't, change them right away.

  • "Secret" questions and their answers

    Many systems have you set up answers to questions as a second layer of security should you lose your password. The answers are typically to questions that only you should know, such as your mother's maiden name, your first pet or your favorite teacher. If you forget your password, many systems then simply ask you one or more of these questions. If your answer matches what you set up originally, then you must be who you say you are, and you'll get your password reset and/or account access.

    I put "secret" in quotes because this is one of the problems with the technique: quite often the answers aren't secret at all. It's recently been shown that even a little browsing on social media sites of which you happen to be a member can often tell potential hackers a great deal about you, including many of the answers to these so-called secret questions.

    Once a hacker has access to your account, it's not uncommon for the answers to your secret questions to be visible to him. If he's smart - and some are - one of the first things he'd do is jot down the answers to all your secret questions, or change them to his own. That way, should you regain access to the account and change the password, he can just invoke the password recovery mechanism and regain access himself.

    What you should do: once you've regained access to a hacked account, change all your secret answers immediately. Even if they've been untouched, the attacker could simply have written them down and know them all. Change them to something new - ideally answers that are completely unrelated to the questions, but that you'll be able to remember in the future.

  • Mobile/Cellular information

    Some providers allow you to specify your mobile number as part of your account information, and then can SMS or otherwise contact you via that information to perform password resets and more.

    By now you probably realize that once a hacker has access to your account they can change that number to be their own. Any mobile-based account recovery attempts are now redirected to the hacker.

    What you should do: as soon as you get back into your hacked account, change or remove this information.

  • Billing information

    It's rare, but some systems will use billing information, such as a credit card number already on file, or your billing address in account recovery and validation attempts.

    If you have this kind of information on file, a) a hacker can start using it, potentially racking up charges that you may or may not be liable for, and b) a hacker can change it so that if it's used for account recovery purposes it's the hacker that'll regain access and not you.

    What you should do: change or remove this information as soon as you get your account back, and check with your credit card provider immediately for any improper charges.

By now you should see a distinct pattern: any and all information that can be used to recover your account should be validated, removed or changed the instant you get your account back. That includes personal information, PINs, secret questions and answers, alternate email addresses and more - anything that the system you're dealing with might use for account validation and recovery.

If you don't, and the individual that hacked your account has even half a clue, it's very possible that you could recover your account only to find it hacked again within hours or even minutes.
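The "validate, remove or change" pattern above can be turned into a checklist that is run, not just remembered. The following is an added example (not code from the article or any provider): it takes a snapshot of an account's recovery settings as found right after regaining access, compares each channel against the contact details the owner actually controls, and lists what still has to be fixed. Email and phone values are normalized before comparison so a formatting difference or a one-character change is not mistaken for your own address or number; secret answers are always flagged for rotation because, as the article notes, an attacker may have read them even if they look unchanged. All data shapes and sample values are constructed for illustration.

```python
import re

# Constructed sample (hypothetical): recovery settings found right after
# regaining the account, plus the contact details the owner really controls.
CURRENT_SETTINGS = {
    "alternate_emails": ["Me.Backup@Example.com", "me.backup@examp1e.com"],
    "mobile_number": "+1 (555) 010-0199",
    "secret_questions": {"first pet": "Rover", "mother's maiden name": "Smith"},
    "billing_on_file": True,
}
OWNED_EMAILS = ["me.backup@example.com"]
OWNED_NUMBERS = ["+15550100100"]


def norm_email(addr):
    # Mailbox comparison is case-insensitive in practice; ignore stray whitespace.
    return addr.strip().lower()


def norm_phone(number):
    # Keep the leading '+' and digits only, so "+1 (555) 010-0100" and
    # "+15550100100" compare equal while a changed digit still differs.
    digits = re.sub(r"\D", "", number)
    return "+" + digits if number.strip().startswith("+") else digits


def audit_recovery_settings(settings, owned_emails, owned_numbers):
    """Return (channel, finding) pairs for every recovery channel that must be
    verified, changed or removed after getting a compromised account back."""
    findings = []
    owned_e = {norm_email(e) for e in owned_emails}
    owned_n = {norm_phone(n) for n in owned_numbers}
    for addr in settings.get("alternate_emails", []):
        if norm_email(addr) not in owned_e:
            findings.append(("alternate_email", f"{addr} is not an address you control: remove it"))
    mobile = settings.get("mobile_number")
    if mobile and norm_phone(mobile) not in owned_n:
        findings.append(("mobile_number", f"{mobile} is not a number you control: remove or replace it"))
    if settings.get("secret_questions"):
        # Untouched answers are still burned: the attacker may have read them.
        findings.append(("secret_questions", "rotate every answer, even ones that look unchanged"))
    if settings.get("billing_on_file"):
        findings.append(("billing", "review card statements; remove or replace stored billing data"))
    return findings


if __name__ == "__main__":
    for channel, finding in audit_recovery_settings(CURRENT_SETTINGS, OWNED_EMAILS, OWNED_NUMBERS):
        print(f"{channel}: {finding}")
```

Run against the sample, the lookalike alternate address and the altered mobile number are both reported, along with the standing reminders to rotate secret answers and check billing.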


Article C3913 - November 6, 2009

7 Comments

The 2nd email address could be used to break the hacker's stranglehold on the primary account if the primary mail provider were to automatically refer to the 2nd mail address all changes made to password and proposed changes to 2nd mail address - i.e. effectively pass master control of the primary account to the 2nd account. Do I get a prize for that idea?!!

Posted by: Digby Lowe at November 11, 2009 1:43 AM

A bigger problem is that the major webmail players have password recovery mechanisms that do not even rely on 'secret' questions, but rather a recollection or best guess of how you have used the service.

For example, GMail's Password Recovery page starts with, "If you've already tried to reset your password and you're still unable to access your Google Account, fill out the form below. Please answer each question as thoroughly and accurately as possible; the strength of your answers will determine if we can return your account. If you're not certain about some of the dates, provide your closest estimate."

The problem here is that a hacker gets to offer an alternate 'alternative' email address and answer a few questions about what other Google services the user might have used (along with estimates of dates) . . . and a few other tidbits that are not super difficult to work out. If the mix seems probable to Google they send a reset email to the proffered alternate email address.

In other words, if a hacker can work out what other Google services this user has and the approximate creation dates, he or she has a pretty good chance of taking control of the account.

Posted by: Rick at November 11, 2009 8:26 AM

While I have had no difficulties in this area (knock on wood), I remain concerned. I check credit card charges at least twice a month and my credit card and debit card likewise, so I think I'm on top of this problem. Incidentally, my ISP has withheld emails because they are questionable and appear to be complete strangers to me.

Posted by: Evan B Merz at December 15, 2009 7:25 PM

I believe that my computer has been compromised to a degree. Several months ago, I don't even remember when, I checked to see if I was the only name logged into my computer. To my amazement I was NOT the only person logged in. I kinda freaked and shut my computer down without writing down the "other" name. I have checked back often but found no one else logged in; this might be due to the fact that I have gotten a router. Just a couple of weeks ago I was going to log into my yahoo email account but I saw my computer password already typed into the space provided. I still get those stew-pid nigerian scams about money but, I always just delete them. I believe the unsolicited emails of offers to view women's private photos and chat sessions with unknown women, supposedly, are nothing but hacking or spoofing scams. My yahoo email account hasn't been hacked but I have suspicions that my computer is watched by parties unknown.

Posted by: Ron Inabinet at January 6, 2010 3:50 AM

In regard to 'secret' questions; if you have a set question there are limited 'truthful' answers. Try using one or two universal answers for all secret questions on all your web-based security. Like, Mother's maiden name? Venus, or blue whale, or Mitsubishi, or River Phoenix, and First pet you had? River Phoenix, Mitsubishi... etc.
This makes guessing the answers nearly impossible and we've now made the answers endless, rather than the limited truthful stock - AND it makes your answers easy to remember IF you stick to the same ones all the time.
FYI - Some profile setting areas in some web sites will show you your 'secret answers', which makes the secret void if your account is hacked.

Posted by: craig at February 2, 2010 1:54 PM
