Once your Windows Live Hotmail account, or contact list, has been hacked or compromised, there are several steps to clean up after you get it back.
My husband's Hotmail contact list has been hacked and a phishing paragraph was sent to them. Now it appears whenever he tries to forward an email. How do we get rid of it?
It's unusual that only the contacts would have been hacked into, and it's more likely your entire Windows Live Hotmail account has been compromised.
Frankly, I'm surprised you still have access.
But, given that you do, there are several steps you should take immediately, to recover from the damage that's been caused. One of those steps should take care of the phishing paragraph that's showing up.
I'm going to assume you're using Windows Live Hotmail's web-based interface. In fact, many of the steps we'll take will need to be taken there.
The very first thing you should do is very simple: Change Your Password. This is so important, I'd go so far as to say do it now, before even reading the rest of this article. It's the first step to slowing down (though perhaps not preventing) the hacker from continuing to access your compromised account.
There are now several things you must change to regain total control of your account.
Start by clicking on the Options item in the far right of the Windows Live Hotmail display:

In the drop down menu that appears, click on More options.
On the resulting "Manage Your Account" page, click on View and edit your personal information. That will take you to a page much like this:

The short version is that while your hacker had access to your account, they had access to everything here. If they didn't change it, they likely could have seen important information that you might care about.
Change it.
For everything that makes sense, change it.
Change your password: as I mentioned above, to prevent the hacker from accessing your account.
Change your security question: the hacker may have changed it, and could otherwise use it for a password reset after you change your password.
Change your alternate e-mail address: the hacker may have changed it to an account he controls, and could otherwise request a password reset sent to that account.
Change your mobile PIN, or remove your mobile number completely.
In billing options, consider removing or changing the payment method listed, and be sure to keep an eye on that credit card's statements in the future.
Also review the Additional options at the bottom of this page, making sure that the hacker didn't change permissions, marketing preferences, or anything else relating to your account.
That's the high priority stuff, but there are still plenty of things that need to be looked at.
Return to the "Manage Your Account" page. You'll want to double check almost every option listed on this page, as the hacker may have altered it while he had control of your account.
In particular, I'm guessing that you want to take a look at the "Personal e-mail signature" settings.

As the text of the feature states, the text in your signature is "added to the bottom of each e-mail message you send". I'm guessing that your hacker added his own personal message here, and that it's being automatically added to every message you send. Remove it.
In reality, if your hacker has been thorough, there's a lot of damage they can do, and it can be a lot of work to reconstruct your account. Remember that your Hotmail account is really your account for all Windows Live services, including Messenger, Spaces, Groups and who knows what else. While they had access to your account, they had access to all of that. And that means that they had access to any and all options relating to those other services in addition to Windows Live Hotmail.
It simply goes to underscore the importance of keeping your account safe, choosing a strong password, keeping it secure, and in general keeping your computer safe on the internet.
Prevention is so much easier than trying to clean up the mess after a problem.
Article C3734 - May 17, 2009
May 9, 2012 5:44 AM
My account has also been compromised. Details:
25Apr2012: WinLiveEssentials updated to 15.4.3555.0308. WLM client Version 2011 (Build 15.4.3555.0308).
01May: Received mail from my own address, sent to my address plus 2 contacts. This item was in INBOX and in SENT ITEMS. Unlike my legitimate sent mail, the item's FROM field is empty.
09May: Received another mail from my address, to my address and same 2 contacts, plus one non-contact address that I emailed on 03May. This item was in INBOX only, not SENT ITEMS.
Each item's content was a link; the 2 links were similar but different domains - both contained ".../blog/wpcontent/themes/.../likeit.htm?..."; both links' text appeared to match the target address.
I changed my account password after the 09May incident; I could not find any indication that anything had been altered. I have also deleted all contacts. None of my other WLM accounts has been affected AFAIK.
As was mentioned in the thread, it seems unlikely that someone with malicious intent would send out emails to advertise his activities.
FWIW I've used WLM since 2009 without apparent incident. The timing raises suspicion that the 25Apr WLE update could be a factor.
Anyone else with similar experience?
Thanks,
CC
09-May-2012
May 10, 2012 7:11 AM
Leo, thanks for the fast reply to my 09May post. I've done a bit more digging since I posted and I don't believe the items were sent from inside my account. As I said, the 2nd item doesn't appear in my outbox - I suppose a hacker could have deleted it - but the first item has different property details than my legitimate outgoing mails. They all start with FROM:..., TO:..., SUBJECT:..., DATE:... etc. Above those fields in the bogus message I see MESSAGE-ID:..., CONTENT-TYPE:..., X-ORIGINATING-IP:... and then FROM, TO etc.
To me this strongly suggests "spoofing" rather than hacking?
Of course that leaves the question of the additional recipients. I now realize that the 2 TO addresses in the first email were the only 2 addresses I've mailed from that account since 03Mar2012. The 2nd email added the one additional address I emailed on 03May. IOW, the targets seem more likely to be derived solely from my outgoing mail rather than my contacts list, although I have no idea how that could happen.
Sorry if I've gone a bit off-topic here - I thought the additional details might be of interest to others...
CC
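The header comparison described in the comment above, as an added example (not part of the original post or thread): it fingerprints a known-good sent message and a suspect one, then lists how they differ. Both messages are constructed, headers-only samples, and the Message-ID domain check goes beyond what the comment describes.

```python
from email import message_from_string

# Constructed samples (not real mail), headers only. Layout follows the comment
# above: legitimate sent mail starts From/To/Subject/Date; the bogus item does not.
LEGIT = """\
From: Owner <owner@example.com>
To: friend@example.org
Subject: Lunch on Friday
Date: Thu, 03 May 2012 10:15:00 +0000
Message-ID: <abc123@mail.example.com>
Content-Type: text/plain
"""
SUSPECT = """\
Message-ID: <zz99@bulk.example.net>
Content-Type: text/html
X-Originating-IP: [203.0.113.45]
From: owner@example.com
To: owner@example.com, friend@example.org
Subject: hi
Date: Wed, 09 May 2012 04:02:00 +0000
"""

def fingerprint(raw):
    """Summarise the headers that hint at which system produced a message."""
    msg = message_from_string(raw)
    mid = (msg.get("Message-ID") or "").strip("<> ")
    return {
        "order": [name.lower() for name in msg.keys()],  # order as stored
        "mid_domain": mid.rpartition("@")[2].lower(),
        "origin_ip": (msg.get("X-Originating-IP") or "").strip("[] "),
    }

def compare(baseline_raw, suspect_raw):
    """List the ways a suspect message differs from known-good sent mail."""
    base, sus = fingerprint(baseline_raw), fingerprint(suspect_raw)
    findings = []
    if sus["order"][:4] != base["order"][:4]:
        findings.append("header-order-differs")
    extra = [h for h in sus["order"] if h not in base["order"]]
    if extra:
        findings.append("extra-headers:" + ",".join(extra))
    if sus["mid_domain"] != base["mid_domain"]:
        findings.append("message-id-domain-differs")
    return findings

if __name__ == "__main__":
    print(compare(LEGIT, SUSPECT), fingerprint(SUSPECT)["origin_ip"])
```

Each finding is a hint that the message came from a different sending system, not proof: these headers can be forged, and a mail client's properties view may not show them in stored order.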
July 4, 2012 12:02 PM
My account must have been hacked - everyone in my contact list received a spam email from me. Now my account is locked and a strange email address is listed in the drop down "how do you want to receive your code". How do I get my account back?
06-Jul-2012
July 4, 2012 8:17 PM
@Lynn,
Read this article... it will help:
Email hacked? 7 things you need to do now.
August 4, 2012 10:39 AM
Your live.com email account was simply hacked, and yes this is happening a lot. Changing your password and all password recovery information is the right thing to do.