Helping people with computers... one answer at a time.

We'll use one person's situation as a lesson in what not to do, and turn that around into some steps and advice to keep your account and stay safe.

Dear Mr. Mrs.

To home is my concern from couple months ago some one has my e mail address stolen and I dont know haw I can report for this till some one till me about this web Sid and my email address was ******@hotmail.com and my password is 123456 please give me an answer as soon as you can you can call me ###-###-####

Thank you
Email owner
(name redacted)

With the exception of the obviously removed information, this is a question exactly as I recently received it, sent to my personal email address.

Now, set aside the fact that this email is clearly written by a non-English speaker; that's very common, as the site is visited by people from all over the planet.

There are several very serious problems with this email that I want to make sure you never, ever duplicate.

Can you see them? One of them is absolutely frightening.

First, let me give the answer I gave to the questioner:

You can try the instructions on Windows Live Hotmail's What to do if you think your account has been stolen page.

Now, I'm not hopeful, and you'll see why in a moment, but it's worth a shot.

"What's wrong with this scenario? Let me count the ways."

What's wrong with this scenario? Let me count the ways.

  • I did not obfuscate the password above. This person's actual password was "123456": a simple ascending sequence that sits at or near the top of every list of leaked passwords, and among the very first guesses any attacker tries. My first reaction? No wonder your account was stolen. This is absolutely frightening.

  • A couple of months? Within the first few days of a theft you stand a chance, but after weeks or months my belief is that things are pretty hopeless: by then the thief has usually changed the recovery details (alternate email address, secret question) so that the provider's own recovery process leads back to the thief, not to you.

  • She gave her password to a total stranger. Yes, that stranger was me, but she doesn't know me and has no idea how trustworthy I may or may not be. She contacted me using a different Hotmail account, but given her abysmal choice of password for the first account there's a very high likelihood that she kept using the same password for the new account, or one just as easy to guess.

  • She gave her phone number to a total stranger. Once again, me, but it's clear that even after having her account stolen, the privacy and security lessons have not yet sunk in. (And no, I'm not calling her; that's just not something I do.)

So, after all the fault finding I've just indulged in, what can you learn from this exercise? How can you stay secure?

Let's just turn each of my concerns around:

  • Use a strong password. Always. No excuses. Use a different one for each account, keep it safe, and share it with no one.

  • Act quickly if you suspect that your account has been compromised. If you can still sign in, change the password and update the recovery information (alternate email address, secret question) immediately, before the thief does. Use the resources available to act on your situation as quickly as possible. Hotmail users have http://windowslivehelp.com/ specifically for Hotmail support and discussion.

  • Keep your private information private. Don't go handing out your phone number, and most certainly not your password, to just anyone in the hopes of getting help. There are too many people out there who will abuse your trust and cause you more trouble.
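To make the "strong password" advice concrete, here is an added example (written for this page; it is not Leo's code and not part of the original article) that does what an attacker does first, checks a candidate against a list of the most common passwords, and only then estimates how long brute force would take. The common-password list is a constructed, abbreviated stand-in for the real leaked lists, the guess rate of ten billion per second and the weak/fair/strong thresholds are this example's own assumptions, and the generator shows what "strong" looks like when a machine picks the password instead of a person.

```python
import math
import secrets
import string

# Constructed, abbreviated stand-in for a leaked-password list. A real check
# loads the full list (hundreds of thousands of entries) from disk; these are
# simply among the entries that appear at the top of every such list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "letmein", "monkey", "iloveyou", "123123", "welcome", "dragon",
}

# Assumed guess rate for the estimate below: offline cracking of a stolen
# hash database runs at billions of guesses per second on commodity hardware.
GUESSES_PER_SECOND = 1e10


def charset_size(pw):
    """Number of symbols an attacker must consider per position, judged from
    the character classes actually present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def assess(pw):
    """Strength report for a candidate password.

    An attacker tries the common list before any brute force, so a listed
    password is found within len(COMMON_PASSWORDS) guesses no matter how
    it is written."""
    if not pw or pw.lower() in COMMON_PASSWORDS:
        return {"common": True, "bits": 0.0, "seconds": 0.0, "verdict": "weak"}
    bits = len(pw) * math.log2(charset_size(pw))  # size of brute-force space
    seconds = 2 ** bits / GUESSES_PER_SECOND      # time to exhaust it
    # Thresholds are this example's own rule of thumb, not a standard.
    if bits < 40:
        verdict = "weak"
    elif bits < 64:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"common": False, "bits": round(bits, 1), "seconds": seconds,
            "verdict": verdict}


CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length=16):
    """Random password from the OS CSPRNG with at least one character from
    each class, shuffled so the class positions are not predictable."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("123456", "Fluffy2009", generate_password()):
        report = assess(candidate)
        print(f"{candidate!r}: {report['verdict']} ({report['bits']} bits)")
```

The point the numbers make: "123456" never even reaches the brute-force stage, a human-chosen "Fluffy2009" is only fair because ten characters drawn from letters and digits give about 60 bits, and a 16-character machine-generated password is over 100 bits, which is why a password manager that generates and stores passwords is the practical way to follow the advice above.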

I honestly don't mean to make fun of or shame the person with the original problem; in fact, I responded to her well before posting this article, not expecting her ever to return to my site anyway. My hope is that by pointing out the deep flaws in her approach to passwords and privacy, some of you who might see even vague similarities with your own approach will rethink your situation and take steps to keep yourself more secure.

Sadly, the other thing that's frightening about this scenario is simply how common it is.

Article C3687 - March 28, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


13 Comments
John
March 28, 2009 4:04 PM

The same thing happened to me with my Hotmail and Facebook accounts, since they had the same password. My original password was great. It contained upper case, lower case and numbers, but the person was able to change the password because she could answer the security questions you're asked when you have supposedly forgotten your password. Facebook supplied the birthdate (I have since deleted the year) and I have changed my identity question, which I had forgotten about completely. It used to be the name of my first dog; however, this person knew the answer. I am pretty sure I know her identity, but can't prove it. I calmly sent an email to my captured accounts and asked that a password I suggested be used and they be given back to me. The person complied and sent an email back to me. By getting it into Outlook and looking at the information in the header, I was able to determine where the server was.

I was rather upset at Microsoft, though. They were unwilling to give me more information on the activity of MY ACCOUNT and the location of the computer that was using it while it was stolen. If I am right that they could have zeroed in on it, I think that the laws need to be changed. Like your record at school, you should be able to see the information in your account - where you sign on.

I approached the person who I think stole my account, but she denies it. I have since changed my password, although it is no more secure than the first one, which was very secure, but I have changed my identity question on Hotmail.

By the way, this same person tried to change my password and hijack my account in Yahoo. Fortunately, their security question allowed greater flexibility, so it wasn't about my dog, but something I would only know and I had a different password, which also involved numbers, upper and lower case.
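John's remark about reading the message header is worth making concrete. The following is an added example, written for this page (it is not John's or Leo's code), that walks the Received: chain of a constructed message from the bottom (the earliest hop) upwards and reports the first sending address that is not an internal one. The message, hostnames and addresses are all made up; the skip list covers only RFC 1918 and loopback ranges, so the documentation addresses used here count as public for the purposes of the example.

```python
import email
import ipaddress
import re

# Constructed sample message (not a real capture): the hijacker's reply as it
# might look after leaving a home PC, passing the ISP's outbound server, a relay,
# and finally the victim's inbound MX. Top Received: line is the newest hop.
RAW_MESSAGE = b"""\
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
\tby mx.example.com with ESMTP id 1Lnq2x-0003Xy-AB
\tfor <victim@example.com>; Sat, 28 Mar 2009 15:01:02 -0700
Received: from smtp.isp.example (smtp.isp.example [203.0.113.45])
\tby mail-relay.example.net with ESMTP id 5F2C1A7B;
\tSat, 28 Mar 2009 15:01:00 -0700
Received: from desktop-7 ([192.168.1.20])
\tby smtp.isp.example with ESMTPA id k3Hx9Z;
\tSat, 28 Mar 2009 15:00:58 -0700
From: hijacked-account@example.com
To: victim@example.com
Subject: Re: my account
Message-ID: <20090328220058.k3Hx9Z@smtp.isp.example>

Fine, I changed the password to the one you asked for.
"""

# First bracketed dotted-quad in a hop is the address the receiving server saw.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")

# Only RFC 1918 and loopback are treated as internal here (an assumption made
# so the documentation addresses above count as public).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_hops(raw):
    """Return the Received: hops in delivery order (origin first), each with
    the sending address, the receiving host, and the unfolded header text."""
    msg = email.message_from_bytes(raw)
    hops = []
    # Headers are stored newest-first; reverse to walk from the origin.
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(value.split())  # unfold continuation lines
        ip_match = IPV4_IN_BRACKETS.search(text)
        by_match = BY_HOST.search(text)
        hops.append({
            "from_ip": ip_match.group(1) if ip_match else None,
            "by": by_match.group(1) if by_match else None,
            "raw": text,
        })
    return hops


def first_public_sender(hops):
    """Earliest sending address that is not on an internal network, i.e. the
    closest thing to 'where the mail came from' the headers can offer."""
    for hop in hops:
        ip = hop["from_ip"]
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NON_ROUTABLE):
            continue
        return ip
    return None


if __name__ == "__main__":
    hops = received_hops(RAW_MESSAGE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: from {hop['from_ip']} by {hop['by']}")
    print("first public sender:", first_public_sender(hops))
```

One caveat a practitioner would add: every Received: line below the one added by your own provider's servers was written by machines the sender controls and can be forged outright, so the only hops you can trust are the ones your provider stamped on; what they show is the address of the server that handed the message over, which is why, as John found, the provider is the only party that can tie that to a specific login.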

Lin
March 28, 2009 5:46 PM

To keep my email accounts secure, I answer the security questions with something that only I would know (because the answer makes absolutely no sense to the question).
For example:
Q: What is your favorite flower?
A: cat

This way, someone cannot guess a series of flowers and hit upon the right one.

Of course, you must make sure that YOU remember your wacky answer or you will be in trouble!

ron
March 28, 2009 5:54 PM

Yes, those common questions are a weak spot. I have a couple of very simple solutions for the problem:

1. don't pick a question that has a very limited answer set like colors or car makes.

2. When asked for personal information in online forms my first response is LIE LIKE A RUG!!!! Do not give true information unless absolutely necessary, i.e. give them a first name but last name "aaaa", address "000 anystreet ave", phone "000 000 0000" etc. Read this article for a scary view of personal information security:
http://www.schneier.com/blog/archives/2007/12/anonymity_and_t_2.html
In it he talks about techniques that can be used to "de-anonymize" anonymous information, i.e.
(snip)
Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. "In general," the researchers wrote, "few characteristics are needed to uniquely identify a person."
(/snip)

So unless your personal info is truly required, like mailing info for an online purchase, there is no reason for you to enter correct info.

Sat
March 31, 2009 8:32 AM

I think the most important aspect is the password. Even if it's about your favourite TV show, actor or sportsperson, always insert numbers, lower/upper case combinations, and special characters (if allowed) into the password. Also don't just give the bare minimum number of characters. Give at least 8-10 in the password.

The security question is your secondary defence, the password is the primary one so make your primary defence as strong as possible.

Bill Chubb
March 31, 2009 9:44 AM

I'm in the UK and recently we've been treated to one of your tremendous televised serials "Damages". Therein Patti Hughes offers the best advice to all of us. "Trust no-one". Sad, but true and something we need to remember when choosing passwords and security questions.

Alice
March 31, 2009 10:31 AM

This was an eye opener. Having been taught to always tell the truth I've always put in the true address or info required...now I'll do the "color"/"cat" thing with a different twist. I'm sure nobody knows my father's name but I'll be safer from now on and try to be more creative and instead of having it remembered, I'll keep a log of my stuff and keep it in a paper file.

Robert
March 31, 2009 12:58 PM

Good tips on security. The first reader comment also struck a chord. Social networking is all the rage now, but we must not forget the fatal pitfall of sharing loads of personal information with our "friends". Even my Yahoo profile asks for far more than I am willing to divulge. And, as if the social sites don't get personal enough, (too much) if you answer the endless stream of "20 Questions" e-mails, you're giving out most of the answers to most of the common security questions available. Let's stop the insanity and keep our Alma Mater, pets' names, favorite movies and boxers or briefs preferences to ourselves!

Dingermannnnn
March 31, 2009 1:20 PM

Hmmmm...I've never had any problem with my profile or email address being compromised. However...this article has made me more aware of the big picture. From here on I will be more careful with my profile/personal information. Thanks a bunch!!!!

Margaret Louk
March 31, 2009 4:10 PM

I would like to suggest having 1 or more email addresses from another provider. When I went to reinstall my ISP I forgot my password, and found that the one I wrote down was an older one. Fortunately I gave my provider an alternate email and was able to get the password, and change it. By the way I was discussing the Conficker with friends and was appalled to find out they did not update their windows, and she just made files and dumped unopened mail into them. Sigh.

Jeff
April 1, 2009 5:57 AM

To keep up with passwords, account information, etc, I suggest an application like Password Safe (passwordsafe.sourceforge.net). I can store Usernames, Passwords, and any other information about that site (challenge/response) in one place. I only have to remember 1 password to open the database, and then I have access to all my account information.

Good suggestion about 'flower/cat' - I'll start using that!

Jean Gonzales
April 3, 2009 6:12 PM

Love the "flower/cat suggestion. Whats the procedure on applying "Password Safe"? Now that is a very, very good idea, especially for me as I have trouble remembering what happened yesterday.

Jim
April 6, 2009 9:53 PM

I have found that a few sites will allow a space in the middle of your password. I combine this with my (German) grandparents' last name, a space for a missing letter, and close with a number.

mr & mrs
June 2, 2010 11:37 AM

My account was stolen. Whoever did this sent bogus emails to my contacts trying to scam money. I am worried about the information in my emails. Could these people use that information? Am I able to report this to authorities? Who?

