
What is the security related information I need to change to secure an email account?

Question:

My friend has an iMac running 10.6.8 and lately I (and others) have been getting spam with his name on it that he didn’t send. You said in your article to change his password to Yahoo mail, but to also change his security-related information. I have no idea what that is. So what else besides his password should I tell him to change?

In this excerpt from Answercast #6, I look at the information that may be kept by your email provider for recovering your account and explore how to change it all to prevent the hacker from regaining access.


The importance of recovery information

There’s an article on this; it’s called “Is changing my password enough?” Basically, there are several things you want to be looking at.

The short answer is that you need to change any information that’s associated with that account that could be used to perform a password recovery.

What happens is:

  • The hacker comes in
  • Changes your password
  • Gets access to your account
  • You regain access to your account
  • You change your password back, or change it to something else.

So presumably, now, only you have access to your account. But while the hacker was in there, he could have been looking at all of this other information that would be used to perform a password reset. You know, the thing that happens when you say, “Oh, I forgot my password.” Different email services use different pieces of information to verify that you are who you say you are.

So when you say, “Hey, I forgot my password,” they ask you to supply (maybe) the answer to a couple of secret questions, or they send reset information to an alternate email address, or they send something to your phone.

The hacker had access to your information

The hacker could have seen all of that. He could have set all of that so that when you change your password (and regain access to your account), the moment the hacker notices this, all he has to do is say, “Hey, I forgot my password,” and the password reset might get sent to an alternate email address he set.

The password reset might now rely on secret questions whose answers he has set; the reset might involve a telephone number that he has changed in the account information to be his instead of yours.

Time to change everything

So the kinds of things that you want to be changing or verifying, to make sure that they are still set to what you expect them to be, are: your alternate email address (to which password reset information might be sent), your secret questions, and their answers.

If the answers are visible, change them. Change them now. Change them to something else or choose different secret questions. If they were visible to you, then the answers were visible to the hacker while he had access to your account. Any telephone, mobile, or cellular information (to which reset information might be either phoned or texted) should be verified. Billing information sometimes is used for this.

Make sure that billing information (your home address, your credit card numbers, that kind of thing), to the extent that it is visible, has not been changed and is still yours. So changing your password is most definitely not enough. Those are the kinds of things to be looking for.

If the email, the spam, that you’re receiving is definitely from his account, then he definitely needs to be looking at this.

There are definitely some other scenarios where spam can look like it came from somebody else whose account is not hacked; but if it’s you and your friends (who are all in his address book), chances are his email account was hacked for a while and he needs to go in and change all of that information.


1 thought on “What is the security related information I need to change to secure an email account?”

  1. I would add one thing: change the security answers even if they are not visible. Why? Because the hacker could have made note of what the questions were, but changed the hidden answers. So just because they’re the same questions doesn’t mean the answers haven’t been changed. And if they were changed, you wouldn’t even know it because the answers are hidden …
