Wrenched back a hacked email account: and lesson learnt

Email Gone
Email Gone

I always advised people to enter random text in response to lost password questions – and keep the password written somewhere safe so you never forget. This incident changed my view point. Read on…

This incident happened to a friend of mine a couple of days back. He woke up one morning to find himself unable to log on to his account. Yahoo! had temporarily locked down the account, and people on his address book had received an email showing him to be in trouble, without any money and seeking money. He was unable to contact some people, and inform them that he was fine: the email address book was also inaccessible.

I told him to be patient and wait for Yahoo to unlock the account. It was apparent that someone had brute forced his password and was seeking money. This is more difficult to do with Gmail because of their ‘captcha‘, however is possible with Yahoo. His password was a non-English word.

Around 12 hours later, the account was unlocked and we tried to reset the password. The hacker had added his one email ID as the alternate ID, but luckily Yahoo allowed us to the reset questions (we selected ‘my account is compromised’, and ‘I am unable to access any of the passwords’). Initially we felt that the hacker would have changed those as well and didn’t try to respond. However a moment later I noticed that Yahoo was showing ‘June 09’ as the last modified date of these questions: so the hacker had not changed them! With some trial and error, my friend was able to correctly respond to those questions and the account unlocked! I went back and removed the hacker’s alternate account: this was important, else the hacker could still unlock the account if this was left unchanged.

Lessons learnt? As below:

  • Use a strong password, having a mix of letters, numbers and special characters – this one was clearly brute forced which is the easiest way to hack an account other than by social engineering (which is tough if you don’t know the person whose account you are targeting). If you have a tough time coping with passwords, use password safe.
  • The reset questions: answer them randomly so that someone who knows you, and happens to be able to guess the real answers can’t hack your password. However, keep backup of those random responses in a computer file so that YOU are able to answer them if something goes wrong. For example, many people know where you went for honeymoon or your mother’s maiden name. So respond using ‘monkey typing’ and save a copy.
  • Use updated alternate email IDs / set up to use mobile SMS as backup.
  • Maintain an offline backup of your address book. Most providers allow this
  • If you want you can go a step ahead and hide your real ID, as shown here – when submitting your email ID to unscrupulous websites and blogs/boards etc.

Licensing and information about the blog available here.