What Happens When My Email Gets Hacked?

So what exactly does it mean when my email is hacked? You may think to yourself, “oh, well I don’t really have any confidential information in my email, so I doubt they can do much damage.” Wrong. So, so wrong.

Think of all the accounts that link back to your email account, especially the ones where “forgot my password” or “reset password” sends a link to that inbox. Most people have their bank sign-in, cell phone account, and home cable/internet accounts tied to it, along with streaming services and, the keys to the kingdom, shopping sites like Amazon.

The hacker gets into your email. They search for keywords like “reset,” “password,” or “bank” and can see which accounts are linked back to it. Too many times we hear “but they don’t know my username.” A quick search of the breach databases traded on the dark web will turn up millions of usernames; many of those records don’t include a password, but they do tie a username to an email address.

So, let’s pretend I’m a hacker and I get into your email account. I search and find that you reset your bank password a few months ago. I fire up a dark-web search for a breach database that lists usernames for that bank alongside email addresses; chances are, I’ll find yours. I go to the bank’s website, type in the username, click “forgot password,” and a helpful reset link gets sent to your email account, an account I now control. I can repeat that for shopping sites, credit card sites, and so on. Over and over again.

Your email account is the nexus for password resets, and it is the key identifier hackers use to look up the usernames of your other accounts, bank accounts included.
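The enumeration described above can be run defensively against your own mailbox. The following Python example is added here and is not code from the original post: it parses a constructed set of messages with the standard library and reports which sender domains have recovery mail sitting in the inbox, together with any reset links and usernames those messages leak. Every domain, address, token, code and the `Username:`/`Login:` line pattern is an assumption made up for the example.

```python
"""Inventory the accounts whose password recovery routes through a mailbox.

Added example (not code from the original post). Every address, domain,
token, code and username below is constructed for the demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Words that mark recovery traffic. Matched case-insensitively as substrings;
# loose on purpose, since the audit wants recall, not precision.
RECOVERY_KEYWORDS = ("reset", "password", "forgot", "recovery")

LINK_RE = re.compile(r"https?://[^\s<>\"']+")
# Hypothetical "Username: jdoe" style line that some confirmations carry.
USERNAME_RE = re.compile(r"(?i)\b(?:user ?name|login)\s*[:=]\s*([\w.@-]+)")

# Constructed sample mailbox: four RFC 5322 messages, none from a real service.
SAMPLE_MAILBOX = [
    """From: no-reply@examplebank.test
To: you@example.test
Subject: Reset your Example Bank password

We received a request to reset your password. Follow this link:
https://examplebank.test/reset?token=abc123
If you did not request this, ignore this message.
""",
    """From: account-security@shop.test
To: you@example.test
Subject: Your password was changed

This confirms that the password for your account was changed.
Username: jdoe88
""",
    """From: alerts@carrier.test
To: you@example.test
Subject: Your account recovery code

Your one-time recovery code is 482913.
Login: jdoe.mobile
""",
    """From: deals@news.test
To: you@example.test
Subject: This week's deals

Save 20% on shoes until Sunday.
""",
]


def parse_message(raw: str) -> EmailMessage:
    """Parse one RFC 5322 message using the modern EmailMessage policy."""
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg: EmailMessage) -> str:
    """Return the text/plain part of a message, or "" if it has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def is_recovery_mail(msg: EmailMessage) -> bool:
    """True when the subject or body mentions a recovery keyword."""
    haystack = str(msg["Subject"] or "").lower() + "\n" + body_text(msg).lower()
    return any(keyword in haystack for keyword in RECOVERY_KEYWORDS)


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: address, lowercased (the service the mail is for)."""
    address = parseaddr(str(msg["From"] or ""))[1]
    return address.rpartition("@")[2].lower()


def audit_mailbox(raw_messages):
    """Map each sender domain with recovery mail to the subjects, links and
    usernames found in it. Domains without recovery mail are left out."""
    inventory = {}
    for raw in raw_messages:
        msg = parse_message(raw)
        if not is_recovery_mail(msg):
            continue
        text = body_text(msg)
        entry = inventory.setdefault(
            sender_domain(msg), {"subjects": [], "links": [], "usernames": []}
        )
        entry["subjects"].append(str(msg["Subject"] or ""))
        entry["links"].extend(LINK_RE.findall(text))
        entry["usernames"].extend(m.rstrip(".") for m in USERNAME_RE.findall(text))
    return inventory


if __name__ == "__main__":
    for domain, info in audit_mailbox(SAMPLE_MAILBOX).items():
        print(domain, info)
```

Point the same functions at an export of your real mailbox (a folder of .eml files, for instance) and the result is the list to work through: every domain in it is an account whose recovery depends on the inbox, and therefore the first place to add a second factor. The newsletter in the sample is dropped because it carries no recovery keyword, which is the same filtering an attacker applies to save time.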

What I described above, by the way, takes about five minutes. Now think about how long it will take you to reclaim those accounts, and the financial damage that can be done in the meantime.

So what can you do?

  • If your bank, shopping, or cell phone accounts let you, move password resets off your email and onto a second channel, such as an authenticator app or a code sent to your phone. Bear in mind that SMS is the weaker of the two: an attacker who takes over your phone number (a SIM swap) inherits SMS resets the same way they inherit email resets.
  • Use long passwords wherever possible, around 20 characters if you can. They don’t have to be hard to remember: a string of unrelated words, or a sentence with some capitals thrown in, works fine. What matters is that it isn’t something that could be guessed and that it isn’t reused across sites, because a password that turns up in one breach dump will be tried against your other accounts. Cracking tools try dictionaries and common patterns first and then grind through the remaining possibilities, so a long, unusual password takes far longer to break. A password manager makes keeping a different one per site painless.

Overall, the best thing you can do to protect yourself in the case that your email is hacked is to set up two-factor authentication beforehand, on the email account itself and on the accounts that reset through it. This lets whichever service is being contacted confirm that it is actually you, and not someone trying to steal valuables or information, before it proceeds with the requested action. What would this look like? Picture the scenario above again: the hacker has found your bank username, clicks “forgot password,” and a reset link lands in the inbox they control. They follow it, pick a new password, and select “Done.” Before the change is accepted, the bank sends a one-time code to your phone (or prompts your authenticator app), and the hacker’s screen asks for that code. They don’t have it, so the reset stops there, and you have just received a code you never asked for, which tells you something is wrong. In the end the hacker gives himself away and you look like a genius for setting up two-factor authentication; a win-win.

Finally, remember that your contacts are valuable too: do you really want to be the account that sends all your friends, family, and professional contacts the malicious link that compromises their accounts? Your email isn’t just a nexus to your financial world; it’s a trusted name to everyone you know.


*Credit KrebsOnSecurity for the graphic*