Having your account hacked is nothing new, but a few of my friends have experienced this particular frustration lately, so I wanted to write a quick guide on how to deal with it, and also how to avoid it happening in the future.
Some of what I’m writing about comes directly from the experience the good folks at Gizmodo had just a couple of weeks ago. Let’s face it: if the people at a technology blog can get hacked, it’s a cinch that you can too. The only thing you have going for you that they don’t is that you are relatively anonymous.
Before I start, a reality check: If someone is trying to hack YOU – not just anybody they can get their hands on, but you specifically – then you are going to get hacked. They can put far more time and resources into the attack than you can put into defending against it, and odds are you won’t know they even had you on their radar until it’s over.
With that said, unless you are in politics or work for Gizmodo, you are much more likely to be hit by an opportunistic attack (a password you reused somewhere that leaked, a phishing email, a guessable password) than by someone targeting you personally, and those are the attacks this guide helps you shut down.
First: What you should have done already – back up.
Do you have a copy of your contact list? How about your email repository?
If you don’t, you are being reckless, hacked or not.
Backing up email is outside the scope of THIS post (but it’s a good idea for another one down the road). Let’s just say for the moment that you have everything backed up.
Are you SURE you got hacked? It’s easy enough for someone to make emails LOOK like they came from you (the From: line of an email is just text the sender fills in), so be certain. Two quick checks before you do anything drastic: ask a friend who received one of the strange messages to send you the full message headers, and look at whether the message actually passed through your provider’s mail servers or was handed to your friend’s provider by some unrelated machine; and look at your account’s recent sign-in activity, if your provider shows it (Gmail has a “Last account activity” link at the bottom of the inbox). The blunt acid test is to back up all your contacts and email, and then clean EVERYTHING out – everything in your sent items, your folders, your contacts, ALL of it. You have it all backed up, right? So it’s no big deal. Well, not as big a deal as being hacked, at least. Keep in mind, though, that if someone really was inside your account they have probably already copied your address book; cleaning it out limits what they can take from here on, not what they already have.
Now, change your password. Make it long, make it something you don’t use anywhere else, and mix in letters, numbers, uppercase and punctuation (more on picking a good one below, under “Set up your new home”).
Now wait a day or two. If people are still getting strange messages from you, you have probably NOT been hacked. Someone is just spoofing your email address, and there’s not much you as an individual can do about that, unfortunately: whether receiving servers reject mail that forges your address depends on your provider’s setup (its SPF, DKIM and DMARC records), not on anything in your account.
If the emails stop, though, it’s a good sign you had been hacked. The good news is that the bad guy no longer has access to your email, as long as you also close the other doors: sign out of all other sessions if your provider offers that, check that the recovery email address and phone number on the account are still yours, and look for forwarding rules or filters you didn’t create (a common trick is to quietly forward a copy of everything to an outside address, which survives a password change). The bad news is that he did have access, along with everything in it. You don’t want that to happen ever again.
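Here is the header check in code, as an added example written for this post (it is not something the original article or any mail provider ships): given the full headers a friend forwarded, it decides whether the message left through your provider, which means your account was used, or was forged elsewhere, which means spoofing. The receiving server stamps the Authentication-Results header with its SPF and DKIM verdicts and prepends its own Received line, so the oldest Received line shows which server first accepted the message. Every hostname, IP address and domain in the three sample messages is constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample 1: a message that really went out through the victim's
# account. The oldest Received line was stamped by the provider's own
# submission server, and the receiver's SPF and DKIM checks pass.
GENUINE = """\
Authentication-Results: mx.friend-mail.net; spf=pass smtp.mailfrom=example-provider.com;
 dkim=pass header.d=example-provider.com
Received: from mail-out.example-provider.com (mail-out.example-provider.com [203.0.113.10])
 by mx.friend-mail.net with ESMTPS id abc123
Received: from [10.0.0.5] (unknown [198.51.100.200])
 by smtp.example-provider.com with ESMTPSA id xyz789
From: Alice <alice@example-provider.com>
To: bob@friend-mail.net
Subject: check this out

hi, look at this link
"""

# Constructed sample 2: same From: line, but handed straight to the receiver
# by an unrelated host; there is no DKIM signature and SPF fails.
SPOOFED = """\
Authentication-Results: mx.friend-mail.net; spf=fail smtp.mailfrom=example-provider.com;
 dkim=none
Received: from 198.51.100.77 (unknown [198.51.100.77])
 by mx.friend-mail.net with ESMTP id def456
From: Alice <alice@example-provider.com>
To: bob@friend-mail.net
Subject: check this out

hi, look at this link
"""

# Constructed sample 3: the receiver recorded no checks at all, so the
# headers alone cannot settle the question.
NO_CHECKS = """\
Received: from 198.51.100.77 (unknown [198.51.100.77])
 by mx.friend-mail.net with ESMTP id ghi789
From: Alice <alice@example-provider.com>
To: bob@friend-mail.net
Subject: check this out

hi
"""


def parse_message(raw):
    """Parse raw RFC 822 text; policy.default unfolds multi-line headers."""
    return email.message_from_string(raw, policy=policy.default)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts. Only the topmost Authentication-Results
    header, stamped by the receiving server, is trusted (a sender can embed a
    fake one lower down), so the first verdict seen for each method wins."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def first_hop_server(msg):
    """Server that accepted the message first: the 'by' clause of the oldest
    Received header. Servers prepend Received lines, so the oldest is last."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = re.search(r"\bby\s+(\S+)", str(received[-1]))
    return m.group(1).lower() if m else ""


def classify(raw, provider_domain):
    """Return 'sent-through-your-account', 'spoofed' or 'inconclusive'."""
    msg = parse_message(raw)
    verdicts = auth_results(msg)
    server = first_hop_server(msg)
    via_provider = server == provider_domain or server.endswith("." + provider_domain)
    if via_provider and verdicts.get("dkim") == "pass":
        return "sent-through-your-account"
    if not via_provider and (
        verdicts.get("spf") == "fail" or verdicts.get("dkim") in ("fail", "none")
    ):
        return "spoofed"
    return "inconclusive"


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("no checks", NO_CHECKS)):
        print(f"{name:9} -> {classify(raw, 'example-provider.com')}")
```

The rule of thumb the code encodes: mail that really left your account passes DKIM for your provider’s domain and was first accepted by one of your provider’s servers; a forgery is injected from somewhere else and fails SPF or carries no signature. When the receiver recorded no checks, the headers are not enough and you fall back on the change-the-password-and-wait test above.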
Next: damage control
Assess whether you really need to keep your current (hacked) email account, or if you can switch. If you are using AOL, Hotmail, Yahoo, SBCGlobal, or any one of a host of other smaller email providers, I’d say it’s time to switch.
Why? I want Yahoo to make a comeback as much as the next guy, but the reality is that they are having trouble, and the security of their FREE email service is not likely to get a lot of attention right now. Ditto a lot of the small fries. Time to jump ship.
If you aren’t ready to switch, you can still follow most of the instructions below.
Set up your new home
Get a Google Mail account. It’s quick and simple (https://mail.google.com). Type the address in yourself and check it before you sign in; look-alike addresses are a classic phishing trick.
While you are at it, pick a fairly difficult password. “Difficult” does not mean “hard to remember” or “impossible to type”. It means “hard for a person or hacking program to guess”.
Here’s a hint: use a phrase instead of a word. Use the underscore ( _ ) instead of spaces, but otherwise, pick something you can remember, but is more than one word. “Ring_around_the_rosey”. Add punctuation (“Stupid_mean_people_suck!”) and the password becomes even harder. Why? I leave it to the awesome creator of XKCD to explain (http://xkcd.com/936/). The catch, which the comic also makes: the words only count for something if they were picked more or less at random. A nursery rhyme line like “Ring_around_the_rosey” is on the lists cracking programs try early, so treat it as the pattern to copy, not the password to use.
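To put numbers on the passphrase advice, here is an added example (written for this post, not taken from XKCD or any password tool) that generates a passphrase from a wordlist with the operating system’s random number generator and works out how many bits of guessing work it represents, next to a short password built from random characters. The wordlist embedded below is a constructed stand-in; the 7776-word figure is the size of the Diceware and EFF wordlists, and the guess rate used for the time estimate is an assumption for an offline cracking rig.

```python
import math
import secrets

# Constructed wordlist for illustration only; a real one is thousands of
# words long. LIST_SIZE_DICEWARE is the size of the Diceware/EFF lists.
SAMPLE_WORDS = [
    "ring", "around", "rosey", "pocket", "posy", "ashes", "stupid", "mean",
    "people", "suck", "correct", "horse", "battery", "staple", "lantern", "river",
]
LIST_SIZE_DICEWARE = 7776
# Assumed guess rate for an attacker cracking a leaked password hash offline.
ASSUMED_GUESSES_PER_SECOND = 1e10


def passphrase_entropy_bits(n_words, list_size):
    """Bits of entropy in n words each drawn uniformly from list_size words.
    This only holds for random draws; a phrase you already know is not one."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length, charset_size):
    """Bits in a password of `length` characters drawn uniformly from a
    charset (95 = printable ASCII). A human-chosen 'P@ssw0rd1' has far less."""
    return length * math.log2(charset_size)


def generate_passphrase(wordlist, n_words=4, sep="_"):
    """Pick words with the OS CSPRNG so the entropy figure actually applies."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def guess_time_years(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected time to hit the secret: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    words4 = passphrase_entropy_bits(4, LIST_SIZE_DICEWARE)
    chars8 = charset_entropy_bits(8, 95)
    print(f"4 random Diceware words: {words4:.1f} bits, ~{guess_time_years(words4):.0f} years")
    print(f"8 random printable chars: {chars8:.1f} bits, ~{guess_time_years(chars8):.0f} years")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Four random words from a 7776-word list come out at about 52 bits, the same ballpark as eight fully random printable characters, and the four words are the ones you can actually remember. Adding a fifth word buys another 13 bits; adding punctuation to a known phrase, as the post suggests, helps only if the attacker’s wordlist doesn’t already include that variation.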
Once it’s created, set up two-step verification. Why? Because it means a stolen or guessed password is no longer enough on its own: whoever has it also needs the code that goes to your phone, which is a much higher bar, though not an impossible one (a code can be phished out of you too, so never type one into a page you didn’t navigate to yourself).
It works like this: When you sign into your email on a new machine, you will get a text message on your phone (or a phone call, if you prefer, or a code from an authenticator app on the phone). The message will just be a number. You enter the number onto the login screen, proving you are “you”, or at least that you have your phone.
While it sounds like a hassle, it’s actually no big deal once you set it up; you only go through it on a machine the account hasn’t seen before. And let’s be clear: someone who has only your password is stopped at the login screen. They can’t log in without that magic number, which is being sent to YOUR phone. As a bonus, a code arriving on your phone that you didn’t ask for tells you someone has your password, and that it’s time to change it.
If you are on Gmail, you set it up by going to your account page (https://www.google.com/settings/account), clicking on Security, and turning on “2-Step Verification” there. Print the backup codes it offers and keep them somewhere safe, so that losing your phone doesn’t lock you out of your own account.
Finally, ease the transition
Back on your old email account (you changed the password there, too, right? How about checking to see if IT supports 2-step verification? Just to really make it hard for the guy who originally hacked your account.) set up email forwarding to your new account. That way you don’t miss a message as people get used to your new address. Remember that the old account stays a target for as long as it exists and is forwarding your mail, so it needs a strong password of its own, not a recycled one.
And another thing
Changing your email is an important step, but it’s not the only one. You probably have a lot of “things” that use your email for verification – Facebook, Twitter, Pinterest, bank accounts, etc. Make sure you update the email address on those too, and check whether any of them still list your old address as the password-recovery address; that is exactly the address an attacker who had your old account would use to take them over.
While you are on those systems, change your password (again, consider using a “pass phrase” instead, and a different one for each site); and check out their security settings to see if you can ratchet them up a notch, since many of them offer two-step verification as well.
All that happened this time was your email got compromised. But you don’t know if that was part of a larger effort to dig into your electronic life.
Trust me, there are worse things than losing all your email contacts.