A friend emailed a couple of weeks ago explaining that his email had been hacked and that he would like some advice to try to re-secure it and protect his account in the future. I sent him the email below, and he said he found it helpful, so I thought it might be useful to post it here:
Good Morning Dr.,
I’m sorry to hear about your email. If it is any consolation, odds are that your email account was only hijacked to send spam. This type of thing has become so common that everyone who received one of the emails probably immediately recognized it for what it was.
There are a few scenarios that can allow someone to gain unauthorized access to your account. The first is that someone who knows you, or can find out about you, used the lost-password feature in Gmail and answered your security questions. The remedy is to treat those answers as extra passwords rather than as facts: alter them in some way, or answer with something unexpected that nobody could look up, and keep a note of what you used. And try to make sure you don't publish information about yourself online, including your personal email address.
Another possible scenario is a brute-force attack, most often in the form of a dictionary attack. In this case someone basically runs a dictionary file against your account (or, more often, against a stolen copy of a site's password hashes), and if your password matches any entry in the dictionary, he gains entry. By "dictionary" I don't mean the kind you find in the reference section at the library. These are files loaded with millions of passwords that have leaked in past break-ins, plus the common variations people make on them. Brute-force attacks only work against passwords that are weak or predictable. So, for instance, a dictionary would contain a password like password20 straight away. A password like pAssWoRd20 is only a little better: randomizing the case multiplies the number of spellings an attacker has to try by two for every letter, which sounds like a lot, but an eight-letter word only has 256 case variants, and cracking tools apply exactly that kind of rule automatically. Where you get real protection is with a password that is not built from a word at all, like 7u#4nB&FaR: it appears in no list, and the only way to find it is to try every possible combination, which is not practical. I realize that this makes it more difficult to remember, but I'm sure you get the idea. Even a memorable variation of this, as long as it isn't a dictionary word with a few letters swapped, is a strong defense against a brute-force attack.
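To make the difference concrete, here is an added example (written for this post, not part of the original email) of a miniature dictionary attack of the kind described above. It hashes the three example passwords with SHA-256, then runs a tiny constructed wordlist against the hashes, first plainly and then with the case-toggling rule that cracking tools apply; the wordlist, the suffix list and the hashing scheme are all assumptions made for the demonstration and are far smaller and simpler than what a real attacker uses.

```python
"""Added example: a toy dictionary attack with and without case-mangling rules.

Not from the original email. The wordlist, suffixes and SHA-256 targets are
constructed here purely to illustrate why random case barely helps while a
password that is not a dictionary word does.
"""
import hashlib
import itertools
import math
from typing import Iterator, Optional, Tuple

# Constructed wordlist. A real leak-derived list has millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome"]
# Common suffixes people bolt onto a word; also constructed for the example.
SUFFIXES = ["", "1", "12", "20", "2012", "!"]


def sha256_hex(text: str) -> str:
    """Hash a candidate the way a (weak, unsalted) site might store it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def case_variants(word: str) -> Iterator[str]:
    """Yield every upper/lower-case spelling of word: 2**(letters) of them."""
    letter_positions = [i for i, ch in enumerate(word) if ch.isalpha()]
    for bits in itertools.product((0, 1), repeat=len(letter_positions)):
        chars = list(word)
        for pos, bit in zip(letter_positions, bits):
            chars[pos] = chars[pos].upper() if bit else chars[pos].lower()
        yield "".join(chars)


def candidates(use_case_rules: bool) -> Iterator[str]:
    """Word + suffix combinations, optionally expanded with case toggling."""
    for base in WORDLIST:
        for suffix in SUFFIXES:
            word = base + suffix
            if use_case_rules:
                yield from case_variants(word)
            else:
                yield word


def dictionary_attack(target_hash: str, use_case_rules: bool = True) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses hashed)."""
    tried = 0
    for guess in candidates(use_case_rules):
        tried += 1
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None, tried


def keyspace_bits(password: str) -> float:
    """Upper bound on strength: log2(alphabet ** length) for the character
    classes actually used. Real strength is lower if the password is a
    dictionary word, which is exactly what the attack above exploits."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII symbols
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for pw in ("password20", "pAssWoRd20", "7u#4nB&FaR"):
        target = sha256_hex(pw)
        plain = dictionary_attack(target, use_case_rules=False)
        mangled = dictionary_attack(target, use_case_rules=True)
        print(f"{pw:12} keyspace~{keyspace_bits(pw):5.1f} bits "
              f"plain={plain} case-rules={mangled}")
```

Running it shows the three tiers from the email: password20 falls in 10 guesses, pAssWoRd20 survives the plain list but falls to the case-toggling rule in under a thousand guesses (its nominal keyspace is only about 8 bits larger), and 7u#4nB&FaR is never found, so the attacker is left with an exhaustive search of roughly 2^66 possibilities.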
There is also a chance that you were phished. In this case, someone would typically send you a fake email with some account alert in it. It would ask you to click through to resolve the issue and enter your username and password, but the site on which you would be entering this information is a ruse, and your username and password would be captured and stored on the attacker's web server. They could then access your account as they pleased. In this case you would just need to change your password and be cautious about this type of trick in the future: never log in through a link in an email, and instead type the address yourself or use a bookmark, and check the address bar before entering anything.
There are also cases in which large hacks succeed against websites or corporations. You may have heard that LinkedIn was hacked recently and their users' passwords were accessed. In cases like this, you just have to try to find time to read the news, change your password on the affected site as soon as you hear about it, and, above all, use a different password for every account, so that a password stolen from one site can't be used to log in to your email.
Another means of gaining unauthorized access is a keylogger. This is a form of malware that resides on your system, capturing your keystrokes and transmitting them to an external server. Because keyloggers capture information as you type it, even the encryption on the site you are contacting won't protect your data. There are a couple of things you can do to avoid a scenario like this. The first is to make sure you are using quality security software, installing your Windows updates, and running scans regularly. The other is to use the on-screen keyboard when entering sensitive information. This defeats malware that only records the physical keyboard; it is a stopgap until the machine has been scanned clean, not a substitute for cleaning it, since more capable malware can also capture the screen.
You can access the on-screen keyboard by clicking the Start button or Windows icon at the bottom left of your desktop, then All Programs, Accessories, Ease of Access, and then On-Screen Keyboard (or click Start and type osk in the search box). After you use it once it will appear in the recently used list when you click the Start or Windows button.
If you would like to scan your computer to make sure nothing is left on it, we offer a free version of our software on our website at http://www.webvaccine.com/downloads. The trial version is at the bottom right, and the scanner is very effective.
Or if there is anything you would like me to look at or scan, just let me know. There is an app built into the website that allows you to share your screen with me which allows me to run scans and create logs. I can let you know what I find, and what I think the most likely scenario was that resulted in the breach.
I hope this was helpful.
And hopefully it goes without saying that you should change your password to something tricky, and enter it the first time and every time with the on-screen keyboard until the machine has been scanned and found clean.