So your e-mail was hacked
We live in a very digital world with constant contact in real-time through social media, SMS, and e-mail. Without a doubt, it's an exciting time! People share just about everything from pictures to videos and files.
Have you ever asked yourself what knows more about you than anything else?
Your e-mail, perhaps? Think about what's in your e-mail, personal and work. If you've been using e-mail since it was brought to the masses, there's a lot of information in it. If you've ever sent personally identifiable information (PII) such as your date of birth, SSN, address, or a credit card number to someone via e-mail, it's likely still there in your mailbox, if only in your Sent folder. Pictures. Personal things. A whole lot about you, enough to steal your identity.
Now ask yourself what you would do if you were locked out of your e-mail. Like it was hacked and the password changed.
For some, if not most, that might trigger a panic attack: you're locked out of your personal e-mail and everything you need to get to. Then, in a moment of hope, you remember that services like Gmail, Yahoo, Outlook.com, etc., offer a way to get back into your account in case just such a thing happens. You can have a code sent to a recovery e-mail address to get back in.
What happens if you're locked out of that e-mail account too, and you never set up multi-factor authentication?
Unless you can answer the verification questions, you're pretty much out of options. You can't call Google, Microsoft or Yahoo and speak to a live person; Google's advice is to open a new e-mail account. Think something like this can't possibly happen, locked out of both e-mail accounts? Yes, it can. We dealt with this exact situation recently.
Jane Doe came to us as a referral. She found herself locked out of her Gmail account and of her recovery e-mail account, which also happened to be with Gmail. Unfortunately she had never set up the advanced security options on either account, like MFA or saved offline recovery codes, and couldn't remember the answers to any of the verification questions. To make things worse, all of this had happened a month earlier, at which point she had taken her laptop to a local big-box consumer electronics store. The in-house geeks summarily installed an antivirus product, cleaned things up (wiping out any forensic evidence in the process) and told her she was good to go. Except she was still locked out of all her e-mail accounts.
Cybersecurity is what we do, but since the big box's cleanup had left us nothing to do forensics on, we started by checking the forums, chat rooms, markets and identity theft trades on the dark web. It didn't take long to discover that the credentials to her recovery e-mail account had been compromised over a year earlier. There they were, in plain text. She confirmed that it was her password. But how did the threat actors get to her primary e-mail account?
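A way to check whether a password is already circulating in breach dumps without handing the password to anyone, as an added example that is not part of the original post and not the tooling we used on Jane Doe's case: it implements the k-anonymity lookup offered by Have I Been Pwned's Pwned Passwords range endpoint, where only the first five hex characters of the SHA-1 hash leave your machine and the rest is matched locally. The range response embedded below is constructed to match the service's line format; its counts are made up for the example, and the `fetch_range` helper is the only part that touches the network.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body the Pwned Passwords range endpoint returns
# for the prefix 5BAA6: one "<35-hex-char suffix>:<count>" per line. The counts
# are made up; only the format matches the real service.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E8FF5DB1A4E13A8DCCE0C3D48E5E0E4E8B:1
"""


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.
    Only the prefix is ever sent anywhere; the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix. 0 means the hash is not in that range."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the real service (network access required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_lookup=fetch_range) -> int:
    """How many times the password appears in the corpus; 0 if never seen."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, range_lookup(prefix))


def offline_lookup(prefix: str) -> str:
    """Hypothetical stand-in for fetch_range so the demo runs without network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # "password" hashes to 5BAA61E4C9B9..., so it hits the constructed sample.
    print(breach_count("password", offline_lookup))
    print(breach_count("correct horse battery staple", offline_lookup))
```

Pass `fetch_range` (the default) instead of `offline_lookup` to query the live service; a non-zero count means the password has been seen in a dump and should be retired everywhere it is used.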
Having gained access to her recovery account, they began the recovery process on her primary e-mail account. The hacker mentality is to cast as wide a net as possible once you get access to one thing, and all they had to do was look through the mailbox for other accounts that used it as a recovery address. Google did what the recovery flow is designed to do: it sent a recovery code to the recovery account, and that code let the threat actors change the password on the primary account and gain access. Once they were in, enrolling their own MFA and "securing" the accounts against their rightful owner would permanently lock Jane Doe out. That's exactly what they did.
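The chain described above can be audited before an attacker walks it. The following is an added example, not part of the original post or any tool we used: it takes a constructed inventory of accounts (hypothetical addresses, not Jane Doe's real ones), records which address each one resets through and whether MFA is on, then reports recovery loops (two accounts that recover each other, as in this case) and the blast radius of a single breached credential. It assumes an MFA-protected account cannot be reset with an e-mailed code alone, which is the behaviour you want and should verify with each provider.

```python
from collections import deque

# Constructed inventory (hypothetical names, not Jane Doe's real accounts):
# which address each account uses for password recovery, whether MFA is on,
# and whether its password is already known to be in a breach dump.
ACCOUNTS = {
    "jane.primary@gmail.com": {"recovers_to": "jane.backup@gmail.com", "mfa": False, "breached": False},
    "jane.backup@gmail.com":  {"recovers_to": "jane.primary@gmail.com", "mfa": False, "breached": True},
    "jane@bank.example":      {"recovers_to": "jane.primary@gmail.com", "mfa": True,  "breached": False},
    "jane@shop.example":      {"recovers_to": "jane.primary@gmail.com", "mfa": False, "breached": False},
}


def dependents(accounts):
    """Invert the recovery edges: for each address, the accounts that reset through it."""
    rev = {name: [] for name in accounts}
    for name, cfg in accounts.items():
        target = cfg["recovers_to"]
        if target in rev:
            rev[target].append(name)
    return rev


def blast_radius(accounts, start):
    """Accounts an attacker who owns `start` can take over by running password
    resets outward along recovery edges. Assumption: an MFA-protected account
    cannot be reset with an e-mailed code alone, so MFA stops the chain."""
    rev = dependents(accounts)
    owned, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dep in rev[cur]:
            if dep not in owned and not accounts[dep]["mfa"]:
                owned.add(dep)
                queue.append(dep)
    return owned


def recovery_loops(accounts):
    """Sets of accounts that recover through each other (A -> B -> A).
    A breach anywhere in the loop takes the whole loop."""
    loops = set()
    for start in accounts:
        path, cur = [], start
        while cur in accounts and cur not in path:
            path.append(cur)
            cur = accounts[cur]["recovers_to"]
        if cur == start:
            loops.add(frozenset(path))
    return loops


def audit(accounts):
    """Human-readable findings: loops first, then what each breached credential exposes."""
    findings = []
    for loop in recovery_loops(accounts):
        findings.append(f"recovery loop: {sorted(loop)}")
    for name, cfg in accounts.items():
        if cfg["breached"]:
            reach = sorted(blast_radius(accounts, name) - {name})
            findings.append(f"breached credential {name} also exposes: {reach}")
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding)
```

On the constructed inventory the breached backup address exposes the primary mailbox and the shop account, while the bank account survives only because it has MFA; that is the difference between one compromised password and a total lockout.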
There's more they could do, though. Using your compromised e-mail accounts, they can send infected files to every contact in your address book with a note like "hey, check this out and let me know." Your unsuspecting contacts open the attachment and may infect their unprotected computers, starting a chain reaction. Something like this has the potential to impact hundreds of people, their computers, personal information and sensitive assets.
It's never a good day when we have to tell a client there's not much we can do except offer advice on best practices: securing all her remaining accounts, checking her credit card statements, and placing a freeze on her credit with all three agencies. Sure, there are services on the dark web that will attempt to hack into an account for large sums of money, if you're willing to part with a month or two's salary, and with no guarantees. We could do the same thing, but as ethical hackers we live by standards and professional ethics, so we don't.
The lesson here is that all the major personal e-mail services provide security options for accounts, from multi-factor authentication to recovery accounts to downloadable recovery codes. Use them, and make sure the recovery account is at least as well protected as the account it is meant to rescue. The inconvenience is a tiny price to pay for securing the one place that knows almost everything about you.
And use good passphrases in lieu of passwords. Their strength comes from length: a passphrase of several randomly chosen words is far harder to brute-force than a short jumbled password, and easier to remember.
One last thing: NEVER use the same passphrase on more than one account! Use a different passphrase for every account; a password manager makes that practical. Yes, it's an inconvenience, but is it worth the risk? Ask our Jane Doe.
Ask us for free advice on how to protect the confidentiality, integrity and availability of your data. As part of the global cybersecurity community, we take our responsibilities and calling seriously and are happy to share our thoughts.
Oh, and we also know the hack of Jane Doe's accounts was done by people in Vietnam. Like the Russians, they're not our friends.