
How-To Geek

How To Recover After Your Email Password Is Compromised


Your friends are reporting spam and pleas for money originating from your email account and some of your logins aren’t working; you’ve been compromised. Read on to see what to do right now and how to protect yourself in the future.

A compromised password is serious business. A security breach at a minor service you use can jeopardize your more serious accounts if you use weak passwords (or even the same one) across all of them, and a security breach at a core service like your email account means it is time to batten down the hatches and get your passwords under control.

This guide is full of useful tips for anyone who has to deal with the fallout of a leaked password, but we’ll be focusing specifically on dealing with the mother of all compromises: a compromised email account. Once someone has control of your email account they can easily gain control of the dozens of other services you use since, for better or worse, email functions as a major key to the castle and qualifying identifier.

Secure Your Email Account


The absolute first thing you need to do at even the slightest hint that something is amiss is to lock down your account. The second your friend calls you and says “I just got an email from you claiming you’re in London and need me to wire you money” you need to get on your computer and get to work.

Resetting/recovering your password. You may need to reset or recover your password. The process varies from email service to email service but we’ve gathered up the reset links for three popular email services here to help speed the process along if you’ve found this article via a panicked Google search. You can find the forms for Gmail, Hotmail, and Yahoo! Mail here. All three of the aforementioned services have an option for you to specify not just that you forgot your password but that you believe your account has been compromised.

Change your password to something completely different from your previous password. Make it a combination of alphanumeric characters and, if need be, temporarily write it down. The important thing is that you secure your email immediately with a strong password. While you are still logged into your email account, complete the following steps.

Enable two-factor authentication. Not every email service offers this feature, but if yours does, turn it on. You likely won’t keep it on forever (two-factor verification is kind of a hassle) but while you’re in lock-down mode and attempting to get everything under control it’s nice to know that someone would need to, for example, have access to your mobile phone and your password in order to gain access to your email account. You can read about two-factor authentication for Gmail here.

Go through your email settings with a fine-tooth comb. In addition to changing your password and setting up two-factor authentication you need to go through the settings on your email account to make sure nothing is out of the ordinary. Here are several things you need to look at:

  • Check your recovery email and ensure that it is set to an email address you control.
  • Check your password hints and replace them with fresh questions only you know the answer to.
  • Check your email forwarding settings to ensure that whoever compromised your email hasn’t set it up so that all your future email is forwarded to a third party.

Regarding password hints: password recovery systems based on hints are notoriously easy to defeat as it isn’t particularly difficult to get basic information about a person like where they were born, what their cat’s name is, etc. (thank you frivolous Facebook quizzes). One easy way to radically increase the strength of hint questions is to make them about someone other than yourself. Answer the questions as though you are your father, a character in a comic book or novel you love, or any other third party that you have a significant degree of knowledge about.

Don’t neglect these three steps and make sure to look at all the settings on your email account to make sure there are no surprises tucked away!

Change Every Password Associated with Your Email Address


Email addresses function as the proverbial keys to the castle. If someone has access to your email account they also have access to nearly everything else you’ve ever used your email account for—your iTunes login, your Amazon.com account, your credit cards and banking institutions, social media accounts, discussion forums and so on. Now is the time to start changing passwords. We realize this isn’t fun and we realize it’s time consuming if you have lots and lots of accounts. The upside is that once you do it, you’ll have effectively inoculated yourself against this misery in the future.

Get a password manager. Not everyone uses a password manager and lots of people have their reasons for not doing so including “I’ve got a good memory”, “I don’t trust password managers”, “I’ve got some straight up KGB algorithm in my brain to generate new and awesome passwords”, etc. We’ve heard it all before. If you want to play the “I’ll memorize all my passwords” game, that’s fine. You simply won’t have as strong and varied passwords as someone who uses a password manager. Not using a password manager is like refusing to use a calculator and solving all math problems long hand; there’s no good reason to forgo using a calculator and there’s no good reason to stick to juggling passwords in your head when there are better alternatives.

Whether you use LastPass, KeePass, or another respectable password manager that integrates with your web browser (and thus decreases your resistance to using it), you’ll have a system that allows you to use extremely strong and unique passwords for each distinct login.

Search your email for registration reminders. It won’t be hard to remember your frequently used logins like Facebook and your bank, but there are likely dozens of outlying services that you may not even remember you use your email to log into.

Use keyword searches like “welcome to”, “reset”, “recovery”, “verify”, “password”, “username”, “login”, “account” and combinations thereof like “reset password” or “verify account”. Again, we know this is a hassle, but once you’ve done this with a password manager at your side you have a master list of all your accounts and you’ll never have to do this keyword hunt again.
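The keyword hunt above can be scripted. The following is an added example (not code from the original article) that runs the article’s keywords over a small set of constructed sample messages and groups the hits by sender domain, which gives you the list of services to visit. The messages are made up for this example; to run it on your own mail you would feed it the raw messages from an export such as an mbox file instead of `SAMPLE_MAILBOX`.

```python
import email
import email.utils
from email import policy

# The article's keyword hints. Compound searches such as "reset password" are
# covered because each individual word already matches.
KEYWORDS = ("welcome to", "reset", "recovery", "verify", "password",
            "username", "login", "account")

# Constructed sample messages in RFC 5322 text form (not real mail).
SAMPLE_MAILBOX = [
    "From: noreply@shop.example.com\n"
    "To: me@example.org\n"
    "Subject: Welcome to ShopExample!\n"
    "Date: Tue, 14 Jun 2011 10:01:00 +0000\n"
    "\n"
    "Thanks for registering. Your username is me@example.org.\n",

    "From: Bank Example <alerts@bank.example.com>\n"
    "To: me@example.org\n"
    "Subject: Your account statement is ready\n"
    "\n"
    "Log in to view your statement.\n",

    "From: forum-admin@forum.example.net\n"
    "To: me@example.org\n"
    "Subject: Reset password request\n"
    "\n"
    "Click the link below to reset your password.\n",

    # A newsletter with none of the keywords, to show that it is filtered out.
    "From: editor@news.example.com\n"
    "To: me@example.org\n"
    "Subject: This week's headlines\n"
    "\n"
    "Here is what happened this week.\n",
]


def find_registrations(raw_messages, keywords=KEYWORDS):
    """Map sender domain -> list of (subject, matched keywords) for every message
    whose subject or plain-text body contains at least one keyword."""
    found = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg.get("Subject", ""))
        body_part = msg.get_body(preferencelist=("plain",))
        body = body_part.get_content() if body_part is not None else ""
        haystack = (subject + "\n" + body).lower()
        hits = [k for k in keywords if k in haystack]
        if not hits:
            continue
        _, addr = email.utils.parseaddr(str(msg.get("From", "")))
        domain = addr.rsplit("@", 1)[-1].lower()   # "alerts@bank.example.com" -> "bank.example.com"
        found.setdefault(domain, []).append((subject, hits))
    return found


def services_to_review(raw_messages):
    """Sorted, de-duplicated list of sender domains to check in your password manager."""
    return sorted(find_registrations(raw_messages))


if __name__ == "__main__":
    for domain, entries in find_registrations(SAMPLE_MAILBOX).items():
        for subject, hits in entries:
            print(f"{domain}: {subject!r} (matched {', '.join(hits)})")
    print("services to review:", services_to_review(SAMPLE_MAILBOX))
```

Sender domains are only a starting point (a service may mail you from a third-party domain), so treat the list as a checklist to confirm in the password manager rather than a complete inventory.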


Use strong passwords. If you’re using a good password manager this won’t even be an issue. LastPass, for example, has a built in password generator. A click of a button is all that it takes to generate a password like “Myy0vNncg6dlYrbhVjo1”; add in another click and you can easily associate that extremely strong password with the account.

If you’re not using a password manager there are still some hard and fast rules you should live by when it comes to manually generating strong passwords:

  • Passwords should always be longer than the minimum the service allows for. If the service in question allows for 6-20 character passwords go for the longest password you can remember.
  • Do not use dictionary words as part of your password. Your password should never be so simple that a cursory scan with a dictionary file would reveal it. Never include your name, part of the login or email, or other easily identifiable items like your company name or street name. Also avoid using common keyboard combinations like “qwerty” or “asdf” as part of your password.
  • Use passphrases instead of passwords. If you’re not using a password manager to remember really random passwords (yes, we realize we’re really harping on the idea of using a password manager) then you can remember stronger passwords by turning them into passphrases. For your Amazon account, for example, you could create the easily remembered passphrase “I love to read books” and then crunch that into a password like “!luv2ReadBkz”. It’s easy to remember and it’s fairly strong.
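The three rules above can be turned into a checker you run against a candidate before you commit to it. This is an added example, not code from the original article: it reports which of the rules a password breaks (too short, built from dictionary words, contains a keyboard run, or contains personal details such as your name or the local part of your email address). The wordlist and the sample inputs are constructed for the example; a real check would load a full dictionary file.

```python
import re

# Constructed mini wordlist standing in for a real dictionary (assumption: in practice
# you would load something like /usr/share/dict/words or a password-cracking wordlist).
COMMON_WORDS = {"love", "read", "books", "password", "welcome", "summer",
                "dragon", "monkey", "letmein", "football"}

# Keyboard sequences the article warns about, plus a few common variants.
KEYBOARD_RUNS = ("qwerty", "qwertz", "azerty", "asdf", "zxcv", "1234", "4321")


def _alpha_chunks(password):
    """Runs of letters, lowercased: '!luv2ReadBkz' -> ['luv', 'readbkz'].
    Checking whole runs (not substrings) keeps the crunched passphrase from being
    flagged while 'I love to read books' still is."""
    return [c.lower() for c in re.findall(r"[A-Za-z]+", password)]


def check_password(password, min_len=12, personal=()):
    """Return the list of article rules that `password` breaks (empty list = passes).

    `personal` holds the things the article says must never appear: your name,
    login, email address, company or street name. Entries are split on '@', '.'
    and whitespace so an email address is checked by its local part and domain."""
    problems = []
    lowered = password.lower()

    # Rule 1: longer than the service minimum (12 used here as an example floor).
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Rule 2: no dictionary words.
    for chunk in _alpha_chunks(password):
        if len(chunk) >= 3 and chunk in COMMON_WORDS:
            problems.append(f"contains dictionary word '{chunk}'")

    # Rule 2, continued: no keyboard runs.
    for run in KEYBOARD_RUNS:
        if run in lowered:
            problems.append(f"contains keyboard run '{run}'")

    # Rule 2, continued: nothing personally identifiable.
    tokens = {t for item in personal for t in re.split(r"[@.\s]+", item.lower()) if len(t) >= 3}
    for token in sorted(tokens):
        if token in lowered:
            problems.append(f"contains personal detail '{token}'")

    return problems


if __name__ == "__main__":
    # Constructed candidates: the article's generated password, its crunched
    # passphrase, the raw passphrase, and two deliberately weak examples.
    for candidate in ("Myy0vNncg6dlYrbhVjo1", "!luv2ReadBkz", "I love to read books",
                      "qwerty123", "Jason2011Acme!"):
        verdict = check_password(candidate, personal=("Jason", "jason@acme.example"))
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Passing this check does not make a password strong on its own (a substitution such as “luv” for “love” is an obvious guess for cracking tools), so use it as a floor for hand-made passwords and let the password manager generate the rest.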

Practice Good Password Hygiene Going Forward


It’s really easy to slip back into bad habits once the shock of a security breach has passed. Call it the dentist effect: you floss and brush like mad before the dentist, you promise yourself you’ll floss and brush after the visit, and three weeks later you find yourself falling asleep on the couch watching Archer with a mouthful of gummy bears.

Staying on top of password management is important and when done correctly protects you from the agony of having to do all this password fixing again (or, worse, losing significant sums of money or becoming embroiled in a legal battle because of what was done with your compromised account). Here’s what you need to do going forward with your old and new accounts:

Always use a unique password for each service. Think of this policy like having fire suppression systems in every room of a building. If Lab 223 catches fire it doesn’t take the whole structure with it. If someone hacks a game site you visit they won’t also have access to your email (or any other logins associated with your email address).

Change your passwords. Don’t be resistant to changing your passwords. If you use your email a lot at public Wi-Fi spots, internet cafes, etc. then you need to change it frequently, as you are using it in locations where it can be easily sniffed, key logged, or otherwise compromised. If you use a master password manager this process is less painful, as you really only need to remember a strong password for the password manager and a strong password for your email (everything else can be managed by the password manager).

Do not store your passwords insecurely. However you store your passwords, do not store them insecurely. If you write them down on a notebook lock it in your firesafe. If you keep them in a password manager, use a very secure password for that manager. If you keep them on your computer in a text document then you must encrypt that text document and not simply leave it in your My Documents folder. Your password list, however it is stored, is the passport to your digital life.

Do not transmit passwords insecurely. This is a combination of the previous rule and the next rule. Do not email yourself a plain text file of your passwords. It’s the equivalent of writing your passwords on a postcard and mailing them. Anyone who touches the postcard in transit can easily read the passwords. Never email or instant message your passwords for any reason.

Do not share your password. As well as not sharing your password between services, don’t share your passwords with other people. Your friends don’t need to know your password, your boss doesn’t need to know your password, and no legitimate company employee from Google or Bank of America is ever going to call you up or email you and ask for your password. Your default stance on password sharing should always be “No.”


At this point, if you’ve followed along, you have a set of unique, strong, and well managed passwords. You have one final task. Pull up your contact list and send an email to all the people who you previously spammed with “Help, I’m stuck in London and have no money…” messages and email them a link to this article. There’s a good chance that, like you were, they’re one bad break away from a password nightmare.

Jason Fitzpatrick is a warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 06/14/11

Comments (22)

  1. NB

    This is a very good article :)

    Just yesterday, a friend of mine on Facebook sent me a message saying he has my password.
    I didn’t believe him,
    but then he showed me all the characters; it was like WTF!
    I asked myself, how did he do that?
    So I logged on to all my web accounts and changed all my passwords..
    The good thing is, he didn’t touch anything in the email account he knew.
    But for me, all the information is in that email, in the inbox…
    I think I have to remove all the messages from my email accounts…

  2. The Unspoken

    Your friend had your password….

    Do you and your friend share Wifi? Do you store your passwords in your browser?

    The second question is a good security practice as long as your friends are not sneaking around your house and getting on your computer to see your passwords.

    If you share wifi, or your wifi is unsecured or even WEP, your friend could have easily gotten your password if he is even a little geeky.

    Good idea on changing all your passwords though.

    Want to really secure your home computer? Check this out (hopefully HTG is ok with this):
    Microsoft Security Baseline Analyzer – http://technet.microsoft.com/en-us/security/cc184924

    Nessus would be another analyzer for the more tech savvy :)

  3. PiRhAnAs

    Facebook is the best way to protect your e-mail and other accounts you use..
    Since it’s really easy to recover a compromised Facebook account, you can just use your Facebook mail address as a recovery address in your other e-mail accounts.. that way, when you get stolen, you can recover them easily.. I once lost all my accounts including my Facebook, and it was really hard to recover them all.. and now I have linked everything to my FB account, and I’m not afraid of being stolen..

  4. dragonbite

    After I got my Google account compromised, I set up the 2-step verification with my cell phone.

    Now I have an “application password” specified for each of my computer systems (so if I can tell which password is used to mess up my account, I know which system is compromised) and I have the “Secure Login Helper” (Chrome) extension to automatically redirect to SSL login pages if possible.

  5. Jeremy

    I’ve never taken the time to figure out if password managers are safe or not (though I suspect not). In the end, if I have all my passwords in an encrypted file on my computer (using generic encryption), I don’t really see the need anyway.

  6. snert

    I had several of my social network accounts ripped. My fault, I used the same password. Some idiot raised major hell until I jumped through burning hoops to get them back. The idiot pissed all over my friends. (And I can’t hunt the idiot down and beat the hell out of ‘em! Dammmit!)
    Now ALL my passwords are 16 characters long, each and every one different, and I use the Cyrillic alphabet. A bit of a hassle but secure, I hope.

  7. NELSON GILLIS

    I had my passwords stolen and it took me 3 weeks to straighten things out. I thought I had strong passwords now but I know I don’t. Thanks for helping me out.

  8. Sachin Kumar

    I use the LastPass software for passwords; it is a very good password manager and it’s free.

  9. Rich

    While the article addresses the issue of someone gaining access to your email via discovery of the password, it doesn’t address the situation of someone merely using your email address to send out spam, albeit not from your email account. I would like to see an article about that.

  10. kn0w

    You might try answering those password hint questions with something that makes no sense to anyone else: “What city were you born in?” Ice Cream Sandwich (I wish I was born in an ice cream sandwich!)

  11. bobo

    It’s not about the password itself… there are thousands of ways they can get to know your passwords… it’s about what comes after that: recovering your stolen account… a lot of people forget their recovery information after they register an account.. that’s the biggest problem..

  12. Arun

    The problem doesn’t end there. If there is a keylogger installed, however hard you try to replace the password with a new one, it seems useless as the new password is also transmitted to the hacker. I think we should also add here to check whether there is a keylogger installed on your computer and then do the rest of the process as mentioned above.

  13. kzinti1

    I’m thinking about buying a “Yubikey” to use with LastPass but I’m worried about losing this device.
    Are they worth the hassle and are they reliable? I’d really hate to be locked out if I lost the key or it somehow failed to work. Have any of you used these things before?

  14. jumper

    I followed the steps to get my Yahoo account back, but when I receive the password reset e-mail in my alternate account and change the password it still says incorrect username or password. I have now given up on ever recovering that account and I no longer use Yahoo. This all started when I logged into a Yahoo chat room and someone told me they liked my Yahoo username; I guess they were just not creative enough to come up with a good username and decided to take mine :( .

  15. Ajwad

    I think it’s better to use the Firefox browser and sync them using the “sync” utility that’s already built in.. you can sync passwords, bookmarks, etc…

  16. jim

    This article missed the major point. The most likely reason your friends are receiving email that looks like it is coming from you is because there is a SpamBot (Spam Robot) virus on your PC that is sending out the spam email from *your* PC whenever it is on and connected to the net. It is using your account because your account is logged into the PC.

    You need to *remove that virus from your PC*

    Even if you change your password, the virus can keep running.

  17. Dean

    How do you do that Jim? I get spam in my Junk box that purports to come from me. I’ve changed my password and run AVG and Malwarebytes but the rubbish still appears from time to time.

  18. Drmbu

    This article is very good. But I have a question on this which I think is not discussed yet. What about ‘logging into email or Facebook through various applications or web sites’? There are some programs and sites which ask for email/social network user & pass to query for friends or to post messages. Are these programs trusted enough, and if so how can we verify that? And can sharing login info through these programs compromise my accounts? What do you guys think? Please reply..

  19. anton ho

    Facebook login password

  20. luis

    Hello! My name is Luis, one question?
    - How can I do something on the PlayStation 3?
    - It’s that I want to do something on the PlayStation 3: how do you set a password that the PlayStation asks for when you turn it on?

  21. luis

    3

  22. sibel

    My Facebook was stolen and I want to reset it but I don’t know how it’s done; could you help me? :?:(
