20 replies to this topic

[Lose Remerswaal]

does that mean my e-mail account has been hacked?

I know when I got bouncebacks from random addresses, my account was spoofed, but spam was sent to everyone in my address book. I can apologize for that, of course, but should I be worried that someone was in my account and may have gotten account numbers, SS numbers, passwords, and the like?

I do keep many e-mails in the inbox (old and new), in an unread state, and none of them are showing that they've been read (sure, someone could take the time to change each one back to "unread", but that would be a shitload of effort.

I've already changed the password on the account, and I'm keeping a close eye on my credit cards and bank accounts.

I do use the e-mail password on many less important sites (message boards, password protected news sites, etc), so if the hacker actually knows my password, that could end up being a huge effort to change them all.

Or is it likely they just wanted to use my account to spam everyone?

[mt8thsw9th]

My guess is you had a really common password (or your password was phished somewhere), and a bot used it to send spam. It's good that you're checking your accounts, but you should be fine with a password change.

[glennhoffmania]

That's what I did and it didn't happen again.

[Lose Remerswaal]

My guess is you had a really common password (or your password was phished somewhere), and a bot used it to send spam. It's good that you're checking your accounts, but you should be fine with a password change.

it's a compound word -- 9 letters, two merged words that form a word not in a dictionary. All lowercase, no symbols, yadda yadda, been using it forever. Already changed.

[AlNipper49]

You have a keylogger on your computer somewhere.

[Dernells Casket n Flagon]

Do you use the password on other websites? Could have been hacked there.

Was the e-mail gmail? They keep track of recent IPs that have logged in, you may want to check if any look strange.

[Seven Costanza]

This happened to my parents yesterday actually. I immediately told them to change passwords to everything, but suggested that they do that on a computer different than the one we suspect is infected. What's the best way to get rid of a keylogger? Just run all sorts of anti-virus shit? I'm going to suggest that they never do any financial stuff on that computer again and use another one in the house from here on forward. Is that too extreme?

[mt8thsw9th]

Yeah, I would also check out something like Malwarebytes to check if there's anything malicious on your computer that is causing this to happen. 9 times out of 10 it can be fixed with a password change, but there still is a chance that what phished your password did so by logging all your keystrokes.

[AlNipper49]

Before malwarebytes I always run rkill and combofix

The order of and what to run is a deep religious debate with the guys at my work

[Dernells Casket n Flagon]

This happened to my parents yesterday actually. I immediately told them to change passwords to everything, but suggested that they do that on a computer different than the one we suspect is infected. What's the best way to get rid of a keylogger? Just run all sorts of anti-virus shit? I'm going to suggest that they never do any financial stuff on that computer again and use another one in the house from here on forward. Is that too extreme?

Best way is to re-install the OS.

[Lose Remerswaal]

Do you use the password on other websites? Could have been hacked there.

Was the e-mail gmail? They keep track of recent IPs that have logged in, you may want to check if any look strange.

Hotmail. Same password is used at quite a few websites.

Could be from either one of 2 home computers or work PC. So far no other accounts or websites appear to have been touched.

We have pretty good anti-virus on both our home sets, and at work, too.

Edited by Lose Remerswaal, 29 December 2011 - 04:22 PM.

[AlNipper49]

Lose, the spammers like to prey on the elderly. Sorry.

[EddieYost]

The order of and what to run is a deep religious debate with the guys at my work

Are you the boss? If so just tell them what order to run stuff. Problem solved.

[Lose Remerswaal]

Lose, the spammers like to prey on the elderly. Sorry.

LOL.

I never should have let my wife use my machine to go to Rue La La

[AlNipper49]

Are you the boss? If so just tell them what order to run stuff. Problem solved.

The problem with that equation is that I'm an idiot

[EddieYost]

The problem with that equation is that I'm an idiot

Well then give it to whichever of your minions sucks up the most.

[Kull]

Before malwarebytes I always run rkill and combofix

The order of and what to run is a deep religious debate with the guys at my work

Anybody that would run malwarebytes before rkill is a fucking heretic and should be burned at the stake.

[Gambler7]

Hotmail. Same password is used at quite a few websites.

This was likely the issue, had the same thing happen to me months back. They had hacked another website where I used the same login and password as my email. Since then I make sure I use a completely different password for my email addresses than I do for any other site (and also added the phone verification on gmail) and have not had an issue since.

[Sausage in Section 17]

So I am having the same thing happen with my Hotmail, but when I reset the PW and then try to link back to my inbox, I am getting warnings saying that the security certificate of the site I am trying to visit is not authentic or something like this.

Where do I go from here? If after resetting the PW, I am still feeling like somthings amiss, how can I contact Hotmail without feeling like anything I'm telling them (like my new or old PW's) isn't ending up in the hands (files) of the hackers?

[Blacken]

Passwords suck. They stink and they suck. But we're stuck with them for a number of reasons, for worse or worse.

The best way I've found to protect yourself is to use a password generator or something. I use mSecure (https://msevensoftware.com) and I see 1Password recommended a lot as well. mSecure runs on Windows, Mac, iOS, and Android, and is a pretty decent way to keep track of randomly generated passwords for every site/service you visit--it can also sync from device to device, either over your wireless network or via Dropbox (the password file is secured with symmetric encryption, the key to which is never stored anyway--it's the only password you have to remember). I thought it'd be a pain in the ass to use mSecure when I started, but it quickly became second nature to go to the mSecure app on my laptop or my phone and get the password before opening Bank of America or whoever. It's probably worth looking into if you're worried about one website getting compromised and opening up all your stuff--generally easier than remembering 1,000 passwords.

[czar]

Passwords suck. They stink and they suck. But we're stuck with them for a number of reasons, for worse or worse.

The best way I've found to protect yourself is to use a password generator or something. I use mSecure (https://msevensoftware.com) and I see 1Password recommended a lot as well. mSecure runs on Windows, Mac, iOS, and Android, and is a pretty decent way to keep track of randomly generated passwords for every site/service you visit--it can also sync from device to device, either over your wireless network or via Dropbox (the password file is secured with symmetric encryption, the key to which is never stored anyway--it's the only password you have to remember). I thought it'd be a pain in the ass to use mSecure when I started, but it quickly became second nature to go to the mSecure app on my laptop or my phone and get the password before opening Bank of America or whoever. It's probably worth looking into if you're worried about one website getting compromised and opening up all your stuff--generally easier than remembering 1,000 passwords.

I recommend this route as well if you are comfortable with it. So you'd have another alternative, I use KeePass-- it also generally performs the same tasks Blacken outlines here (in addition to the two mentioned). 1Password used to be Mac-only, but I see they've diversified to iOS and Windows in the last year or so.

EDIT: The other nice thing is that even though you are using one password, you can still be protected a couple different ways (I sometimes get asked "but now you only have ONE password protecting everything). I sync it between my computers/phone via Dropbox and use a "key" file to open the database which is stored locally on each individual machine. If people are in possession of my laptop, they'd have to get through the password to the computer and then find the key file and then get the password to the database right. If they remotely look for it, they have to crack into Dropbox, then the database password, but then figure out a way to get around the file key requirements.

Software like that mentioned above also makes it tremendously easy to change passwords for financial institutions, etc. every few months as well, in the event someone picks up an individual password (via keylogger, etc.)

Edited by czar, 03 January 2012 - 08:55 AM.