Cleaning Up a Hacked E-mail Account

Many people use free e-mail accounts; in fact, you might say almost all of us do. Free e-mail accounts are easy to get and handy to have, but lately there has been a consistent pattern of e-mail accounts being hacked. This is becoming very common, and I have been asked so many times what to do when an account is hacked that I decided to write down my suggestions for getting things cleaned up.

Before I begin, let me just say that these instructions are not meant to be a final solution that is guaranteed to protect you against future attacks. They are suggestions for things that will improve the security of your account and make it more likely that you have cleaned the attacker's changes out of it.

1. Change your password to a new temporary password.
Your new password should be at least 10 characters long (longer is better, though check how long your e-mail service will allow it to be) and should not contain any words. Don't take a word and just change a letter into a number, like turning "Password" into "Pas5word"; those substitutions are already on the lists attackers try. The best thing to do is to use a random set of characters. Mashing keys on the keyboard does not produce a random password either; you need a password generator to get something close to true randomness. You can use something like the Secure Password Generator from Symantec to generate one. This is a temporary password, so it does not need to be easy to remember. We will change the password again later, once everything has been cleaned out.
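As an added illustration (not part of the original post, and not the Symantec generator it mentions), the script below shows what a proper generator does differently from "typing on the keyboard": every character is drawn from the operating system's cryptographic random source, and the resulting entropy is computed so you can see why 10 or more random characters beats a word with a digit swapped in. The dictionary-word check undoes common digit and symbol substitutions, so "Pas5word" is rejected just like "Password". The word list and substitution table are constructed for the example; a real checker would load a full dictionary.

```python
import math
import secrets
import string

# Character set the generator draws from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real dictionary (assumption: a real checker loads a word file).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}

# Digit/symbol-for-letter substitutions that cracking tools already try ("Pas5word").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def generate_password(length: int = 16) -> str:
    """Build a password from independent, uniformly random characters.

    secrets.choice uses the OS CSPRNG; random.choice is seeded from the clock
    and is predictable, so it must not be used for passwords.
    """
    if length < 10:
        raise ValueError("use at least 10 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def contains_dictionary_word(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is or contains a dictionary word, even after undoing
    substitutions like 5->s and @->a, so 'Pas5word' and 'P@ssw0rd' both fail."""
    normalized = password.lower().translate(LEET_MAP)
    return any(word in normalized for word in words)


def is_acceptable(password: str) -> bool:
    """The post's two rules: at least 10 characters and no dictionary words."""
    return len(password) >= 10 and not contains_dictionary_word(password)


if __name__ == "__main__":
    for candidate in ("Pas5word", "P@ssw0rd!!", generate_password(12)):
        print(f"{candidate!r:16} acceptable={is_acceptable(candidate)}")
    # A 10-character uniformly random password from 94 symbols is ~65 bits;
    # 16 characters is ~105 bits. A word plus a digit swap is a few bits at most.
    print(f"10 random chars: {entropy_bits(10):.1f} bits")
    print(f"16 random chars: {entropy_bits(16):.1f} bits")
```

The entropy figure only holds when every character is chosen independently by a CSPRNG, which is why the generator, not the keyboard, has to pick them.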

2. Change the password for anything else using the same password or using this e-mail address as the “Forgot My Password” e-mail.
If any of your other e-mail accounts, bank accounts, shopping accounts, Facebook, Twitter, etc. use the same password as your e-mail, you need to change them too. Also, if the hacked e-mail address is the recovery address for any of your other accounts, change those passwords as well, because the attacker could have used the "Forgot My Password" link to retrieve or reset them. You should not use the same password for multiple sites; make a different password for each place. If you go to log into one of your other accounts and your normal password no longer works, notify the company so they know that your account may have been compromised.

3. Check your e-mail account settings.
Check the settings in your e-mail account to make sure that no new alternate (recovery) e-mail addresses have been added. Also, check that none of your other information has been changed, for example:

  • Your password reminder questions
  • Your phone number
  • Your address or other personal contact information
  • Your vacation or “out of the office” auto-responder
  • Your filters or rules for sorting messages (attackers sometimes set up a filter so that incoming mail goes directly into the trash or another folder, so you won't see people replying to say that you've been hacked)

4. Check your sent messages.
Check your sent messages to see who the attacker contacted. Contact those people and let them know that the message they received was an attack and that they should not click on any links or open any attachments in it.

5. Make sure your software is up-to-date.
Check for updates to your browser, e-mail program, operating system, etc. Make sure everything is up-to-date so that you have all of the available security patches installed.

6. Install virus protection or update your virus protection.
If you do not have virus protection installed, install it now. You can get free virus protection from places like AVG Free. AVG also has a paid service, as do Symantec (Norton) and others. If you already have virus protection installed, open it and make sure it is up-to-date.

7. Run a full virus scan of your computer.
This may take a long time, so it’s best to run it overnight when you will not be using the computer for several hours.

8. Check with your e-mail provider.
Your e-mail provider may have a specific set of instructions or a checklist for you to follow to make sure your e-mail is clean and secure. Here are links to a couple of the most popular ones:

9. Consider adding a secondary check for logging into your account.
Many e-mail providers offer a second check at login. For instance, Yahoo will notify you via SMS when you log in from a different location than normal. Gmail will allow you to set up a two-step login process so that you have to enter a code that they text to you in order to log in.

10. Change your password again.
Even though you changed it at the beginning of this process, we want to change it again now that everything has been cleaned out, safeguarded and updated. If malware on your computer captured the temporary password before the scan removed it, this final change locks the attacker out again. As in Step 1, the password should be at least 10 characters long and should not contain any words; random is best.