Ramblings of a Tampa engineer

So I've come across another email case. A friend of mine had the password for their Yahoo email account stolen. Within minutes their Gmail account was also compromised, and the passwords on both accounts were changed. Hope seemed lost, and this post outlines the procedure I used to regain possession of both accounts.

Step 1 - The damage

  • At this point you've noticed the damage. Your email account has sent SPAM to every address in your contact list. This is bad, but it is not the thing to worry about right now. Regaining control of the account is the top priority.
Step 2 - Setting boundaries
  • You need to restore password protection. There are several ways to recover a password:
    • Recovery Method (via alternative email)
    • Security Questions
    • Phone Reset
  • All of these methods can also be used against you. So before changing the password of your account, make sure the recovery email doesn't point to a compromised mailbox and that it is set to an email account you recognize.
  • Security Questions are nasty little buggers, because sometimes they can be changed, which means the hacker could have modified them. Always check that you know your security questions, and if in doubt, re-make them.
  • Some email services (Gmail) offer 2-step authentication. This requires every login from a new computer to be verified with a code sent to the phone number on file. Because it is a second step after the password, it nullifies these attacks: the attacker would also need to know the Security Questions to bypass this step.
Step 3 - Reset the pass
  • After following Step 2, the next part is to change the compromised password to a new, never-used password. The instant you change it, your attacker will try to get back into your account, and if you didn't follow Step 2 they might be able to regain entry.
Step 4 - The cleanup
  • Things to check
    • Forwarding. Are your emails being forwarded elsewhere?
    • Reply-To. Has the Reply-To field been changed to some email address that isn't yours? This is a clever technique used by hackers.
    • Signature modification. Did the attacker modify your signature to reflect something you don't support?
    • Sent mail. Always check the Sent Mail folder. Most hackers will purge it, but those who don't leave a nice trail to follow.
    • Credit cards, etc. Call all the companies that matter to you. Ask whether any of your information or plans were changed in the past 72 hours.
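As an added illustration of the Reply-To and Sent Mail checks above (this is example code, not part of the original post), here is a small audit over a constructed "Sent Mail" folder. It flags messages whose Reply-To points away from the account owner and messages fanned out to many recipients at once; the recipient threshold is an assumption.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed sample of a "Sent Mail" folder, as raw RFC 822 messages.
SENT_MAIL = [
    """From: Alice <alice@example.com>
To: Bob <bob@example.com>
Subject: Lunch
Date: Mon, 01 Jan 2024 09:00:00 +0000

See you at noon.
""",
    """From: Alice <alice@example.com>
Reply-To: alice.support@mail-drop.example.net
To: bob@example.com, carol@example.com, dave@example.com
Cc: erin@example.com, frank@example.com
Subject: Check this out!
Date: Mon, 01 Jan 2024 09:05:00 +0000

http://example.invalid/offer
""",
]

# Assumption: a single send to this many addresses is worth a look.
MASS_MAIL_THRESHOLD = 5


def audit_sent_message(raw):
    """Return a list of findings for one sent message (empty = nothing suspicious)."""
    msg = email.message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Step 4 check: a Reply-To that sends replies somewhere other than the owner.
    if reply_to and reply_to != sender:
        findings.append(f"reply-to-mismatch: {reply_to}")
    # Step 4 check: one message blasted to a large part of the contact list.
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
    if len(recipients) >= MASS_MAIL_THRESHOLD:
        findings.append(f"mass-mail: {len(recipients)} recipients")
    return findings


def audit_sent_folder(messages):
    """Map message index -> findings, keeping only messages with at least one."""
    return {i: f for i, f in ((i, audit_sent_message(m)) for i, m in enumerate(messages)) if f}


if __name__ == "__main__":
    for idx, findings in audit_sent_folder(SENT_MAIL).items():
        print(f"message {idx}: {', '.join(findings)}")
```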
Step 5 - Prevention
  • Separate passwords for your different main accounts (one password for social networking sites, one for bank sites, one for game sites, etc.).
  • Up-to-date virus protection on your computer.
  • Common sense, so you don't fall for classic spoof / spam emails.