How my Email Account got Hacked
First and foremost, I would like to deeply apologize to everyone who has received weird emails seemingly from my old email address [email protected].
At the end of February this year a digital nightmare happened to me: my email account got hacked. This blog post is an open letter of apology to all people affected by this incident. I will describe what happened, what you can do to prevent such things from happening and why people still receive spam emails seemingly from my email address.
How it Went Down
I have an old email address which I have not been using for 5+ years at a large German email provider (GMX) and suddenly I received an email from my old email address! That seemed quite suspicious and shortly thereafter I received a bunch of “Mail Delivery Failure” emails from other mail servers. I rushed to the email provider and immediately changed the login password of my email address. Then I tried to find a list of logged-in devices similar to how Google lists recent account activity, but unfortunately that feature did/does not exist. Rather unhappy, I at least found a button with which I could close all open sessions (at least that's what it said). I pushed that button and thought I was safe now.
How the hackers got into my account
I started to check to whom emails were sent, but the sent folder did not contain any emails. The only hints I got were addresses listed in the “Mail Delivery Failed” emails I received from other mail servers. I checked my computer for viruses, but there were none, and if there had been then probably my current email address would have rather been hacked than the old, unused one. As I did not find any security issues of GMX in the news, the only plausible explanation was that I must have reused the email account password on some website I signed up for years ago and that site got hacked. Shame on me that I did not change the password!
What’s Still Happening
It seemed strange that the “Mail Delivery Failed” emails continued to arrive in my inbox. After a couple of hours they stopped and I did not notice any further suspicious activity within the next two weeks. But then, every other week I started to receive a whole bunch of “Mail Delivery Failed” emails yet again. I noticed that the emails were sent to people I had contacted with my old email address years ago and to other random email addresses.
The hackers do not send from my email account
I logged in to the mail provider and could confirm that the last login was by me. So the hackers were indeed not sending from my email account. I went to my inbox and checked the mail headers of one of the spam messages addressed to one of my other email addresses:
// ...
X-Original-Authentication-Results: mx.google.com;
    spf=softfail (google.com: domain of transitioning [email protected]
    does not designate 199.7.108.9 as permitted sender) [email protected]
// ...
Received: from web176.dnchosting.com (web176.dnchosting.com [199.7.108.176])
    by mx4.dnchosting.com (Postfix) with ESMTP id BF52723316;
    Tue, 7 Jun 2016 06:59:51 -0500 (CDT)
Received: from [187.19.174.240] (port=57044 helo=gfot.com)
    by web176.dnchosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.87)
    (envelope-from <[email protected]>)
    id 1bAFfi-003QEH-KG; Tue, 07 Jun 2016 06:59:51 -0500
// ...
Obviously, the sending mail server is not operated by GMX. The Sender Policy Framework (SPF) check notices that, but the message still gets delivered to the inbox (or to the spam folder). So just to be clear: there is a person pretending to send emails from my email address, there is SPF in place to detect that, but the email still gets delivered. How easy we have made it for spammers. There are actually historic reasons for this, but obviously this does not feel right, does it?
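The same header reading can be automated when you have many bounce or spam messages to triage. The following is an added example, not code from the original post: it pulls the SPF verdict, the relay chain and the submitting client IP out of a raw message. The sample message is constructed from the headers quoted above, and `old@provider.example`, the `From` line and the `analyze` function name are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above. The mailbox
# old@provider.example is a placeholder; the page redacts the real address.
RAW = """\
X-Original-Authentication-Results: mx.google.com;
 spf=softfail (google.com: domain of transitioning old@provider.example
 does not designate 199.7.108.9 as permitted sender)
Received: from web176.dnchosting.com (web176.dnchosting.com [199.7.108.176])
 by mx4.dnchosting.com (Postfix) with ESMTP id BF52723316;
 Tue, 7 Jun 2016 06:59:51 -0500 (CDT)
Received: from [187.19.174.240] (port=57044 helo=gfot.com)
 by web176.dnchosting.com with esmtpsa (Exim 4.87)
 (envelope-from <old@provider.example>)
 id 1bAFfi-003QEH-KG; Tue, 07 Jun 2016 06:59:51 -0500
From: A Contact <old@provider.example>
Subject: New message, please read

(body omitted)
"""

def analyze(raw):
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    report = {"from": address, "display_name": display_name,
              "spf": None, "rejected_ip": None}
    # The receiving server records its SPF verdict in one of these headers.
    for name in ("Authentication-Results", "X-Original-Authentication-Results"):
        for value in msg.get_all(name, []):
            verdict = re.search(r"\bspf=(\w+)", value)
            if verdict and report["spf"] is None:
                ip = re.search(r"does not designate\s+(\S+)", value)
                report["spf"] = verdict.group(1).lower()
                report["rejected_ip"] = ip.group(1) if ip else None
    # Received headers are prepended, so the list runs newest hop first.
    # Hops below the first server you trust can be forged by the sender.
    received = msg.get_all("Received", [])
    report["relays"] = [m.group(1).lower() for m in
                        (re.search(r"\bby\s+([\w.-]+)", r) for r in received) if m]
    origin = re.search(r"from\s+\[([0-9a-fA-F.:]+)\]", received[-1]) if received else None
    report["origin_ip"] = origin.group(1) if origin else None
    report["spoof_suspected"] = report["spf"] in ("softfail", "fail")
    return report

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```

A `softfail` or `fail` verdict together with relays that do not belong to your provider is the pattern to look for; the display name in `From` is chosen freely by the sender and proves nothing.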
The hackers also faked the sender name. They scanned all my emails.
To make things worse, the hackers have also started to fake the sender name. When sending emails, it is possible to associate a first and last name with the email address, and the hackers have replaced that with names of the people whom I have emailed or who have emailed me. That means that they must have scanned all emails they found in the old inbox and now use those as spam targets. And from a spammer's perspective that totally makes sense: my contacts would not expect to receive spam from me. Luckily, the emails look strange just like this one:
Hello!
New message, please read
Rushing, [email protected]!
I hope you have learned to not click on links in emails that look strange. If you did not know what a strange email might look like then here you have one. By all means, I would never send such emails!
What You Can Do If You Received Spam
The bad thing is: I have absolutely no control over the emails being sent! I can only watch my identity being abused. However, if you have received weird emails from my old address, you can safely blacklist “[email protected]”. I do not use that email address anymore and I have not in the past five years. So blacklist it right away. If you don’t know how, these links will get you started:
- Blacklist emails with Gmail
- Blacklist emails with Yahoo Mail
- Blacklist emails with GMX
- Blacklist emails with web.de
How You Can Protect Yourself
This section shows some actions you can take to better protect your accounts. As you can see, you can easily get hacked without your computer being infected, so take this very seriously!
1. Do not reuse your email login password
Do you reuse the login password of your email address at some other service? If you answered this question with yes, then you should change your email password right away.
2. Use a password manager
Personally, I use Dashlane (affiliate link, you get $20 in Premium if you sign up) as my password manager and am super happy with it. For several years now, I have logged in to most services with a password randomly generated by Dashlane. All my passwords are safely synced through Dashlane's servers. Dashlane even informs me when there are security incidents on the services I use. Still, for the most important services such as email, Amazon Web Services or Dashlane itself I memorize the password to be able to recover without Dashlane.
While I am happy with Dashlane, friends of mine are also happy with 1Password, LastPass or KeePass. Just find a password manager that suits your needs and stick to it. And most important: go change all your old passwords as well :-)
3. Set up multi-factor authentication (MFA)
As the name says, to authenticate with MFA you need two pieces of information: something you know (password) and something you have (i.e. a device). Once set up, every time you try to log in on a new device you will need to additionally authenticate with a one-time password generated by your MFA device. If I had set up MFA for my GMX account (… well, GMX does not support MFA, but any serious email provider does), the hackers would not have gotten into my account even if they had had the password. Now that is awesome!
To set up MFA, check out one of the following resources:
- MFA for your Google account
- Google Authenticator app to setup MFA for other services
- Authy app to setup MFA for other services
- MFA for your Facebook account
- MFA for your Dropbox account
- MFA for your Microsoft account
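To show why a leaked password alone is not enough once MFA is on, here is an added example (not code from the original post) of the time-based one-time password scheme from RFC 6238 that authenticator apps implement, together with a server-side check. The `login` function, its parameters and the demo secret are assumptions made for illustration; the secret is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the code depends on a shared secret and the clock."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def login(password_ok, submitted_code, secret_b32, now, step=30, drift_steps=1):
    """Accept only if the password matched AND the code fits the current step +/- drift."""
    if not password_ok:
        return False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, now + delta * step, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(SECRET, 59))                         # code shown by the device at t=59
    print(login(True, "000000", SECRET, 59))        # right password, no device
```

An attacker who obtained the password from a breached website passes the first check but cannot produce the current code without the secret stored on the device.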
Protect Yourself Now!
Don’t postpone again, go sort out your security issues now. Being hacked is really bad, as you don’t have control over what is happening. I don’t want this to happen to you as well!