[lug] Hacked e-mail accounts

Aaron Nichols anichols at trumped.org
Sat Nov 13 09:31:21 MST 2010


On Sat, Nov 13, 2010 at 8:54 AM, John Dollison <johndollison at hotmail.com> wrote:
> I've been advising my friends that everyone who clicked on a link sent from
> a hacked e-mail account should run a full system scan, in case the website
> tried to download any malware when they clicked on the link.  And I've been
> advising the victims that their best bet is to change their e-mail password
> and any other accounts that use the same password. Also, if they had any
> other passwords that were e-mailed to them (like if they registered for any
> online forums, shopping sites, etc.) then those will need to be changed as
> well, since the hacker could have read/scanned all their e-mails.

Another attack vector to consider is password recovery mechanisms.
These have been used pretty successfully in the past to attack
accounts. Using common information (often your only option) that can
be found on social networking sites means it's usually a lot easier
than actually cracking your password to just change it.

Suggestions for this are to use difficult-to-guess information,
append/prepend some suffix/prefix to the information so it's not the
real information verbatim, or use something completely random and
actually track your password information in something like KeePass.

In any case, if the account has been accessed, changing the password
recovery information is as important as changing the password.

Aaron
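As an added illustration of the "something completely random" approach to recovery answers described in the reply above (example code written for this page, not code from the thread; the word list and the profile facts are constructed, and a real setup would draw from a large published word list):

```python
import math
import re
import secrets

# Constructed word list; a real deployment would use a large diceware-style list.
WORDLIST = [
    "amber", "basalt", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "iris", "juniper", "kelp", "lagoon", "meadow", "nettle", "orchid", "pebble",
]


def random_answer(words: int = 4, wordlist=WORDLIST) -> str:
    """Random word-based answer: readable to a phone agent, not derivable from a profile."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def answer_entropy_bits(words: int, wordlist=WORDLIST) -> float:
    """Entropy of a `words`-word answer drawn uniformly from `wordlist`."""
    return words * math.log2(len(wordlist))


def _normalize(text: str) -> str:
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_guessable(answer: str, profile_facts) -> bool:
    """True if the answer is verbatim a fact someone could read off a social profile."""
    facts = {_normalize(f) for f in profile_facts}
    return _normalize(answer) in facts


def recovery_record(service: str, questions, words: int = 4) -> dict:
    """Build the note to paste into the password-manager entry for `service`."""
    return {
        "service": service,
        "answers": {q: random_answer(words) for q in questions},
        "entropy_bits_per_answer": answer_entropy_bits(words),
    }
```

The answers are deliberately not memorable; the password manager entry is the only place they live, which is the point of the suggestion.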


