Except of course I never had a hotmail account.
But I know a lot of people who do… and who also have yahoo accounts, gmail accounts, and probably other email accounts as well – which they only access via a web browser.
The real story title is: “Help me – my browser-based email has been hijacked!”
First step in the cleanup – triage. How bad is the damage?
If this is your primary account – the one which you use for everything (online banking, shopping, brokerage, insurance, social media and so on)… you’re potentially in very deep trouble. For most folks issuing the help-me message, this is their primary account.
Now, let’s find out just how bad this is… can you reset the password? You should do so, and ditch the easily-guessed password you were using. Here is one password generator; there are many others. But get clear of the easy passwords.
Next, check your webmail system for forwards – this is hiding in settings. Are you forwarding your emails anywhere? Do you recognize every account listed? If not, you have a substantial headache ahead, because your newfound pen-pal is reading all your mail… including the one just generated by the system which confirms you just changed your password. Next step – remove the unknown mail forward assignments… and change the password again.
Now comes the painful part – you need to immediately reach out and change every password on every site where you used the compromised account as your primary email contact. Remember – your secret pen-pal has the necessary codes to reset your accounts, and may already be doing so. If you can’t get in anywhere… start calling or using other methods.
Still feel that easy password was a good idea? You should use randomized passwords everywhere, and never the same one on multiple sites. (Easy for him to say, but if you read down the blog, you’ll see I went through the same exercise a few months ago, albeit for a different reason).
If you want to save this headache in the future, a good password is a good starting place. I tend to go one step further; my primary email is not accessible via web-based systems, and can only be accessed by a dedicated email client. That’s right, I use a separate program just for email. For most of Internet history, this was the norm; web-based is a recent “convenience” – and is vulnerable to all the gotchas of web-based clients.
I use and recommend Forte Agent and Mozilla Thunderbird. Forte Agent I’ve used since its beginnings – but this is not an easy package to master, and many are turned off by having to pay for it.