Note: This post is going to venture out from the fields of mobile and wireless topics into the dense, dark forest of personal data breaches. It's inspired by an email from a good friend. They found a lot of advice on the web on how to prevent privacy breaches, and posts that claim to offer post-breach advice but go on to espouse mostly preventative measures. Let's get into it.
A friend writes me an email, stating that her roommate's Gmail account has been compromised.
A message went out to all of the roommate's contacts, purporting to be from her and asking people to send money because she had lost her wallet while traveling in Nigeria. Anyone who replied was replying to a disposable address on another email system, and was likely asked to wire some money. The "relative in need of urgent money overseas" scam is far from new, but it is often effective: travel is cheaper than it once was, and many people can relate to finding themselves stranded without a wallet.
The account was recovered and the password changed, but now the concern is what information was gleaned and copied out of the account, what is "out there" now, as the friend puts it. The intruders tried to delete all of her current email, likely to cover their tracks, but it could easily be restored to the inbox (Gmail keeps deleted messages in Trash for around 30 days). But, as often happens, there was a new job and an upcoming move that identity theft could really jinx. What do you do next?
It's a really good question, because while many email hackers are similar in methodology, some are more hit-and-run, and some are aiming at long-con impersonation and turning out every account and line of credit they can find. I've helped out about a half-dozen friends and relatives with email intrusions, including my wife. I am not an information security expert, a lawyer, an officer of the law, or someone who has a time machine you can borrow. But here is what I tell people who want to know what to do next, after their email has been opened up and sorted through.
One more note: A significant portion of the text below was included in the original email to the friend with the unlucky roommate.
Change any password that is the same as your email password: First off, if any of your passwords are the same between email and banking, or email and Facebook, or Facebook and banking, you get the picture: change them immediately. You may have regained your email account and changed its password, but attackers assume, usually correctly, that people reuse passwords across accounts. This is partially how Mat Honan lost everything to hackers, and how my former client Gawker Media was split wide open. This is the first thing you do after getting your email back.
My Experience and Assumption About Most Email Hacks: They are muggings more than burglaries: one and done. Email hackers want to get in, send out a link, and get money sent to them through the single channel they know how to collect from; in this case, an email address that was probably hooked up to a wire/cell transfer service. In other hacks, it's an eBay purchase shipped to a drop site from which they can pick it up.
They are not, generally, genius social engineers looking to re-mortgage your house, clone your identity, or open a line of credit in your name. Just look at the text of their spam-bait email. They are going to do what they did to you to 26 other people this week, and the money they get is quick and hard to trace. They do not have time to play Sneakers with someone whose resources they do not know. Those people are the ones going through your trash (I kid! Perhaps!).
You will not track down who did it: They will have moved to another IP address, another VPN network, a different internet café. Nigerian scammers are so prevalent because it is really hard to track down scammers in Nigeria. If you have incurred theft or definitive loss of data, you can and should file a report with your local police, if for no other reason than proof for insurance and future banking needs. But your energy is better spent on cleaning up. Speaking of which!
Write a very short, to-the-point clean-up letter to your contacts: "This account was compromised. Please disregard and delete any messages that encouraged you to (click a link/send money). My apologies for any inconvenience." You don't want to spend time telling everybody that you are fine now, and they do not have a lot of time to read about an email drama. Carry on.
Clean out your contacts, put everyone in the BCC field: Make sure you don't end up emailing old bosses, roommates, and Craigslist correspondents next time this happens (if it happens). In worst-case thinking, too, if a hacker inserted a name or address into your contacts so that their email would make it through spam and priority filters, you don't want it in there. Plus, are you not overdue to clean out those old never-seen-anymore names?
Most of all, put all the recipients in the BCC field. You do not want to start a reply-all spam chain. You do not want your Aunt Gertrude to discover you have emailed Cousin Maude even once, because they loathe each other and will bring it up the next time they see you.
Search for and delete passwords, Social Security numbers, account numbers, etc. from your email archives: Search your entire email archive for your SSN, account numbers, major passwords, driver's license number and anything else personally identifiable and important. This way you know what details an email hacker might have had access to, and you can be relieved to learn what was not in there. Delete what you find, and then empty the Trash: the intruder's own deletions were recoverable for 30 days for exactly the same reason.
I just checked myself. I am a freelance writer who sends out invoices—oh, sweet providence, my SS# and bank account #s are in tons of emails. Time to start deleting!
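Eyeballing years of mail is where most people give up, so here is an added example of automating that search. It is my illustration for this post, not a Gmail feature: it reads a standard mbox export (the format Google Takeout produces), looks for SSN-shaped numbers, card-shaped numbers that pass the Luhn checksum, and any literal secrets you hand it, and reports only the last four characters of each hit so the report itself is not a new leak. The three messages embedded in it are made up for the demonstration, and the function and file names are my own.

```python
"""Scan an mbox email export for data an intruder could have copied.

Added example for this post, not a Gmail feature. Works on the .mbox file
that Google Takeout (or any other mail export) produces.
"""
import mailbox
import os
import re
import tempfile

# Constructed sample export for the demonstration; every number here is fake.
SAMPLE_MBOX = """From invoice@example.com Mon Jan 02 09:00:00 2012
From: Me <me@example.com>
To: client@example.com
Subject: Invoice #17

Please remit to account 1234567890 at routing 021000021.
For 1099 purposes my SSN is 123-45-6789.

From me@example.com Tue Jan 03 09:00:00 2012
From: Me <me@example.com>
To: friend@example.com
Subject: tickets

Charged to my card 4111 1111 1111 1111, confirmation 8827.

From me@example.com Wed Jan 04 09:00:00 2012
From: Me <me@example.com>
To: roommate@example.com
Subject: wifi

The router password is correcthorse, don't share it.
"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; candidates are then
# confirmed with the Luhn checksum so invoice and routing numbers don't match.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the report is safe to keep."""
    return "*" * (len(value) - 4) + value[-4:]


def message_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_text(text, known_secrets):
    """Return (kind, masked value) for every sensitive item found in text."""
    findings = [("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", mask(digits)))
    # known_secrets: your real passwords and account numbers, typed in locally
    findings.extend(("secret", mask(s)) for s in known_secrets if s in text)
    return findings


def scan_mbox(path, known_secrets):
    """Scan every message in an mbox file; returns one dict per finding."""
    hits = []
    box = mailbox.mbox(path)
    try:
        for index, msg in enumerate(box):
            for kind, value in scan_text(message_text(msg), known_secrets):
                hits.append({"message": index, "subject": msg["subject"],
                             "kind": kind, "value": value})
    finally:
        box.close()
    return hits


def scan_mbox_text(text, known_secrets):
    """Demo helper: write mbox text to a temporary file and scan it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        return scan_mbox(path, known_secrets)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for hit in scan_mbox_text(SAMPLE_MBOX, ["correcthorse", "1234567890"]):
        print(hit)
```

For a real export, call `scan_mbox("All mail.mbox", [...])` with your actual passwords and account numbers in the list. Run it on your own machine and do not paste the list anywhere else; the point is to learn which messages to delete, and a hit on "secret" for a password means that password needs changing regardless of where else it was used.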
Contact your banks and credit cards, and change your online banking passwords: Just in case, contact your money-holding and credit-granting entities and let them know they should keep an extra-focused fraud watch on your accounts for the next few weeks or months. Most importantly: get a case or reference number for the issue, and get the name of the person you talked to.
Some banks and cards can actually elevate their fraud detection, which is nice. With the others, you will at least have a record of notification, in case anything goes wrong later on. In any case, watch your statements carefully for the time being.
Securing after the fact: You have a mobile phone of some kind, right? Even if you have a regular ol' cellphone and despise the attention-destroying trend of smartphones, turn on two-factor authentication for your Google account.
This sounds really nerdy, but basically it tells Google: "Anyone who tries to log into my Google/Gmail account also needs to be able to turn on my phone and run this app" (or receive this text message, in the case of vanilla phones). It's a bit annoying when you first log in from your home computer, your iPad and your work computer and have to pull out your phone to type in a 6-digit code after you have already entered your password. But! You can set your own computers to not ask for the code again for 30 days (or sometimes longer), and you can generate backup codes for when you don't have your phone handy. Print those or keep them in a password manager, not in your inbox, since your inbox is the thing you are protecting.
Most of all, when some misguided soul somewhere in the world guesses or intercepts your password? They still cannot get into your account, because they don't have the 6-digit code, which changes Every. 30. Seconds. The code is computed from a secret shared between your phone and Google plus the current time, so a code that was phished a few minutes ago is already useless.
(Don't use a Google/Gmail account? Yahoo offers two-factor authentication with SMS and security questions, as does Outlook.com. AOL? Well, maybe now is a good time to consider a switch. Just tell everyone your account got hacked!)
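For the curious, here is what that 6-digit code actually is. This is an added example written for this post, not Google's code: the TOTP scheme from RFC 6238 that Google Authenticator and most other authenticator apps implement, using the RFC's own published test secret so the outputs can be checked against the RFC's tables. The phone and the server share one secret (that is what the QR code carries, base32-encoded) and both compute an HMAC-SHA1 over the current 30-second time step; the server side accepts a small window of neighbouring steps so a slightly wrong phone clock still works. Function names are mine.

```python
"""Time-based one-time passwords (RFC 6238), as used by Google Authenticator.

Added example for this post, not Google's code. The secret below is the test
key published in RFC 6238, so the codes can be checked against the RFC.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"). In real life it is
# generated per account and delivered to the phone base32-encoded in the QR code.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per code; Google Authenticator uses 30


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP, digits=6):
    """The code valid at Unix time `at`: HOTP with the time step as counter."""
    return hotp(secret, at // step, digits)


def verify(secret, code, at, step=STEP, window=1):
    """Server side: accept the current step plus `window` steps either side so a
    phone clock that is a little off still works. Uses a constant-time compare."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def provisioning_key(secret):
    """The manual-entry key shown beside the QR code when you enrol a phone."""
    return base64.b32encode(secret).decode()


if __name__ == "__main__":
    now = int(time.time())
    print("key to enter in the app:", provisioning_key(SECRET))
    print("code right now:", totp(SECRET, now), "next change in", STEP - now % STEP, "s")
```

The thing to notice is that nothing secret ever crosses the wire at login time: the attacker who phished your password sees a six-digit number that stops working within a minute or two, and without the shared secret they cannot produce the next one. That is also why the shared secret and the backup codes deserve the same care as the password itself.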
I hope that helps someone out who comes across this page in the sad, frustrating moments after an email hack. It helped my friend out a bit.