Damage Control - third party gains access to emails

Random

What would you do if a third party had access to your emails? They only had read access and could not send / delete any. They could read all sent and received emails.

They may have had access for up to 6 months.

This email account contained all personal emails - i.e. things like Ryanair confirmations, discussions with an mobile provider about accounts, confirmatins of various online orders, all the usual stuff etc

What's your first step after you've changed the password and made sure the same thing can't happen again?

Do you try and go back through all the emails you've sent / received to see if anything crucial was there?
Do you just change every password for every online service you ever had?
Do you just hope for the best and assume any damage that could have been done is done already?
Do you start asking for new flight confirmation references? Emailing anyone who might have emailed you something important?

Any feedback welcomed.

IH77

I think my steps would depend on who the 3rd party was. If it was someone I didn't trust (which is probably the case now if you've just found out they've been accessing your email without your knowledge/consent) then yes I would be a little paranoid.

Personally, I am careful about what I keep in my email in any case, emails that contain passwords I delete (as I have a fairly standard password for most online things with slight variations). So if those type of emails have been accessed I would go about changing passwords in case there is a risk damage may still yet to be done. I think if someone really wanted to they could get enough information from your online accounts etc to do some real damage (e.g. if you’ve ordered something online the site may have retained your credit card details for your next visit, that sort of thing)

Out of interest, is this a hypothetical situation or real? I am interested how someone can have access to read your emails but not send/delete any?

Random

If a person has access to all your incoming and outgoing emails then it doesn't matter what you do or don't keep as they might already have seen it before you delete from your inbox.

Like it or not in todays world a lot of sensitive information or potentially sensitive or disruptive information (in the wrong hands) is passed by email.

What would you do about someone having your flight references or hotel booking confirmations?

IH77

Random wrote: »

What would you do about someone having your flight references or hotel booking confirmations?

I think it depends on the situation. If you are worried that this person will know when you will be away from home, where you will be staying, for how long etc then you might need to change your plans. If it is from flights/trips already taken then what can you do?

Agree that a lot of sensitive info is sent by email and that if there is a breach then harm can be done. I'd be worried about things like identity theft, particularly if I didn't know who it was that had accessed my emails.

Random

Not even so much a concern about when someone would be away from home in future trips .. more like them having access to change flight details etc?

IH77

I see what you mean. Do you think the person would do this? You'll have to confirm all your flights (online if possible) regularly, do online check-in 14 days before if with ryanair, that sort of thing if poss. - Bloody annoying I know.

probe

gmail will work with Stina Ehrensvärd's Yubikey shortly! If you use multi-factor authentication, it doesn't matter if some prat gets their hands on your user ID and password, even if they use a keyboard logger. They will still need to squirt a random hash that changes every minute, into your log-in sequence, in addition to knowing your user-id and password, before they can get into your account. If you keep the Yubikey on your keyring, chances are you'll know fairly quickly if your key has been stolen.

The main financial risk with other people getting acces to your emails is probably making reservations with Irish hotels. On several occasions I have received reservation confirmation emails (unencrypted) from Irish hotels along the lines of "Dear Mr Probe, thank you for your reservation. bla bla bla If you don't show up, your xxx card number 9876 7654 9999 0000 expiry date 09/2055, CVV 0876, cardholder name MR X Probe will be charged with €99.00 for the first night."

I invariably cancel my reservation at these establishments (if Ireland had a decent banking system they wouldn't be given access to the card networks) and instruct my bank to issue me with a replacement card number as a precaution. While I end up with a nice new card every time, and am forced to change my hotel plans, I have to say that Ireland remains the most CLUELESS country when it comes to data security/privacy awareness on the planet.

The other extreme of stupidity is the online retailer who in their confirmation email for a transaction doesn't give you the last four digits of the card you used for the transaction. If there is a problem with the transaction, their website often asks for your card number to "verify" your identity. You might have used your Visa card or a Maestro..... The four digit clue would be intelligent.

http://www.yubico.com/applications/software/