email account hacked

pbowenroe

An email account of mine was used to send several spam emails. Any idea how access was gained to it? I don't think my password is very guessable. The emails contain several different links. I haven't clicked them as yet.

FSL

Are you sure they were sent from your account using your SMTP server and not just having your email address in the from field?

pbowenroe

Honestly I don't know as I haven't a ****ing clue about stuff like this. I had to unblock my email account as the person who received all the spam must have complained to hotmail.

FSL

In that case change the password to a more secure one. Not dictionary word(s) and include special characters. Also don't use the same password on any other accounts.

pbowenroe

thanks a lot man

mark182

This is after happening to my email too, I've already heard of 3 similar cases from friends in past two days too. And some research i did has shown that its happening a bizarre amount of times world wide in past two days. So everyone just be cautious of your emails. And change you're passwords.

Anyone explain how something like that has happened though?

GaryIrv93

Email accounts aren't hard to hack into. If someone knows you email address, they can type it into the the login page, then use the feature ''forgot your password?'' to continue from there and make a new password, then log into your account and pretty much do what they want with it. Did the previous password work when you tried to log in after you found out about the hacking?

mark renton

Many many different ways of sending an email as someone else;

1) Download virtual box / setup linux and you can then send email where you can add the from address yourself

2) Tabbed browsing - If you are logged into email account and use tabbed browsing, then go to a site and click on a link it in possible for that site to obtain your email session cookie from the other tab and login to your email as yourself

3) Hack email account password - brute force/dictionary attack

Im guessing most email hacks these days are 2) - be safe - always use a condom!!



Also the usuals / logging on in a internet cafe where password etc is saved / using same password for all logins

mark182

GaryIrv93 wrote: »

Did the previous password work when you tried to log in after you found out about the hacking?

Only my new password works, my original one doesnt any more, which suits me grand. Since the password change it stopped sending spam anyway because it was sending like crazy up until then.

Im fairly familar with computers but just not something like this, so thanks for the responses, I'm trying to find a way to explain it to my not so online safe friends, and was struggling to find logical reasons.

GaryIrv93

mark182 wrote: »

Only my new password works, my original one doesnt any more, which suits me grand. Since the password change it stopped sending spam anyway because it was sending like crazy up until then.

Im fairly familar with computers but just not something like this, so thanks for the responses, I'm trying to find a way to explain it to my not so online safe friends, and was struggling to find logical reasons.

I know how you feel - I've had my Facebook hacked before and can be pretty scary. You've no idea what someone could do with it once they're in. When I found out I was going 90mph trying to get back in, switching to a new password and a lot of other hassle. Luckily though nothing was done to it.

After being hacked, then I'd definitley suggest improving account security. There should be a feature on every account to enable you to do that.

Gary,

techie

GaryIrv93 wrote: »

Email accounts aren't hard to hack into. If someone knows you email address, they can type it into the the login page, then use the feature ''forgot your password?'' to continue from there and make a new password, then log into your account and pretty much do what they want with it. Did the previous password work when you tried to log in after you found out about the hacking?

How is that going to work, when they click on Forgot Password it will email a Security Link to that email account , which you have no access to, to read and act on ??????

tricky D

john47832 wrote: »

Many many different ways of sending an email as someone else;

1) Download virtual box / setup linux and you can then send email where you can add the from address yourself

2) Tabbed browsing - If you are logged into email account and use tabbed browsing, then go to a site and click on a link it in possible for that site to obtain your email session cookie from the other tab and login to your email as yourself

3) Hack email account password - brute force/dictionary attack

4) Spoof it if you have an email client which allows that. I do it now and again for some client newsletters.

mark renton

tricky D wrote: »

4) Spoof it if you have an email client which allows that. I do it now and again for some client newsletters.

See 1)

h57xiucj2z946q

john47832 wrote: »

2) Tabbed browsing - If you are logged into email account and use tabbed browsing, then go to a site and click on a link it in possible for that site to obtain your email session cookie from the other tab and login to your email as yourself

Its not due to tabs. You cannot steal cookies from open tabs unless there is a browser flaw. Its possiblle to steal cookie via xss weakness on a webpage.

It's also possible to perform actions under a users account (but not steal login cookie) via CSFR. If you create a webpage and have it load an image of Facebook, your browser will source a cookie if any for your webpage's domain, and source facebooks cookie also. However your webpages cookie is only available server side to your domain. Facebooks cookie is only available to Facebook.com. This is how browsers work! But its possible for your page to load URLs which perform requests/posts against pages which could mimic actions on someones account (as the cookie is safed). However most big sites use tokens which change after each post/request which is an effective countermeasure against CSFR, therefore minimising malicious intent.


Alot of passwords are stole from weak sites where people register their details. Login databases are stole, and their email address and password for the weak site is same as their email account login.

Alot of users have malware also that steal credentials.

tricky D

john47832 wrote: »

See 1)

*nix not even needed. Use Pegasus on Windoze.

My Hotmail account got done about 18 months ago, as did several other people I know. For a long time I suspected that Hotmail's account database may have been compromised. Then I remembered one occasion when I used it on a different machine. I've no evidence that it had any malware but it's the only thing that makes sense to me as I've never disclosed the password to anyone.

mark renton

Adriana Whining Tutorial wrote: »

Its not due to tabs. You cannot steal cookies from open tabs unless there is a browser flaw. Its possiblle to steal cookie via xss weakness on a webpage.

Is xss dependent upon open session in browser?

h57xiucj2z946q

john47832 wrote: »

Is xss dependent upon open session in browser?

For session stealing, it only need valid cookie. These can remain when tab is closed. It is afterall how you are already logged in when you return. But xss is mostly used in social engineering attacks where the user is tricked into doing something. This might even be oclicking an URL, with a payload, therefore creating an open session, and at same time grabbing cookie.

Halo Kitty

My hotmail account has been compromised along with a few of my friends, Windows live asked for my mobile number and texted mean access code to enable me to create a new password,
Hope this works, as i seem to have sent out alot of spam to friends, and maybe to others..