Your Email Got Hacked?


Q: Someone a long time ago told me to put AAAAA as an email address at the top of my email list and that they couldn’t hack your email. I have done that for years, and so far it has worked.

Many years ago, in Africa, it was discovered that if there was a total eclipse of the sun, the beating of bongo drums would eventually cause the sun to come back out. In modern times further research has determined that the sun will come back even if you don’t beat bongo drums.

Your email has not been hacked because you are lucky, or doing something else right. Most commonly, you discover that your email has been hacked when your friends start to tell you that you are sending them very strange messages, either spam (Unsolicited Commercial Email, or UCE) or some other nonsense that you would not have written. In that case, what has most likely happened is that a “brute force” attack has succeeded in guessing your password.

If you have an email address, and use email, the global Domain Name System allows anyone to determine the Internet servers that handle your email. Once a hacker knows your password, he can then send out tens of thousands of UCE messages to other email addresses all over the world. Each of those messages will actually be FROM you, because the hacker has authenticated to your email server using your credentials.

The best protection you can provide for yourself is to use a strong password (at least a combination of numbers and lower/uppercase letters) that is long enough (10-12 characters) to make it very difficult to guess, even for a brute-force attack program. If that fails, you should immediately change your password again. Never write down a password (spend a few hours memorizing it), and don’t tell anyone what it is.
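To make the length and character-mix advice concrete, here is an added example (not part of the original column) that checks a password against those rules and estimates how large a search a brute-force program faces. The function names, the sample passwords and the guessing rate are assumptions, and only ASCII characters are counted.

```python
import math
import string

MIN_LENGTH = 10  # lower bound of the 10-12 characters recommended above

# Character classes the column asks for, plus punctuation for completeness.
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "punctuation": string.punctuation,
}
REQUIRED = ("lowercase letter", "uppercase letter", "digit")


def policy_failures(password):
    """Return the list of rules from the column that the password breaks."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name in REQUIRED:
        if not any(c in CLASSES[name] for c in password):
            failures.append(f"no {name}")
    return failures


def alphabet_size(password):
    """Smallest alphabet a brute-force tool has to cover to reach this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space_bits(password):
    """log2 of the candidates to try; only meaningful for randomly chosen characters."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guessing rate."""
    candidates = alphabet_size(password) ** len(password)
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords; the guess rate is an assumption.
    for pw in ("AAAAA", "password12", "k7Qm2xVd9Lpa"):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw, 1e9):.2e} years at 1e9 guesses/s, "
              f"failures: {policy_failures(pw) or 'none'}")
```

The bit count is an upper bound: a password built from a dictionary word, such as the constructed "password12", falls to a word-list attack long before the full search space is exhausted.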

Another good strategy is to send and receive your email using an encrypted connection (Gmail makes this easy). If you aren’t using SSL to encrypt your email connections, your username and password are passed over the Internet in plain text, and anyone who can see that traffic can easily decode your password. Ask your email provider how to set up SSL encryption in your browser or email client (e.g. Outlook) settings.