11-27-2011 09:43 PM
Some of my friends have had their Hotmail accounts hacked and used to send spam mails. Some of their account passwords were even changed, and they are unable to access them.
Some of them contacted Microsoft for assistance and had their passwords reset; some of them created a new account and re-added their friends.
Rarely, I even receive friend invitations (accept / decline, etc.) from unknown people with suspicious email addresses. When you accept them, you never see them online, or the account is not available on Facebook or Friendster.
In the past, I even received junk messages (links to threats, etc.) from friends' accounts through Windows Live Messenger. I have not received these for quite some time now, so it's OK. I would advise affected friends to change their account password, but I am unsure whether it would work.
Why does this happen, and how can we protect our accounts from being attacked / made use of?
11-28-2011 01:34 AM
Password compromises of web-based services most often occur because of three reasons:
My suggestion would be to avoid invites from suspicious accounts on instant messengers, social media and so forth. If you get a suspicious message from someone you know, try contacting them out-of-band (i.e., using a different means than they used to contact you, such as by sending them a text message if they sent you an email) to notify them about the suspicious message(s) you received.
Changing the password on a compromised account often works, but it is always a good idea to check with the particular service provider to see if they have any specific or additional recommendations about how to secure the account.
11-28-2011 05:20 AM
Great suggestions. One of the things I find troubling is that many of these free services (Facebook, Gmail, etc.) ask for additional personal information to help validate your identity. I struggle with this a bit, as it seems counter-intuitive to me. If some of these sites can be hacked, do I want them to store additional information about me?
So far, I resist adding any more information. Am I being too cautious?
11-28-2011 06:43 AM
11-28-2011 08:24 AM
Although Aryeh addressed your question on the why and how password compromises occur, I'd like to add additional information about the issue you raised regarding compromised Hotmail accounts.
"Some of my friends have had their Hotmail accounts hacked and used to send spam mails. Some of their account passwords were even changed, and they are unable to access them."
The Hotmail team has incorporated security features designed to protect and recover a Hotmail account. These features include those listed below. In addition, the Hotmail team has rolled out a new security feature that will prevent choosing a very common password when recovering a compromised Hotmail account, signing up for a Hotmail account or when changing your password. Also, if you are already using a common password, you may, at some point in the future, be asked to change it to a stronger password.
1) Designate an alternate e-mail address. Be careful when entering the alternate e-mail address as it will need to be confirmed.
11-29-2011 02:22 AM
When the questions one is asked seem to be... intrusive, I'm a firm believer in providing an answer that I can remember, but is not necessarily truthful. For example, if asked for my birth date, I may give the year I was born, but specify January 1st for the date.
More elaborate answers can be given to questions, especially those required to reset a password, but it is important to store those answers safely offline someplace, so in the event you have forgotten your password or need to change it, you will be able to do so.
In a home environment, I personally feel that an address book—the actual paper kind that you write in with a pen—stored near the computer (but not at it, or at least, out of sight from it) is a great place to keep mnemonics and tips to help you answer password recovery questions for web sites. Keep in mind, though, that you should not write the actual answers to the questions in there, just something that helps you remember your answer.
11-29-2011 08:29 AM
"In a home environment, I personally feel that an address book—the actual paper kind that you write in with a pen—stored near the computer (but not at it, or at least, out of sight from it) is a great place to keep mnemonics and tips to help you answer password recovery questions for web sites. Keep in mind, though, that you should not write the actual answers to the questions in there, just something that helps you remember your answer."
I've been using this method at home for many years, not only as a reminder for password recovery questions but also as a reminder for web site passwords. Never use the same password at every site. If that site should be compromised, your account information could be readily available to the hacker. Although there are password generating programs, I got into the habit of creating my own unique password for each web site. (This is probably a result of a work environment that necessitated changing the password every 30 days.)
11-29-2011 11:38 AM
Never use the same password at every site. If that site should be compromised, your account information could be readily available to the hacker.
This is very good advice.
If it is too much hassle to use a different password for every site, then use passwords for different types of sites, e.g. use a very strong password for financial sites, another strong password for email accounts, and an easier password for general site accounts.
11-29-2011 12:42 PM - edited 11-29-2011 01:00 PM
Let me add other techniques that are being used by the bad guys to hack or steal other people's email accounts:
Phishing - is a form of social engineering broadcast attack focused on stealing credentials or identity information from any potential target. You've already cited an example of this technique -- when you received friend invitations from unknown people with suspicious email addresses. That's how others start their phishing attack.
Weak passwords - some users use common words as their passwords -- which is not a good practice. Avoid using simple words like "password", "12345", "admin", "54321", etc. as your password. It will be easy for the bad guys to guess your password if you use a weak password.
Dictionary attack - this is somewhat related to weak passwords. The bad guys will try to use common words to try to guess the password of your account.
Other techniques are quite old-fashioned already, but they still work. So you should still be aware of the following:
Eavesdropping - is the act of secretly listening to the private conversation of others without their consent. One example is if you're in a public place, the person beside you might be "secretly" listening to the things that you're saying while you're talking to a friend via your mobile phone, in a face-to-face conversation, etc. -- waiting for some important information that you may say that might be of use to them.
Shoulder surfing - this is (or should I say was) very common in Internet cafes, wherein the person beside you is waiting for you to type in your password and will monitor the movement of your fingers so that they can determine your credentials.
If you're the kind of person that writes their passwords or important information on a piece of paper, make sure that you store it in a safe place (not under the keyboard, on a refrigerator/monitor post-it, etc.). Also, be wary of the "dumpster diving" technique that's still being used by some bad guys.
Dumpster diving - is the act of digging through trash in order to obtain information about a target organization or individual. To prevent dumpster diving (or at least reduce its value), all important documents should be shredded or incinerated before being discarded.
And of course, the last and most important thing is end-user education or awareness. There's a good saying that is very common on social networking sites: "Think before you click"
Hope these help.
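To make the "weak passwords" and "dictionary attack" points above concrete, and to show why a service rejecting very common passwords (as the Hotmail post earlier in this thread describes) actually helps, here is an added example that is not part of any post in this thread nor any Microsoft code. It uses a small constructed word list, applies the mangling rules a dictionary attack typically tries (case changes, leet-speak, short digit or symbol suffixes), and runs them against a SHA-256 hash of a password. The same machinery doubles as a "is this password too common?" check, and a helper generates a random replacement. The word list, mangling rules and suffix choices are illustrative assumptions, not a real attack tool's rule set.

```python
import hashlib
import secrets
import string

# Constructed toy word list (includes the examples cited in the post above).
# A real attack uses lists with millions of leaked passwords.
WORDLIST = ["password", "12345", "admin", "54321", "qwerty", "letmein",
            "welcome", "monkey", "dragon", "hotmail", "lenovo"]

# Leet substitutions applied word -> variant (an assumed, simplified rule set).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes people bolt on to satisfy "add a number or symbol" rules (assumed).
SUFFIXES = ["1", "!", "123", "1!", "2011", "01"]


def mangle(word):
    """Yield the candidates a dictionary attack derives from one base word:
    case variants, a leet-speak form, then each with common suffixes and 0-99."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    for base in sorted(bases):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix
        for n in range(100):
            yield f"{base}{n}"


def sha256_hex(password):
    """Unsalted SHA-256, as a stand-in for a stolen password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST, max_guesses=1_000_000):
    """Try every mangled word-list entry against target_hash.
    Returns (recovered_password, guesses_made); password is None on failure."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
            if guesses >= max_guesses:
                return None, guesses
    return None, guesses


def is_weak(password):
    """True if the password falls out of the dictionary attack above, i.e.
    the kind of password a common-password blocklist should reject."""
    recovered, _ = dictionary_attack(sha256_hex(password))
    return recovered is not None


def generate_password(length=16):
    """Random password from a cryptographically secure source (secrets),
    so it cannot be reached by word-list mangling."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed demo inputs: two "compliant-looking" but weak passwords
    # and one randomly generated one.
    for pw in ["Password1", "P@$$w0rd!", "Admin2011", generate_password()]:
        found, n = dictionary_attack(sha256_hex(pw))
        status = f"recovered as {found!r} after {n} guesses" if found else f"not found in {n} guesses"
        print(f"{pw!r:22} weak={is_weak(pw)!s:5} {status}")
```

Note that the "compliant" variants (capital letter, digit, symbol) are recovered in a few thousand guesses; the point is that mangling rules are cheap for the attacker, so distinct words per site, or a random password kept in a manager or the offline notebook described earlier, matter more than decorations on a common word.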