Hacking horror story

We’re truly living in the digital age. So many of the most basic tasks we have to perform are done online. We can register our car, book a cruise and order the groceries for the week all with a few swipes and keystrokes – from wherever we like.

The one thing that unites all of these functions is our personal email address. From banking to baking recipes, it’s linked to all our digital activity.

So you can imagine the absolute horror I felt when I woke up one Sunday last month to find that my Hotmail account had been hacked and subsequently disabled by Microsoft.

Once I’d got my head around what had happened, I set about attempting to recover my beloved email account. I’d held the same address for close to 15 years and had – as I suspect everyone does – treated it as a bit of a digital filing cabinet. Lots of personal information and emails from loved ones are filed away in folders in my email, along with a whole bunch of concert tickets, holiday tickets, insurance policies etc. The blueprint of my life, as it turns out.

But recovering the account is where it gets tricky. You can’t just call Microsoft, Google or Yahoo! and ask them to unlock your email accounts, thanks very much. For our very own protection these accounts have high security settings on them.

No problem, I thought. I’ll just answer the questions and hey presto! I’ll be connected once more. Oh how naive I was. Because I couldn’t answer those questions. I had no clue. ‘Who is the love of your life?’ Microsoft asked me. Answering that today is simple. But answering it as me 15 years ago was a whole other story. Fail!

‘Please tell us the date of your last Skype transaction, how much it was for, and the last four numbers of the credit card you used to pay for this transaction’. My best guess was circa 2008 and that’s all I had. Fail!

‘Tell us the subject lines of some of the most recent emails you’ve sent’. Fail! And so it continued.

Suffice to say I had unceremoniously failed my own security verification. I was stuck in no-man’s land with nowhere to go. I tweeted Microsoft who was quick to respond but could only do so much due to my security failure. I spoke to a live chat ‘bot’ who was very polite but could not help.

I reached out to my social media community for advice, hacks… anything that could get me reconnected again. People were wonderfully supportive and tried to assist but it was futile. Even the automated messages from Microsoft were telling me I’d had too many failed attempts and it was time to move on and open a new email account. It was over.

Thankfully Microsoft Australia heard of my plight and over a six day period managed to escalate my issue and resolve it for me.

But I truly consider myself one of the lucky ones. During the week I was off the grid, I came across hundreds of similar stories, but particularly in the last month or so. And far fewer of those shared my happy ending.

With huge organisations being hacked every other month, I suppose it was just a matter of time before my email address was used to send spam. And I’d expect my email provider to crack down on irregular behaviour within accounts and freeze them until they can be verified.

So my tip for you all: check your security questions. If you change jobs or move house make sure your contact details for your email provider are updated. Make sure you can still answer those security questions. And check that your personal details are correct. It seems my Hotmail account had been registered by me with the wrong date of birth for 15 years. It’s no wonder I couldn’t pass the security questions…

9 Likes

Glad you managed to get it sorted out in the end Claire! :disappointed_relieved:

One way to avoid the issues associated with email accounts with these mega impersonal companies is to register your own domain and create your own email accounts, and host it somewhere reliable, so that you are in complete control of it all and can administer it yourself. Yes it does cost a bit (but not too much), but it can avoid the hassles you have encountered.

8 Likes

I agree @gordon.

I use a free email account as the front, with everything that comes in forwarded to our email account on our domain where it is filed on a hosted email server, and backed up elsewhere too.

This way our domain’s email account doesn’t raise its head above the parapet, and the free account can be replaced with a new one, and mail repopulated.

3 Likes

Keeping updated questions, regular changing of passwords etc are good basic account security processes.

That said, the reason for hacking accounts is not to send spam under your name - it is to use it to sign up for various services or gain access to your other accounts that use that email. Spam almost always forges the From address - so you can guarantee spammers have sent stuff using your name and email address on it in the past (as someone with an email address that I’ve had for over 20 years and published in many books I regularly get floods of mailserver rejections from exactly this).

The basic process works like this: Break into account, use that to see what usernames you might be using for other services (say your bank/paypal/ebay etc), then go to those, and ask for a password reset. The reset is then sent back to your email, and voila they have access to all your things and off they go on a spending spree.

Many compromises in the last year or so have come from two or three major database break-ins. Yahoo and LinkedIn are the primary ones. This then is used to access your Skype account and then other Microsoft accounts.

If you’d like to check if you have been compromised through one of these breakins, then visit

Enter your email address and it will let you know which of those DBs they have used.

4 Likes

Yep well worth checking all your email addresses and also worth registering your email addresses at the site to pick up if they appear in future breaches as I advised in my topic Some more Data Breaches of 2016, 2017, & 2018

5 Likes

One major problem with security questions is that there’s always a possibility that whoever is trying to hack into your account also knows the answer to the questions. I have a special PIN number that no one knows but me that I add to the end of every answer, so if the answer was Queensland, I’d put the answer as Queensland 1234 (not my actual PIN number, by the way). That adds an extra level of security. I always choose questions that delve into my past with static answers and not questions that refer to my present moment in time. Questions like what was your phone number when you were a child, or what was the name of your first pet, etc are easy to remember because they’ll always be the same for me. That way I always know the answer and don’t have to remember who my next door neighbour was flirting with in 2007 or what my cat’s favourite brand of catfood was before it passed away and I ended up with another cat who liked a different brand. Always check your account settings and update them when you get a new phone number as well, as some places try to send you verification requests via text message. Not really very helpful if the text messages are going to a phone number you no longer have access to.

11 Likes

The answer is not to use email accounts to verify your identity on other accounts.

I verify/log-in onto each site separately (with different user-id etc.) without reference to any other log-in. That way, if one account is hacked it doesn’t take down all.

1 Like

Absolutely agree with Gordon. Your email address is more than just that and we all rely on them for communication with everyone. If you register your own domain you can set up different email addresses for different needs (i.e. use the name of the company you’re dealing with as the address, telstra@yourdomain.com.au). If you receive email to that address from anyone other than the company you set it up for, contact that company and let them know. The more control you take, the safer you will be. The beauty of your own domain is you can take it with you… if your host turns nasty, transfer it to a new one and never miss an email… just make sure you back up regularly.

2 Likes

I notice some sites I use allow you to log in using Facebook. I don’t have a Facebook account, but presumably hackers could just as easily guess your password and take control using FB. And pinch your FB identity & social life.

Another vulnerability I noticed - I use Firefox - and use its Remember Password facility for inconsequential sites. I have discovered the passwords - Tools - Options - Security - Saved Logins - Show Passwords. There is the web address, User name & Password. Presumably these are stored in my Profile. There is an option to secure this access with a master password - how many of us know that or bothered with it?

I had a similar story to Claire when I attempted to use Ebay after years of inactivity - remember a phone number from 1999? In the end my husband got what he wanted through his son who is an EBay tragic.

I had a hotmail account I used when I wanted to be anonymous - it got strange messages sent from it and I managed to get it back, but returning to it years later I was blocked due to too many attempts at the password - but not by me. I am guessing there are bots that patiently try passwords.

Security questions - I make up my own, if that is an option, because I can get something specific, but un-guessable. My husband’s first wife died suddenly; as she had the passwords to everything, he couldn’t even get email. By nominating something he would know he can at least get access to his email account to receive bills etc. Because everything was in her name, e.g. the phone, only she could authorise anything, and getting it into her husband’s name was a long process.

2 Likes

At least you’re not alone @ClaireGould, even David Beckham has hacker problems (credit to @vax2000 for the link).

2 Likes

Claire, good points. The real issue though is that most people use the same password on more than one site. Hackers get into low risk sites (Gumtree, community groups, forums etc) to gain the email address and password. Using the email address and password they then hack into the email account to find out who the user does business with. Then using the same credentials they access the user’s very important information. If everyone used a unique password for each site hacking would be reduced to negligible. PS use a password manager to keep track of passwords and login credentials.

2 Likes

I use a desktop email client, Windows Live Mail, for my multiple email accounts, which has better security because the emails I send and receive and any attachments are stored (backed up) on my computer. Read and compose emails offline etc.

Read more - What Desktop Email Clients Still Do Better than Webmail

I use different email accounts. The 1st account is used for personal stuff like online banking, corresponding with the phone/electricity company, known family and friends etc, and is my long term email account.

The 2nd account is used for when you have to provide an email address to enter competitions or download something etc, and if I start to get a lot of spam etc, the email account can be deleted and a new email account can be made.

As for security questions, your mother’s maiden name (surname), favourite pet’s name etc, should be something easily remembered decades later.

1 Like

You do not have to give truthful answers to the secret questions. It is better not to do so.

Use fictional answers to the questions. For example the answer to ‘Where were you born?’ would be something like ‘Paradise’ or ‘Valhalla’. The more fanciful the better. A hacker might learn where you were actually born, but will not be able to guess your made-up answer.

Just start and keep a list of the secret questions together with your made-up answers. You don’t really have to keep this list secure - pin it up on your notice board next to your computer for easy reference. Hackers don’t hack using your personal computer - they hack organisations’ computers or they buy data from employees of organisations.

6 Likes

Agree Gordon. We have had a family domain which we renew for 10-year periods; split between family members it makes for a very cheap option.

1 Like

For sure. An important reason not to use true answers to secret questions is that you are creating a dependency between two different organisations or web sites. It is like using the same password across multiple web sites.

If you give the same truthful answer to “Where were you born?” to your bank and to some random web site that you signed up with then you are putting them at the same trust level - which is very unlikely to be a good idea.

If the web site is hacked or they simply aren’t as reputable as they should be or they get taken over by another organisation or … then a secret question for your bank is now available to someone who shouldn’t have it.

Since you can’t change where you were born, better just to invent something different each time i.e. for each different web site and write it down.

3 Likes

Many banks, for some reason, have a standard ‘secret’ question - what was your mother’s maiden name? Easy for anyone to find out on the good genealogical sites all over the place. A friend had her handbag stolen (whilst she was in the shower!) and they had her mother’s maiden name within a day, to raid her accounts.

When I asked my bank to replace that question with ‘what is the cat’s name?’ they just added it to the first one…dopey. (Anyone who even knew I have a cat might triumphantly use his name, but I am referring to a cat I had in childhood, and I am the only person living who can recall her name.)

My password system is based on four words, each from four different languages other than English, with an easy (for me!!) code for which letter is replaced by a number/symbol, and which letter is always in caps. This is followed by a number based on numberplates of friends’ cars, mostly cars they don’t have any more - so I can remember a password simply by referring to a written list, e.g. ‘Choice - g/h’, ‘Bank - f/r’. Works for me, with over thirty passwords at last count, some of which I might only use once a year.

Hi Claire,
I can recommend using an IronKey USB. It is used by the military and most intelligence agencies. It has a password and is hack proof. Any more than ten attempts and all the data is permanently wiped. All you need is a portable edition of Firefox and KeePass. I only leave it in the computer when I’m using it online and remove it when I’m not using the computer. The beauty with this is that you can have a password 50 characters long with special characters that will be a nightmare for hackers to crack. You can also add secret questions (and their answers) for each individual website. I love it. It has made my online life so much easier.
Les

3 Likes

An even bigger (and more recent) horror story:

2 Likes