Your email account is not accepting your password. Your friends are asking how you got stranded in London and whether you got the money they wired. Your mother wants to know why you are sending out emails with nothing in them but a link.
Surprise, your email has been hacked. Perhaps you clicked on a link in an email from a similarly affected friend and downloaded password-stealing malware. Or you were tricked into telling a scammer your password. Or you were using the same password across several sites, and the attacker found that password elsewhere.
Why you, you ask? Maybe your email address was on a spam list or in a database stolen from some other site. Depending on who you are, or who you work for, the attackers may have specifically targeted you. Or perhaps you were just (un)lucky—the attackers cast a wide net and you just got caught.
Okay, so you are hacked. Now what?
The first step is to regain control. If you are locked out of your account, try the password reset process by clicking on the “forgot password?” link. If the attacker hasn’t changed your password reset address or your password hints, then you can just click on the link and get back into your account. That will not work if the attacker has already changed the reset address and security questions.
Most email providers offer some high-level process to help users regain control of their accounts. Of course, depending on the provider, that process may be easy or difficult. Hotmail/Outlook.com users can answer a few questions to verify their identity. Google requires more detailed information in order to verify you are the owner.
Maybe you were lucky and the attacker didn’t lock you out of your account or delete any of your messages. In that case, your first job is to change your password.
Change Your Password
Once back in your account, it’s time to change that password to something strong. “Password1,” “letmein,” or even your last name backwards are not good passwords. Pick a long, weird password, with a mix of characters, upper and lower case letters, and numbers. An obscure phrase would work.
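The rules above can be turned into a simple checker. This is an added example, not code from the original post: it rejects the weak choices the article names (common passwords such as “Password1” and “letmein”, and a personal word such as your last name, forward or reversed), requires length and a mix of character classes for ordinary passwords, and lets a long multi-word phrase through. The thresholds (12 characters, 3 character classes, 4 words and 16 characters for a phrase) and the tiny blocklist are assumptions chosen for illustration.

```python
import re

# Constructed blocklist for illustration. A real deployment would check against a
# much larger list of breached passwords; the entries below are only an assumption.
COMMON_PASSWORDS = {"password1", "letmein", "password", "123456", "qwerty"}

# Assumed policy thresholds (not from the article).
MIN_LENGTH = 12
MIN_CLASSES = 3
PHRASE_MIN_WORDS = 4
PHRASE_MIN_LENGTH = 16


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, other (symbols/spaces) appear."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"):
        if re.search(pattern, pw):
            classes += 1
    return classes


def check_password(pw: str, personal_words=()) -> list:
    """Return the list of reasons a password is weak; an empty list means it passes.

    personal_words: names or other facts about the user (e.g. last name) that
    must not appear in the password, forward or reversed.
    """
    problems = []
    lowered = pw.lower()

    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")

    # The article warns against "your last name backwards": check both orientations.
    for word in personal_words:
        w = word.lower()
        if len(w) >= 3 and (w in lowered or w[::-1] in lowered):
            problems.append(f"contains personal word {word!r} (forward or reversed)")

    # "An obscure phrase would work": a long multi-word phrase is accepted without
    # requiring mixed character classes, as long as it is not otherwise flagged.
    if len(pw.split()) >= PHRASE_MIN_WORDS and len(pw) >= PHRASE_MIN_LENGTH:
        return problems

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "Smith" is an assumed last name.
    for candidate in ("Password1", "letmein", "htimS2020!",
                      "correct horse battery staple"):
        result = check_password(candidate, personal_words=("Smith",))
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run it directly to see each sample judged; the two short passwords from the article fail on several counts, the reversed surname is caught even though it is padded with digits and a symbol, and the four-word phrase passes.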
Check Your Password Resets
Did the hacker change the email address listed as the recovery address? Change it back to your own, and make sure the attacker didn’t add any additional ones.
Make sure the security questions are still questions you know the answers to. This may be a good time to change them so that someone looking at your Facebook page won’t be able to simply guess the answers.
If your email provider allows you to automatically forward a copy of your messages to another address, check to make sure the attacker didn’t set that up with some other email address.
Change Your Habits
Think about what you were doing before you got hacked. Clicked on a link? Didn’t have antivirus running to detect that malware? Reused passwords across several sites? Told someone your passwords? Let’s make sure not to make that mistake again. Be careful about what sites you visit, don’t click on random links if you don’t know what they are about, and be paranoid about your password.
Don’t ever share your password with anybody!