Friends complained this morning that I’d spammed them from my Hotmail account, pimping Acai berries. When I logged in, there was indeed a spam email in my Sent items folder. So someone had got in - I presume.
Trying to work out what method was used to crack it, but have no idea.
Things that may be pertinent:
1. I rarely use the account - only use the address for mailing list signups
2. I have only ever filled the password in on the Hotmail login page (or something that looked identical to it) - I don’t use Messenger and haven’t triggered contact searches from social networking sites that require the Hotmail password
3. I have only ever logged into it from home, using a WPA encrypted wireless signal
4. The password is not a word - it’s something like b0ll0cksy0
5. This is the same password I have had since 1996
6. In the last two days I have used Avast and Spyware Doctor to run full scans on my laptop, which came up clean
I’m guessing it was a phishing scam, but I really honestly have not logged in to the account in any way at all, except as detailed in point 2. It could have been a trojan maybe, except for point 6. I realise that having the same password for nearly 15 years is dumb, but is there really the possibility that someone was hammering away at the account to do a brute force attack?
Or is there some other possibility I’m missing here?
Do you use the same password for any other accounts such as for messageboards, etc?
I have heard it suggested (perhaps here) that hackers have broken into the databases behind some forums and stolen the account data. Since many people use the same password for a variety of accounts, they can use this data to break into some people’s hotmail accounts.
Same thing happened to me a while back with a very old and rarely used Hotmail account (a friend told me he was getting spam from it). I’m a full-time Mac user (home and work), I’ve never had anything of the sort happen, and thinking back to the last time I used it, I’m 99% sure that the last time I had logged in was on my dad’s previous PC…he’s not the most savvy of computer users, so I’m pretty sure it was a spyware deal. Is it possible you logged in at some point from a PC that didn’t belong to you?
I killed the hotmail account. The worst part was when my friend forwarded the email, and I got to see all the people that I used to communicate with years back on that account that got the email. College professors, etc. I can only hope their university spam filters blocked it.
Both Hotmail and Yahoo have had leaks of their passwords in recent months and ONGOING. They don’t want you to know of course. Google for it and you can confirm what I am saying.
It’s not as malicious as some things. What they do is send mail from your account to everybody in your address book and make it look like it came from you. The anticipation is that people will read and respond to the link to a sales site. I can’t see why a person would ever trust to buy from such a site because it is so clear that the mail is fraudulent to begin with.
You should be able to end it by changing your password. They don’t just use the email addresses that they have access to. They send new mail from the account in real time instead of spoofing headers to make it look like you.
I talked about this in a recent thread I started. This is very likely the case in jimm’s intrusion. Even if you haven’t used that email/password combination on anything in the past 13 years, it could still be out there somewhere.
I had made that comment before. I’m sure others have as well.
When dealing with passwords on the internet, you should not use the same passwords in systems where they have the info of another system. For example, when you sign up here, you are asked to create a password and supply your email address. If the password you use here is the same as your email account, a hacker can steal the SDMB database info and log in to your email account.
Your email account should have a unique password that is not used anywhere else.
Also, systems which use your email address as a login ID should have a unique password. For example, the Facebook and Netflix logins both take an email as a login. So a hacker who steals the SDMB user database could potentially use those emails/passwords to log in to your Facebook and Netflix accounts.
Once they get into email, can’t they “I forgot my user name” and “I forgot my password” on Paypal (or whatever) and get it emailed to them automatically?
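The chain discussed in the posts above (a stolen forum database, a password reused on the email account, then "I forgot my password" mail sent to that inbox) can be checked against your own accounts. This is an added example, not part of the original thread; the account inventory is constructed sample data, and the field names and the `blast_radius` function are assumptions made for illustration.

```python
from collections import deque

# Constructed inventory of one person's accounts (sample data, not from the thread).
# login = ID typed at sign-in, email = address the site holds for reset links,
# mailbox = True when the account is itself an email inbox.
ACCOUNTS = {
    "hotmail":  {"login": "me@hotmail.example", "email": None, "password": "pw-old", "mailbox": True},
    "forum":    {"login": "boarduser", "email": "me@hotmail.example", "password": "pw-old", "mailbox": False},
    "netflix":  {"login": "me@hotmail.example", "email": "me@hotmail.example", "password": "pw-old", "mailbox": False},
    "facebook": {"login": "me@hotmail.example", "email": "me@hotmail.example", "password": "pw-fb", "mailbox": False},
    "paypal":   {"login": "me@hotmail.example", "email": "me@hotmail.example", "password": "pw-pp", "mailbox": False},
    "gmail":    {"login": "me@gmail.example", "email": None, "password": "pw-gm", "mailbox": True},
    "bank":     {"login": "cust-1001", "email": "me@gmail.example", "password": "pw-bk", "mailbox": False},
}

def blast_radius(breached, accounts):
    """Return {account: reason} for every account exposed if `breached` leaks its user table."""
    leaked = accounts[breached]
    known_ids = {leaked["login"], leaked["email"]}
    exposed = {breached: "database breach"}
    # Step 1: the leaked ID/password pair also opens any account that
    # signs in with the same identifier and the same password.
    for name, acct in accounts.items():
        if name not in exposed and acct["password"] == leaked["password"] and acct["login"] in known_ids:
            exposed[name] = "password reuse"
    # Step 2: an exposed inbox receives reset links, so every account that
    # recovers through it falls too (followed transitively through inboxes).
    queue = deque(n for n in exposed if accounts[n]["mailbox"])
    while queue:
        box = accounts[queue.popleft()]["login"]
        for name, acct in accounts.items():
            if name not in exposed and acct["email"] == box:
                exposed[name] = f"password reset via {box}"
                if acct["mailbox"]:
                    queue.append(name)
    return exposed

if __name__ == "__main__":
    for name, why in blast_radius("forum", ACCOUNTS).items():
        print(f"{name:9} {why}")
```

Giving the inbox its own password limits the same breach to the forum and the one site that shares its password; the accounts protected only by reset mail stay out of reach.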