What to Do If Hackers Steal Your Online Accounts
Has your Web-mail or social-network account been hijacked? Join the (miserable) club.
Stolen accounts—caused by aggressive phishing attacks and distribution of malicious programs to collect passwords—have become a plague upon the Web. Spammers want them so their messages can get past spam filters. And crooks, who often lock out the true owners by changing their passwords, use them to find and get inside financial accounts or to impersonate the owners and weasel money out of their friends.
“This is big business. There’s billions of dollars at stake,” says Dan Lewis, senior project manager for Windows Live Hotmail at Microsoft. “There are some really smart criminal organizations doing this.”
It’s not hard to recover an account that a reprobate is co-habiting with you: Simply change your password to lock them out (and scan your PC for malware that might steal your new password). But it’s trickier if someone has taken over your account entirely or the site has temporarily shut you out because they believe your account is compromised. Many people describe long and painful processes to get their accounts back. There’s no phone number to call or human to speak to. You click and hope for the best.
The most common roadblock to a quick recovery is proving you are the real account owner, the sites say. Service providers consider the worst outcome to be handing an account to the wrong person. So if you can’t prove it’s yours – maddening as that may be – you will have no choice but to start all over with a new account. Here’s what to do if one of your online accounts is compromised.
Last week, Microsoft quietly undertook an effort to clean out hijackers from Hotmail en masse. It displayed a warning message to people whose accounts it suspected were compromised and required them to reset their passwords, using a method that would be difficult for a scammer’s automated systems to operate. Mr. Lewis said less than 1 percent of accounts were part of the surprise purge—which is nevertheless a big number of accounts, considering Hotmail maintains an estimated 360 million of them.
Account owners had to prove their identities by obtaining a code via an alternate e-mail address, by answering a secret question or supplying other personal information. If an account owner was not able to regain access using an automated process, they could get help from Hotmail’s online support staff to validate themselves and reset their passwords. Users who can prove they’re the legitimate owner will get access within 24 hours, according to Hotmail.
In a second phase, Hotmail on Monday rolled out features to make account recovery easier in the future. It’s asking users to supply cellphone numbers where Hotmail can text them with an extra security code and to identify the devices they use to access Hotmail—their “trusted PCs”—to help the service know it’s them logging into the account.
If you’re locked out of your Gmail account, click on “Can’t access your account?” at the bottom of the main Gmail sign-in page and, on the help page, click the circle beside “My account has been compromised.” Google will ask for secondary e-mail addresses and mobile phone numbers you have supplied previously to validate you are you. If you haven’t provided this information, you’ll be asked to fill out a form with a set of questions designed to verify you are the real Google account owner.
Gmail may show a warning if it suspects your account is being used by someone else and will help you reset your password. And it is increasingly prompting users to provide or update alternate contact information that can speed recovery should you get hacked.
Yahoo Mail users whose accounts have been taken over should visit Yahoo’s help page and click “Security” in the box listing popular Yahoo services. From there, click the “Contact Us” tab at the top and send Yahoo a message using the form at the bottom of the page. An online customer-care agent will help you from there.
If your Facebook account has been hijacked or suspended, visit this help page and submit a report. If the e-mail address tied to your account is in your hands, it will be fairly easy to change your Facebook password and regain your account, Facebook says.
But if your e-mail account has been hacked or your nemesis has changed the e-mail address tied to your Facebook account, you will have to verify your identity by answering certain questions before you can set up a new password and get your account back. (Then avail yourself of new Facebook security features that can help prevent account takeover.)
Twitter users who notice tweets and direct messages from their account that they didn’t send, or who find they are following new people they didn’t select, should go here and follow the directions to change their password and disconnect from Twitter apps they don’t recognize or trust, which could be the culprits.
If you can’t log in at all, you will need to ask Twitter to send a new password to the e-mail address associated with your account.
Andrew Stephens, of Cirencester in Britain, who is @drhappymac on Twitter, had his account hijacked last week and used to send spammy tweets. Twitter quickly suspended his account, and four days later he got it back. “All in all, I was surprised at just how effective Twitter’s response was. They had my account locked down within minutes and back in my control pretty much as soon as you might reasonably expect,” he says.
If your e-mail address was hacked too, you will need to recover that first and then request a new Twitter password. If you can’t get your e-mail account back or continue to have problems, send Twitter an SOS using this form.
Losing access to accounts like these can be awful. Earlier this month, Jonathan Roniger, a musician in Nashville, was frozen out of Facebook and two e-mail accounts by hackers, who contacted his friends and asked for $1,800, claiming to be destitute in London after getting mugged while on a last-minute vacation. At least one well-meaning friend wired money not once, but twice.
Mr. Roniger wrested control of his Gmail account two days after it was hijacked, only to get locked out again by the hackers. After getting back in, he shut down the account altogether and opened a new one. He still hasn’t regained his Facebook account, which is suspended while he pulls together documents and photos to prove his identity. Mr. Roniger says a well-connected friend got Facebook to lock down the account and “stop the madness,” when he couldn’t figure out how to get it shut down himself. (He could have gone here.)