A passionate programmer’s findings in the world of internet.


Email Security Issues

Thursday, August 6th, 2009


Photo by Mzelle Biscotte

It all started with a notification at the top of my Gmail account, asking me to reconfirm my secondary email account, which is my Yahoo Mail. The notification reminded me of the news about a Twitter employee whose Gmail account got hacked:

About a month ago, a hacker was able to access a Twitter employee's personal email account, according to a blog post by Twitter cofounder Biz Stone. Once there, the hacker struck the mother lode: access to the employee's Google Apps account, which contained Docs, Calendars and other Google Apps that Twitter uses for sharing notes, spreadsheets, ideas, financial details and so on.

If you didn't follow the story, the hack happened through Gmail's password recovery procedure, which sends password recovery information to the user's secondary email, which in this case was an expired Hotmail account:

At Hotmail, Hacker Croll again attempted the password recovery procedure - making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

In fact, not only Gmail but all email services have a similar recovery process. Most of the time, things like this have to be learned the hard way. All free email accounts expire if you don't log in for some time, approximately 3 months.
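The weakness in the story is structural: the security of an account is only as strong as the weakest account in its recovery chain. The following Python script is an added example (not from the original post) that walks such a chain and reports the links an auditor would worry about. The accounts, addresses and dates are constructed placeholders, and the 90-day dormancy window is an assumption based on the "approximately 3 months" mentioned above.

```python
"""Audit the chain of trust behind email password recovery.

Constructed example: a map of accounts and the secondary address each one
sends recovery mail to. An address missing from the map is treated as no
longer registered, which is what happens once a provider recycles a
dormant account.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Dormancy window after which a free provider may expire an account.
# Assumed value; the post only says "approximately 3 months".
DORMANCY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    address: str
    last_login: date
    recovery: Optional[str] = None  # secondary address used for password recovery


def audit_recovery_chain(accounts: Dict[str, Account], start: str, today: date) -> List[str]:
    """Follow recovery links from `start` and report every weak link.

    Returns a list of findings; an empty list means every account in the
    chain exists, has been used recently and the chain does not loop.
    """
    findings: List[str] = []
    visited: List[str] = []
    current: Optional[str] = start
    while current is not None:
        if current in visited:
            # Two accounts recovering each other: losing one loses both.
            findings.append(f"{current}: recovery loop {' -> '.join(visited + [current])}")
            break
        visited.append(current)
        account = accounts.get(current)
        if account is None:
            # The whole chain hangs on an address nobody controls any more.
            findings.append(f"{current}: not registered; whoever registers it receives recovery mail")
            break
        idle = today - account.last_login
        if idle > DORMANCY_LIMIT:
            findings.append(f"{current}: idle {idle.days} days; provider may expire and recycle it")
        current = account.recovery
    return findings


def sample_accounts() -> Dict[str, Account]:
    """Constructed accounts mirroring the post's scenario (all addresses are placeholders)."""
    return {
        "work@example-apps.test": Account("work@example-apps.test", date(2009, 8, 1), "personal@gmail.test"),
        "personal@gmail.test": Account("personal@gmail.test", date(2009, 7, 30), "old@hotmail.test"),
        # "old@hotmail.test" is deliberately absent: expired and recycled.
        "forum@provider.test": Account("forum@provider.test", date(2009, 3, 1), "personal@gmail.test"),
        "a@x.test": Account("a@x.test", date(2009, 8, 5), "b@x.test"),
        "b@x.test": Account("b@x.test", date(2009, 8, 5), "a@x.test"),
    }


def demo(today: date = date(2009, 8, 6)) -> Dict[str, List[str]]:
    """Run the audit from three starting points over the constructed data."""
    accounts = sample_accounts()
    return {
        "work": audit_recovery_chain(accounts, "work@example-apps.test", today),
        "forum": audit_recovery_chain(accounts, "forum@provider.test", today),
        "loop": audit_recovery_chain(accounts, "a@x.test", today),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"[{name}]")
        for line in findings:
            print("  " + line)
```

The "work" chain reproduces the Twitter case: the work account itself looks healthy, but two hops away it depends on an address that no longer exists. The same audit also catches a dormant intermediate account before it is recycled, and a pair of accounts that recover each other, which offers no independent fallback at all.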

Let me continue with my story. So, I believe Google gave that notification to all users to make sure everyone had a valid secondary email account (after somebody got attacked, of course). I thought it might be a good idea to check my Yahoo Mail to see whether the account had expired or not.

When I logged on to Yahoo Mail, Yahoo said they had found some suspicious activity with my account and forced me to change my password! I changed it.

Then I was brought to my inbox, where I was greeted by the name "Heather", and my profile picture showed a girl, a hot babe! All the information in my profile had been changed!

The first question was how this "girl" broke into my Yahoo. Why did she not change the password? Did she have any bigger motive after hijacking my Yahoo Mail?

Immediately, I changed the secondary email of my Gmail. Suddenly, I felt the internet was so insecure. Anything could happen overnight.

My advice (conclusion) to everyone:

  • A backup is probably a good idea. Lifehacker has a good guide on Gmail backup.
  • A strong password is important: alphanumeric plus symbols. The best password is a combination of easy to remember and hard to guess. Using the first characters of the words in a sentence to create a password seems to be a good way.
  • Avoid using the same password across different websites!

Can you afford to lose your main email account? How do you prevent that from happening?