A passionate programmer’s findings in the world of the internet.

Email Security Issues

August 6th, 2009



It all started with a notification at the top of my Gmail account asking me to reconfirm my secondary email account, which is my Yahoo Mail. The notification reminded me of the news that a Twitter employee had his Gmail account hacked:

About a month ago, a hacker was able to access a Twitter employee's personal email account, according to a blog post by Twitter cofounder Biz Stone. Once there, the hacker struck the mother lode: access to the employee's Google Apps account, which contained Docs, Calendars and other Google Apps that Twitter uses for sharing notes, spreadsheets, ideas, financial details and so on.

If you didn't follow the story, the hack happened through Gmail's password recovery procedure, which sends password-reset information to the user's secondary email address. In this case that secondary address was an expired Hotmail account:

At Hotmail, Hacker Croll again attempted the password recovery procedure - making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

In fact, not only Gmail but almost every email service has a similar recovery process, and the same weakness: the account is only as secure as the recovery address it points to. Most of the time, things like this have to be learned the hard way. Free email accounts expire if you don't log in for some time (roughly 3 months), and once the provider frees a dormant address anybody can register it and receive the password-reset mail sent there.
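The chain of trust described above, as an added example that is not part of the original post: a small Python model of an account inventory in which each account names the secondary address its provider sends password-reset mail to. The script first marks every dormant address that a provider would recycle (an attacker can simply register it), then walks the recovery links to a fixed point, the way Hacker Croll walked Hotmail to Gmail to Google Apps. All addresses, dormancy periods and dates are constructed for the example; the `.example` domains do not belong to any real provider.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    address: str
    recovery: Optional[str]        # secondary address that receives password-reset mail
    last_login: date
    recycled_after_days: Optional[int] = 90  # assumed dormancy period before the provider
                                             # frees the address; None = never recycled

    def recyclable(self, today: date) -> bool:
        """True if the provider would have freed this address for re-registration."""
        if self.recycled_after_days is None:
            return False
        return (today - self.last_login).days > self.recycled_after_days


def takeover_paths(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {address: steps an attacker takes to control it}.

    Addresses absent from the result are not reachable from any recyclable
    address through the recovery links given; recovery addresses that are not
    in the inventory at all are treated as unknown, not as safe.
    """
    paths: Dict[str, List[str]] = {}

    # Step 1: dormant, recyclable addresses fall to plain re-registration.
    for a in accounts:
        if a.recyclable(today):
            paths[a.address] = [f"register expired address {a.address}"]

    # Step 2: follow "reset mail goes to X" links until nothing new is reachable.
    # The controlled set only grows, so the loop terminates even with cycles
    # (e.g. Gmail recovering to Yahoo and Yahoo recovering back to Gmail).
    changed = True
    while changed:
        changed = False
        for a in accounts:
            if a.address in paths or a.recovery is None:
                continue
            if a.recovery in paths:
                paths[a.address] = paths[a.recovery] + [
                    f"request password reset for {a.address}, read it at {a.recovery}"
                ]
                changed = True
    return paths


# Constructed inventory mirroring the story: a long-dead Hotmail address
# backs a Gmail account, which in turn backs a Google Apps account; a second
# person's Yahoo recovery address has also gone dormant.
TODAY = date(2009, 8, 6)
SAMPLE = [
    Account("employee@hotmail.example", None, TODAY - timedelta(days=400)),
    Account("employee@gmail.example", "employee@hotmail.example", TODAY - timedelta(days=1)),
    Account("employee@apps.example", "employee@gmail.example", TODAY, recycled_after_days=None),
    Account("me@yahoo.example", "me@gmail.example", TODAY - timedelta(days=120)),
    Account("me@gmail.example", "me@yahoo.example", TODAY),
    # Recovery address not in the inventory: cannot be judged, so not listed.
    Account("friend@gmail.example", "friend@isp.example", TODAY - timedelta(days=10)),
]


def report(accounts: List[Account], today: date) -> List[str]:
    """One line per account an attacker can reach, with the full chain."""
    lines = []
    for victim, steps in takeover_paths(accounts, today).items():
        lines.append(f"{victim}: " + " -> ".join(steps))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE, TODAY):
        print(line)
```

Run against your own accounts, the useful output is the first step of each chain: that is the dormant address you need to log in to (or replace as a recovery address) before someone else registers it.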

Let me continue with my story. So, I believe Google gave that notification to all users to make sure everyone had a valid secondary email account (after somebody got attacked, of course). I thought it might be a good idea to check my Yahoo Mail to see whether the account had expired.

When I logged on to Yahoo Mail, Yahoo said they had found some suspicious activity on my account and forced me to change my password! I changed it.

Then I was brought to my inbox, where I was greeted by the name "Heather", and my profile picture showed a girl, a hot babe! All the information in my profile had been changed!

The first question was how this "girl" broke into my Yahoo account. Why didn't she change the password? Did she have some bigger motive after hijacking my Yahoo Mail?

Immediately, I changed the secondary email address on my Gmail account. Suddenly the internet felt so insecure. Anything could happen overnight.

My advice (conclusion) to everyone:

  • A backup is probably a good idea. Lifehacker has a good guide on Gmail backup.
  • A strong password is important: alphanumeric plus symbols. The best password is easy to remember but hard to guess. Using the first character of each word in a sentence to build a password seems to be a good approach.
  • Avoid using the same password across different websites!

Can you afford to lose your main email account? How do you prevent that from happening?

5 Responses

huibee says:


Gmail didn't ask for my secondary account.. I even wonder whether I have one = =
I rarely log in to my hotmail..
my yahoo mail, 800+ unread mails, half are spam..

Hmm ya.. password
and maybe those security questions, sometimes they are quite easy to guess lor

Felix Leong says:

That's the reason why you need to keep 2 mail accounts active and make sure that the email used for password recovery is (ideally) the one that came with your ISP.

EngLee says:

@huibee it’s better that you go to your settings and check what your secondary email account is.

@Felix How secure is the one that came with the ISP? The other problem is, do you switch ISPs? Do you close your account and reopen with a different name? I’m more comfortable with Yahoo than Streamyx.

Fang-Yin says:

Walao eh, never knew that it’s that insecure.

If you have my email address stored in your Yahoo mail, I wonder if I may one day receive a mail from you with a title like “Check out my bikini photos!”, or “I’ve lost weight with Acai Berry!”…… it’ll be a better laughing stock than the FelixLeong Fan Club.

EngLee says:

@Fang-Yin Don’t worry about me sending those emails; you’d better take care of yourself by checking your secondary email account!