Your email actually DID get hacked? You need to change more than just your password


Last week we talked about the fact that even though it might appear that your email got hacked, it probably didn’t. In most cases it’s just a spammer using your email as the “From” address. But what about when your email actually DOES get hacked into – meaning some malicious person has gotten into your account and has control of it? What should you do?

The easiest solution to this problem is also probably the most obvious – take precautions so that it doesn’t happen in the first place. This means having a strong, unique password for your email account. These are some of the most commonly used passwords today, and they are really weak:

[Image: list of commonly used weak passwords]

A good password is just a series of random numbers, upper and lower case letters, and maybe a character like a dollar sign or pound sign thrown in somewhere. I usually try to make mine 10 or 12 characters in length. The longer the better!

Good passwords:

  • zP#CuY&^Bnt8
  • e7PpW6!m$2vq
  • Rs3*JA5N&PB6

And of course you won’t be able to remember that password, so you will need to have a good password manager program to generate good passwords and keep track of all of them for you. I use LastPass and it works great.
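As an added example (not code from the original post or from LastPass), here is how a small script can generate a password that follows the advice above and check an existing one against it. It uses Python's `secrets` module, which draws from the operating system's cryptographic random source rather than the predictable `random` module. The symbol set and the short list of weak passwords are constructed for this example; the three sample passwords from the post are used to show that they pass the check.

```python
import math
import secrets
import string

# Character classes the post recommends mixing: upper and lower case letters,
# digits, and a few symbols. The symbol set is an assumption for this example.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS

# Constructed stand-in for the post's list of commonly used weak passwords.
COMMON_WEAK = {"123456", "password", "qwerty", "abc123", "letmein", "111111"}


def password_problems(pw):
    """Return a list of the ways `pw` falls short; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_WEAK:
        problems.append("on the common-password list")
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not any(c in UPPER for c in pw):
        problems.append("no upper-case letter")
    if not any(c in LOWER for c in pw):
        problems.append("no lower-case letter")
    if not any(c in DIGITS for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    return problems


def generate_password(length=12):
    """Build a random password from the OS secure random source (secrets, not random).

    Draws until the candidate contains every character class, so the result
    always satisfies password_problems(); for 12 characters this takes very few tries.
    """
    if length < 10:
        raise ValueError("use at least 10 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(pw):
            return pw


def entropy_bits(length):
    """Strength of a uniformly random password of `length` characters from ALPHABET.

    Each character contributes log2(alphabet size) bits; 12 characters from
    a 70-character alphabet is roughly 73.6 bits, which is why longer is better.
    """
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for sample in ("zP#CuY&^Bnt8", "e7PpW6!m$2vq", "Rs3*JA5N&PB6", "password"):
        print(f"{sample!r}: {password_problems(sample) or 'ok'}")
    new_pw = generate_password(12)
    print(f"generated: {new_pw} ({entropy_bits(12):.1f} bits)")
```

The `entropy_bits` figure assumes the password was produced by the generator; a password a person typed from memory is usually far weaker than its length suggests, which is the reason the post leans on a password manager to generate them.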

But for today, we’re assuming it’s past the “prevention” point – your email has been compromised. Some scammer or spammer, somewhere in the world, has been able to log in to your personal or business email account. And you need to take action – quickly.

I sometimes see people with this problem, wondering what they should do next. It’s very common to see this question asked on Facebook: “My email has been hacked into. What do I do?” And the one answer offered by all of their friends (none of whom are computer security experts of course) is: “Change your password!”

Yes, you do need to change your password. But that is only part of the solution. Just changing your password does not solve the problem. Many people change their password, but the new one is just as easily guessed as the old one, and often it is one they already use on dozens of other accounts. Then they’re surprised to find out that their email gets hacked into again after a short time.

In order to keep your email account safe, you also need to change your security questions.

You know what I’m talking about – the questions that your email provider asks to confirm your identity, that only YOU should know the answer to. Or at least the answers would be ones that some spammer in Russia wouldn’t know about you.

When you log into your email account online, you should see a link to your profile. That’s usually where you go to change your verification questions. In Gmail it looks like this:

[Image: Gmail account settings page where the security questions are changed]

The reason you MUST change your security questions is to prevent the same hacker from getting in again. One of the ways to hack into an email account is to click the “Forgot password” link, and answer the security questions. If the questions you chose originally have already been easily answered by a hacker, then they can be easily answered again by the same hacker or even a different one. In a lot of cases, the answers to those security questions can be found just by going through your Facebook page! Hackers just have it too easy these days – we need to make things at least a little difficult for them.

Bonus security: answer the security questions incorrectly

This is a trick some people use as an extra layer of security. You can answer the security questions with answers that are wrong, or even answers that don’t make sense.

Here are some examples of this:

Question: What is your mother’s maiden name?
Answer: September

Question: In what city were you born?
Answer: Peanut butter

Question: What is your favorite sports team?
Answer: Saving Private Ryan

Do you see the power in this? A hacker could guess every sports team name in the world but he would never get it right. Same for the other answers.

Obviously, just like a strong password, you won’t instinctively remember these nonsense answers. So you will need to keep a record of them. This is another great feature of LastPass – there is a whole section for each account where you can store information like this and always have access to it.

In addition to the security questions, you should also have on file:

  • A current phone number (preferably a cell phone that can receive text messages)
  • An alternate email address that you can access

With these, your email provider can send you a text message to confirm your identity, or they can email you a link to change your password if it gets compromised. HOWEVER – just like it’s too late to buy fire insurance when the house is burning down, you need to set up these things in your email account while you still have access to it. Once some lowlife gets in and controls your email account, it could be too late. Because a smart hacker, once in control, will go in and change the security questions to things that YOU won’t know how to answer.

And one final word: if you are desperate and cannot get anything done to restore your account, don’t make the mistake of searching Google for a “tech support” phone number for your free web-based email account. Most of the results that come up in a Google search like that are going to be FAKE tech support – they will want to charge you lots of money to “fix” all of the problems your computer supposedly has, and they still won’t be able to get you into your email account.
