Sunday, 17 June 2012

I got hacked - don't let it happen to you!

If you are a Grape Vine reader, or have been in the past,  you may have had a couple of dodgy looking emails from me last night. And indeed they were dodgy - if you clicked on the links in them, you will have been taken to a site advertising diet pills and may have had a virus warning when you visited the site.

The emails were not sent by me personally - my Yahoo email account, the one I keep exclusively for Grape Vine use - had been hacked, and they were sent from the hackers, not from me.

Why do people do this? Just so that they can use your account to send their advertising emails to everyone in the hacked person's  address book. They think the people who receive them will believe it is a genuine recommendation from somebody they know, making them more likely to buy the product. But also if you use your email account for Internet banking or correspondence of a highly personal nature, there may be hackers out there trying to get into it for more sinister reasons.

How do they do it? In the case of hacking an email account, simply by finding the user's password. If you have a Linked In account, you may have been affected by the recent mass-hacking, in which even quite complex passwords were found by the hackers. They have all kinds of sophisticated software to help them, but there ARE things you can do to help to prevent it.

So here, in the spirit of shutting the stable door after the horse has bolted, are some tips to help you to make sure your account isn't hacked.

  • Don't click on any links or attachments unless you are 100% certain of where it is going to take you, even if you trust the person it came from. If you were one of the people who did click on the links in the emails my account sent out, keep an eye on your own account and if you find people have received any emails you are not aware of having sent, change your password immediately.
  • Give all your emails a subject line, and encourage your friends to do the same. The hackers very often send emails with no subject, so you will know that anything you receive with no subject should be treated with caution.
  • If you send somebody else a link or an attachment, say a few words about what it is and why you are sending it. Hacked emails often include just the link, or use language that is not typical of the person who it appears to come from.
  • Choose a strong password. The more unusual it is, the harder it is for hackers to guess. Yesterday I was actually planning to write a post about choosing a strong password - today! And yet I am ashamed to say my own password was the name of a family pet. I'll say more about choosing passwords further down the page.
  • Try to avoid typing in your password, by using something that will fill it in for you, like autocomplete or Roboform. It is possible for hackers to use a cookie from a website to place a "keystroke logger" on your computer, which will report back to them the keys you press when typing in your password. The less often you have to type it, the less chance you have of them getting hold of it.
  • Don't let your email address appear on any websites.  There are programmes out there designed to search websites, forums  and blogs, just looking for email addresses, because if they don't know your email address they don't have any starting point for hacking your account. Unfortunately as my Grape Vine address is the way potential new readers contact me, I can't avoid putting mine out there, but most of you can avoid it. Only put your email address  into the correct field of a form, where it is asked for, and never anywhere else.  For instance, if you are commenting on a blog, make sure your email address isn't in the comment box, and never give your full email address on a Facebook wall. If you really can't avoid giving it, write the word AT or [at] instead of the @ symbol. A human being will still be able to understand that it is your email address and be able to contact you. A computer won't.
  • Keep your address book as small as possible so that if you ARE hacked, as few people as possible will get the emails. As soon as I've finished writing this, I'm going to remove as many people as possible, and the old Google update mailing list, from my address book. (I'm afraid the old trick of starting your address book with a fake email address doesn't work - hackers don't work their way through one by one!)
Now on to picking a strong password.  Don't use an easily recognised word, like the name of a family pet (my big mistake). Most sites will ask you for a word between 8 and 10 characters long, and a combination of letters and numbers is safer than one of all letters. For the numbers, avoid things like your date of birth or door number - a hacker with a little information about you would find that helpful.

But you want a password that you won't forget, don't you? If you were to pick a random collection of letters and numbers, it would be VERY safe - so safe that you could well have a "senior moment" and end up locked out of your own account. So here is a suggestion.  Pick a phrase of 6-8 words and base your password  on the first or last letters of those words. Add a number of one, two or three digits that means something to you but can't be easily linked to you by anyone searching for you online.

For instance, on the front cover of Grape Vine there is always the phrase "For those who take their hobby seriously". So I might (but now I've shared it with you, I won't) use the letters ftwtths  and then add a number I could easily remember but isn't ever linked to me online - my Grandmother's door number was 15 so I could have a password that was ftwthhs15  which I would remember but would be just about unguessable, especially to a piece of computer software.  I could change this by putting the digits elsewhere among the letters, or using the last letters of the words, so I have the source of a huge number of new passwords just from that one phrase.

Your phrase could be a line from a favourite song or poem, a quotation from a book or, if you like to write tiebreakers, how about using one of your favourite winning tiebreakers? As long as you will remember it, anything goes!

And if your account DOES get hacked? Change your password straight away, so the hackers can no longer get into your account, then warn anyone who may have received an email from you not to open it. Unfortunately you can't check who messages went to, as they tend not to show up in your sent mail file, so you need to assume they went to everyone you know. Don't let it get you too stressed or upset - one of the things hackers want is to cause you as much trouble as possible. So keep calm and don't let them win!

A final thought - just imagine if the combined genius of the people who work away at creating illegal software, hacking accounts and trying to sell illegal products through them was actually put together to do something good and positive instead - wouldn't the world be a much better place?


  1. I find a good way to find a password is to use the generator that comes with RoboForm. This makes a random set of letters and numbers, with some in capitals too. Though as they are random, they are hard to remember!

    1. I should think the Roboform ones are pretty much uncrackable, but as you say, very hard to remember. If you know you will always have access to Roboform it's a great way to do it.

  2. great advice, and i've been meaning to have a clear out of my email address book for yonks. the phrase is a good idea, i think i'll change my paypal and emails to that. now ive just got to think of a phrase. hmm.


Note: only a member of this blog may post a comment.