Wednesday, 2 September 2015

Has Your Email Been HACKED?

Has Your Email Been HACKED

Recent high-profile attacks have again exposed how much hackers love reading your emails, Daniel Booth explains how to find out if you've been a victim

You know a hacking story is big when the BBC leads with it on its news bulletins. That’s what happened on Saturday 8 August when Carphone Warehouse said hackers had accessed the details of 2.4 million customers. Ouch. We know a huge hack when we see it - and so did Huw Edwards.

To its credit, Carphone Warehouse wasn’t slow to admit the hack, and promptly emailed those affected, telling them they should notify their bank and check for any suspicious activity on their account. But other companies have been less responsible when responding to hacks, sometimes hushing it up, or taking months to admit it happened.

This shameful behaviour makes it hard for you to find out if you’ve been a victim. In cases when your email address has been stolen, you would have been using it for months oblivious to the fact that somewhere, probably in Russia or China, a hacker would also have had access to it. That’s a chilling thought.

Find out if you've been hacked


Thankfully, there are ways of checking whether your email has been hacked. The quickest method is to enter your email address into the search box at the website ‘Have I been pwned?’ (HIBP?, https://haveibeenpwned.com). It will then check that email against the published databases of hacks over the past couple of years. If it finds a match, it tells you in which hack your email was nicked.

As you can see in the screenshot above, we were unlucky. An old Hotmail email account of ours was accessed by hackers in the massive attack on Adobe’s customer database in October 2013. Around 153 million accounts were breached, including, it seems, one of ours. Fortunately, we hadn’t used that Hotmail account for about five years, and we used a unique password for it. Hackers would have been able to read some old email newsletters we once subscribed to, but that’s about it.

On the other hand, maybe we were lucky, because none of our other email accounts had been accessed. In total the website checks over 220 million hacked accounts, so it’s quite a relief that only one belonged to us. Still, we wasted no time deleting that Hotmail account by following Microsoft’s instructions at www.snipca.com/17738.

Other hacks over the past few years checked by HIBP? include attacks on Yahoo, Sony, Vodafone, Tesco and Snapchat. Visit the site now if you have an account with any of these companies - and even if you don’t you should bookmark HIBP?, and return to it after every major hack. We predict you’ll be using it several more times before the year is out.

To receive an email notification when you’ve been hacked, click the ‘Notify me when I get pwned’ link.

What about the Ashley Madison hack?


Well, we didn’t want to bring this up, considering its delicate nature. But we can’t ignore it. This hack has become the most notorious of the year - possibly ever.

If you’ve not heard of Ashley Madison (www.ashleymadison.com), then good for you. It’s a ‘dating’ site that encourages people to cheat on their partners (its slogan: ‘Life is short. Have an affair’). It claims to have nearly 40 million “anonymous” members worldwide - except they’re not so anonymous any more after hackers published online the details of millions of members.

The leak appeared to show that 124 UK civil servants, 92 Ministry of Defence staff and 50 police officers are members of the site, as is Michelle Thomson, a newly elected SNP MP. However, she said a hacker had signed into the site using an old email address, and that she had never visited the site.

Thomson’s case highlights the threat of identity theft, and Ashley Madison’s poor security - at one stage the site didn’t even verify email addresses for new user accounts, allowing people to create fake accounts. It’s possible that hackers have created an Ashley Madison account using your stolen email address, although they are more likely to have targeted celebrities, or people in a position of power. Criminals can make big bucks blackmailing those with a reputation to lose.

The hack left Troy Hunt, who runs HIBP?, with a dilemma. If he allowed people to search for emails stolen in the hack, they would see names of others who were Ashley Madison members. Rightly, Hunt has decided to not permit this. Instead, he will email users if they’ve been hacked, explaining his reasons in a blog post (www.snipca.com/17734): “There’s no escaping the human impact of it. The discovery of one’s spouse in the data could have serious consequences”.

Other sites want to tell you if you’ve been hacked, but Ashley Madison isn’t keen. Its legal department forced CheckAshleyMadison (http://checkashleymadison.com) to go offline. It’s worth visiting the site to read the owner’s reaction to this heavy-handed response.

Another way to check whether your email has been hacked is on Pastebin, which is a site for storing text for a certain period. Lists of stolen emails often appear on Pastebin’s Trends page (http://pastebin.com/trends). We weren’t surprised to see a list from the Ashley Madison hack, nor that it had been opened over 93,000 times in just two days. It’s worth clicking the red ‘last 365 days’ link at the top of the page. This will show you the most popular posts from the past 12 months, many of which will be lists of hacked accounts.

Who's behind the hacks?


So, who are the hackers causing such misery and mayhem? Well, we know who’s claiming responsibility for the Ashley Madison attack: a group called the Impact Team. But apart from their rather naff name, little is known about the hackers, except that it appears they formed solely to carry out the attack because there’s no evidence they existed before.

Ashley Madison suspects an inside job. Chief executive Noel Bidderman said: “It was definitely a person here that was not an employee, but certainly had touched our technical services”.

No group has claimed responsibility for the Adobe hack in 2013, though security researchers investigating it say the hackers spoke Russian. They will have been part of a criminal organisation, not ideologically motivated ‘hacktivists’. They wanted to make lots of money, not a statement about world inequality.

In fact, most of the major hacks of the past few years remain unsolved. Nobody knows, for example, who stole the details of 233 million eBay users in 2014. The perpetrators were probably part of a shadowy criminal gang with nothing to gain from being exposed. Unlike the Isis-supporting hackers that graffiti websites and the infamous Anonymous group (read their exploits at www.snipca. com/17740), they’re not seeking publicity.

But the default reaction of security experts after most hacks is to look towards Russia, especially if the attacks seem politically motivated. In 2015 alone Russian gangs, possibly backed by the Kremlin, have been accused of hacking the White House (reading President Obama’s emails), the Pentagon, the German parliament and French TV stations.

It’s even thought that one group of Russian hackers targeted the country’s own Defence Ministry to highlight its shoddy security (www.snipca.com/17741).

Unless you’re planning a surprise bid for the US Presidency, you won’t be targeted by these state-sponsored hackers. You’ve got more to worry about from cyber-gangsters eyeing up your email address and personal info in order to steal your identity. With this information, they will try to commit fraud in your name. Thwart them by checking HIBP? and Pastebin as soon as you read about a substantial hack.


Recover Your Email


All the major webmail services have clear instructions on rescuing your account following a hack, as do ISPs that provide email. Here's where you need to go should the worst happens:

AOL http://mail.security.aol.com
ВТ www.bt.com/help/home/email.html
Gmail www.snipca.com/17727
Outlook (or Hotmail) www.snipca.com/17726
Sky www.snipca.com/17731
TalkTalk www.snipca.com/17736
Virgin Media www.snipca.com/17730
Yahoo www.snipca.com/17728