How did my account get hacked?


If one of your online accounts has ever been hacked, “how did my account get hacked?” is usually the first thing you ask.  The quick answer: there are lots of ways it could have happened.

After getting hacked, people’s first reaction is often to suspect that they have spyware installed on their computers that is recording their keystrokes.  This certainly occurs, but spyware on their own computing devices is usually not the culprit.

There are a variety of mistakes users make that cause their accounts to get hacked:

1. Sharing a password across multiple accounts. This is especially a problem when an important account (email, banking, Facebook, WoW) shares its password with an unimportant one.  Every time you reuse a password on another website, you sharply increase the risk to every other account that uses it: when the weakest of those sites is breached or simply stores passwords carelessly, the attacker walks away with a working password for all of them.

2. Accidentally typing your email password when logging in to a random site. For example, say you are on a random forum and when you log in, you provide your login name (your email address) and out of habit type your real email password. Unscrupulous sites may record these failed logins and can gather a lot of email account passwords this way.

3. Using public Wi-Fi without proper precautions.  Public Wi-Fi is a big security risk, even if the network requires a password, and yes, even if it uses WPA: tools such as DroidSheep let another user on the same network hijack your unencrypted sessions.  To stay secure on public Wi-Fi, you need to make sure that the websites you use are using SSL all the time (many websites, Facebook for example, do not use SSL for the whole session by default; see how to turn on full session encryption for Facebook and other accounts).

4. Storing passwords in your web browser. There are simple hacker programs that let anybody with physical access to your unlocked computer dump the passwords your browser has saved. A safer approach is a dedicated password manager that locks its database separately, so an unlocked computer does not mean unlocked passwords.

5. Weak password recovery questions on your email accounts. Have you checked your account recovery questions? Often these questions are so simple that somebody can just Google/Facebook you to find out the answer to the question that will let them take over your account.

6. Using weak passwords. Hackers use automated password crackers to try lots of possible passwords. These attacks concentrate first on lists of common passwords, then on dictionary words (with the usual tweaks such as capitalizing the first letter or adding a digit), and only last on a full brute-force search of all possible passwords, which gets exponentially more expensive with every added character. If your password is under 10 characters or is something other users might also commonly choose, it is vulnerable. Accounts with weak passwords are usually broken because they are low-hanging fruit, not because the user was specifically targeted. 

7. Using passwords containing personal information about you or your family, or referring to your hobbies or interests.  Somebody specifically targeting your accounts is likely to build a wordlist out of exactly these details and try them first.

8. Entrusting your password to a third party. For example, giving it to a website that promises to access your email or IM and provide some other service. The primary danger, of course, is that you are handing your password directly to a hacker. But even legitimate services often store your password without any encryption so they can reuse it later. Note that logging on to other websites through Facebook/Twitter/etc. is fine, because the other site never sees your password, as long as you make sure the login page you are typing into really is a Facebook/Twitter page.

9. Typing your password while using a web proxy. Web proxies are fundamentally insecure because they see all of your unencrypted communications. If you use a free web proxy, you are playing with fire. If you need a tool for anonymity or to bypass blocking/censorship, a paid VPN (virtual private network) is a much better option, though keep in mind that you are still trusting the VPN provider with whatever traffic is not encrypted end to end.

10. Phishing. Know what this is?   A hacker sends you a bogus email that pretends to come from a legitimate company and tries to trick you into entering your password on a website they control, usually one whose address is made to look like the real thing. This is surprisingly effective, so be careful when clicking on links arriving via email or instant messages.

11. You have used public computers or other untrusted computers to log on to your account. Who knows where spyware could be installed?

12. Using Tor or other anonymity tools that route your traffic through multiple computers to provide anonymity.  Tor is an awesome tool for anonymity. But be aware that Tor exit nodes have been known to play tricks (such as SSLStrip) that can downgrade your connection to unencrypted HTTP, at which point the exit node reads your login like any other man in the middle. Be careful when using Tor and make sure your web browser shows you are using SSL the whole time you are logged in to important accounts!

13. Your email client on your laptop or mobile device is not configured to use encryption (TLS for IMAP, POP3 and SMTP) and you have been using it on public or other untrusted networks where others can capture the password it sends in the clear. Email clients using unencrypted connections are not as common as they used to be, but it still happens!
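To make items 6 and 7 concrete, here is an added example (not code from the original article) of the order in which an automated cracker works: a common-password list, then mangled dictionary words, then a targeted wordlist built from personal details, and only then brute force. The password lists, the profile, and the use of a fast SHA-256 hash are all constructed for illustration.

```python
import hashlib
import itertools
import string

# Constructed inputs. Real attacks use leaked-password lists with millions
# of entries; these are deliberately tiny so the example runs in seconds.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]
DICTIONARY = ["apple", "summer", "dragon", "monkey", "soccer", "winter"]
# Made-up profile of the kind an attacker assembles from social media.
PROFILE = {"names": ["Alice", "Rex"], "years": ["1985", "2009"], "hobbies": ["soccer"]}


def sha256_hex(password: str) -> str:
    # Illustrative only: SHA-256 is fast, which is exactly what makes
    # guessing cheap. Services should store slow hashes (bcrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str) -> set:
    """Mangling rules a cracker applies to every base word."""
    variants = {word.lower(), word.capitalize(), word.upper()}
    variants.add(word.lower().translate(str.maketrans("aeios", "43105")))
    out = set()
    for v in variants:
        out.update({v, v + "!", v + "1", v + "123"})
    return out


def targeted_candidates(profile: dict) -> list:
    """Wordlist built from personal details (names, years, hobbies)."""
    cands = set()
    for base in profile["names"] + profile["hobbies"]:
        cands |= mangle(base)
        for year in profile["years"]:
            cands.update({base + year, base.capitalize() + year,
                          base.lower() + year[-2:]})
    return sorted(cands)


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Exhaustive search, shortest candidates first."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def crack(target_hash: str, profile: dict = None,
          alphabet: str = string.ascii_lowercase, max_len: int = 3):
    """Run the stages in the order a cracker does: common list, dictionary,
    targeted guesses, then brute force. Returns (password, stage, attempts)."""
    stages = [("common", COMMON_PASSWORDS),
              ("dictionary", [v for w in DICTIONARY for v in sorted(mangle(w))])]
    if profile:
        stages.append(("targeted", targeted_candidates(profile)))
    attempts = 0
    for name, candidates in stages:
        for candidate in candidates:
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, name, attempts
    found, n = brute_force(target_hash, alphabet, max_len)
    return found, ("brute-force" if found else "not found"), attempts + n


if __name__ == "__main__":
    for pw, prof in [("123456", None), ("Dragon1", None), ("Rex2009", PROFILE),
                     ("zzz", None), ("Tr0ub4dor&3xyz", PROFILE)]:
        print(pw, "->", crack(sha256_hex(pw), prof))
```

"123456" falls on the first guess, "Dragon1" on a dictionary rule, and "Rex2009" only when the attacker knows the victim's dog and the year it arrived. Brute force here is capped at three lowercase characters (about 18,000 guesses); every added character multiplies that by the alphabet size, which is why length and unpredictability, not cleverness, are what keep a password out of reach.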
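Items 3, 9, 12 and 13 all come down to the same thing: anyone sitting on the path (a fellow Wi-Fi user, a web proxy, a misbehaving Tor exit node after an SSLStrip downgrade) can read a login that is not encrypted. The following added example (not part of the original article) shows how little work that is: it pulls usernames and passwords out of constructed, unencrypted POP3, IMAP and HTTP payloads of the kind a packet sniffer would hand over. All captured streams and hostnames are made up.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed client->server payloads, as seen by someone sniffing an open
# network or running the proxy, when the connection is NOT encrypted.
CAPTURED_STREAMS = [
    # POP3 without TLS (item 13): username and password are literal commands.
    b"USER alice@example.com\r\nPASS hunter2\r\nSTAT\r\n",
    # IMAP without TLS (item 13).
    b'a001 LOGIN bob@example.com "correct horse"\r\na002 SELECT INBOX\r\n',
    # Web form posted over plain http:// (items 3, 9, 12).
    b"POST /login HTTP/1.1\r\nHost: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 38\r\n\r\n"
    b"username=carol&password=S3cret%21&go=1",
    # HTTP Basic auth over plain http:// (items 3, 9): base64 is not encryption.
    b"GET /mail/ HTTP/1.1\r\nHost: webmail.example\r\n"
    b"Authorization: Basic ZGF2ZTpwYXNzd29yZDEyMw==\r\n\r\n",
    # Harmless traffic, nothing to find.
    b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n",
]

POP3_USER = re.compile(r"^USER (\S+)\s*$", re.M)
POP3_PASS = re.compile(r"^PASS (.+?)\s*$", re.M)
IMAP_LOGIN = re.compile(r'^\S+ LOGIN (\S+) (?:"([^"]*)"|(\S+))\s*$', re.M | re.I)
HTTP_REQUEST = re.compile(r"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")


def _http_credentials(text: str) -> list:
    """Credentials from a Basic Authorization header or a form POST body."""
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            found.append({"proto": "http-basic", "user": user, "password": pw})
        except (ValueError, UnicodeDecodeError):
            pass
    if lines[0].startswith("POST") and "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body)
        user = next((form[k][0] for k in ("username", "user", "email", "login") if k in form), None)
        pw = next((form[k][0] for k in ("password", "pass", "passwd") if k in form), None)
        if pw is not None:
            found.append({"proto": "http-form", "user": user, "password": pw})
    return found


def extract_credentials(payload: bytes) -> list:
    """Return every credential visible in one cleartext TCP stream."""
    text = payload.decode("utf-8", errors="replace")
    found = []
    if HTTP_REQUEST.match(text):
        found.extend(_http_credentials(text))
    users, passwords = POP3_USER.findall(text), POP3_PASS.findall(text)
    if users and passwords:
        found.append({"proto": "pop3", "user": users[0], "password": passwords[0]})
    for m in IMAP_LOGIN.finditer(text):
        found.append({"proto": "imap", "user": m.group(1), "password": m.group(2) or m.group(3)})
    return found


def sweep(streams) -> list:
    """Run the extractor over a whole capture."""
    return [cred for stream in streams for cred in extract_credentials(stream)]


if __name__ == "__main__":
    for cred in sweep(CAPTURED_STREAMS):
        print(cred)
```

Four of the five constructed streams give up a password, and none of the parsing is clever; it is the protocol itself that spells the secret out. Had each of those connections been wrapped in TLS (IMAPS/POP3S or STARTTLS for mail, HTTPS for the web) the sniffer would see only ciphertext, which is the whole point of insisting on SSL all the time.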
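For item 10, the question to ask before typing a password into a page you reached from an email is which server the link actually points at. This added example (not from the original article) extracts the real host from a link and flags the common tricks: a trusted name stuffed into the subdomain, a trusted name placed before an `@` so it is treated as a username, a plain `http://` login page, and punycode (`xn--`) labels. The allow-list of trusted domains and the sample links are constructed; the two-label domain rule is a deliberate simplification of the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user actually logs in to.
TRUSTED_DOMAINS = {"facebook.com", "google.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a real check uses the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Report where a login link really goes and why it looks suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https: the login would be sent in the clear")
    if parts.username is not None:
        # 'https://accounts.google.com@evil.example/' is served by evil.example;
        # everything before the @ is userinfo that the browser ignores.
        warnings.append(f"userinfo {parts.username!r} before @ hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (xn--) label: check the decoded name")
    domain = registrable_domain(host)
    if domain not in trusted:
        warnings.append(f"real domain is {domain!r}, not a site you log in to")
    return {"url": url, "host": host, "domain": domain,
            "warnings": warnings, "ok": not warnings}


if __name__ == "__main__":
    # Constructed sample links; the phishing hosts are made up.
    for link in ["https://www.facebook.com/login",
                 "http://facebook.com.login-secure.example/",
                 "https://accounts.google.com@evil.example/signin",
                 "https://paypal.com.example.net/"]:
        result = check_link(link)
        print(("OK  " if result["ok"] else "WARN"), result["host"], result["warnings"])
```

The browser's address bar applies the same parsing, which is why the advice is to read the host there, not in the email, and to type the address yourself when in doubt.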

If you have had your account compromised and you don’t think that any of the above were the root cause, then it is time to take steps to ensure that your computing devices are free from spyware.

To be sure, anytime you get an account hacked, it is a good opportunity to make sure your computer’s anti-virus program is up-to-date and run a full scan.  For good measure, you can run a separate anti-spyware tool.

For a much more detailed look about how to keep your accounts secure, including step-by-step directions showing you how to protect your accounts, please visit