6

I never believed that some one can actually hack an email that easy. If someone hacks an email it means he actually hacked the server and he will gain access to many emails not to mine only. Anyway from time to time I hear someone says that his/her email was hacked, sometimes you even read it in the news where a celebrity complains about his email being hacked.

I think these people lost their passwords or used an easy to guess passwords. I do not think a real hacking is going on.

Am I right? does email hacking as in real hacking happens? or it is just a propaganda made by silly people who uses weak passwords or somehow expose their passwords and then they just blame the hackers? I think they are influenced by the movies where the hacker move elevators and turn traffic lights to green and that stuff.

  • I don't have the statistics available off the top of my head, but the VAST majority of e-mail account compromises are due to keyloggers or social engineering. It doesn't sound as cool to say that one "socially engineered" a password, however, so the term "hack" is used because it's not understood. Programmatic attacks against an e-mail server (or brute-forcing of the password/key) are vanishingly rare compared to engineered attacks. – Jonathan Garber Feb 11 '13 at 13:38
  • A thousand views, and 0 votes.. must be a bad question ;) –  Jul 13 '13 at 01:22
  • Related: [How to react after a personal email account compromise](https://security.stackexchange.com/a/110737/32746). – WhiteWinterWolf Apr 27 '16 at 09:13

3 Answers3

11

Most cases of "email hacking" targeting a single victim are about password theft: the victim's password was harvested with a keylogger (launched by some malware), by exploiting the target's gullibility (so-called "social engineering", such as phishing attempts), or even outright guesswork (no, the name of your dog is not a strong password).

Also, there are many people who talk about "email hacking" because someone sent an email with their own name / address as alleged sender -- they think of it as a highly technical intrusion method, because they don't know how easy it is to spoof the sender's address.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
5

There are six seven main possibilities:

  1. They used an extremely common password, and their account was picked up by a bot. Many bots harvest email lists from the internet and then try two or three common passwords on each. The weakest passwords get guessed, and the accounts are compromised.
  2. They got malware on their machine, e.g. a keylogger, and that malware was used to steal their credentials.
  3. They used the same password and email somewhere else, and that site had its database stolen. This is quite frequent on small-time sites that are often vulnerable to SQL injection, especially when they're not using proper password hashing.
  4. They fell victim to a phishing scam, whereby they entered their username and password into an attacker's fake site and got their credentials stolen.
  5. Their account was directly targeted by an attacker, and they used a dictionary password or something common. This isn't very common these days, since most services have decent lock-out mechanisms for a large number of bad login attempts.
  6. The email provider was hacked. This is probably the least likely.
  7. The site uses secret questions as the only authentication method for forgotten passwords, and someone guessed / found the answers. (thanks to CodesInChaos for this one)

All in all, yes it does happen. Most of the time it's due to bad passwords, password re-use, or malware. Unfortunately there's no easy way to prevent this for most layman users, other than training users to use decent passwords, browse safe, keep software up to date, avoid phishing sites, etc. Good luck with that.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • 4
    Or the website was badly designed, and allowed a direct password reset after answering "secret questions" (a misnomer, considering they often ask for public information). – CodesInChaos Feb 11 '13 at 14:14
  • Yeah, having the secret questions guessed is another one. I'll add it to the list. – Polynomial Feb 11 '13 at 14:15
  • 7 is an important one. That's how [Sarah Palin's yahoo email was hacked](http://en.wikipedia.org/wiki/Sarah_Palin_email_hack). You also have to worry about things like your browser remembering your password (without a master password), so anyone walking by your computer can steal all your passwords, or accidentally not using SSL to login once, or using your email address as your login ID and accidentally typing your email password into the login field at `untrustworthysite.com` which then uses your password to get into your emails, ... – dr jimbob Feb 11 '13 at 20:46
1

Several cases can happen. The most common is probably spoofing where the individual gets a virus which reads their address book and then simply creates spoofed e-mails to send to the contact list. There is no need to actually get the e-mail password as it is generally not required to manage to successfully spoof an e-mail message (there are techniques to help prevent this, but many servers don't implement them).

When a large number of e-mails are compromised for one user, it is generally that their username and password or e-mail client were directly attacked to pull the listing of e-mail. If they use a client like Outlook, then the data files can simply be taken without need for the username and password if a virus gets locally installed.

It is possible, however unlikely (not really worth the effort) that an e-mail server could be attacked directly, but, since e-mail is inherently insecure, it is also possible for an attacker to discover certain messages as they are on the wire if they are able to get positioned along the lines of communication used by the servers. This is also a fairly rare case (since it is difficult to target), but is none the less quite possible.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110