I’ve been hacked: two suggestions for email providers

So I’m sitting in Federal Income Tax, minding my own business, when I receive an email from myself. Obviously, I pay close attention in class (we were discussing the consumption of babies) so I certainly hadn’t sent it, but that left only one possibility: my Yahoo! account had been hacked.

I’d been meaning to update all my passwords for a while now — I’ve had this Lifehack tutorial open since the beginning of the semester to prove it — but this turn of events put those plans into overdrive.

I logged into Yahoo!, and my worst fears were quickly confirmed: I had about 50 MAILER-DAEMON error messages in my inbox (Yahoo! is my old account I now use primarily for receiving spam, so a lot of the addresses in it go to other Yahoo! accounts and Hotmail! accounts and AOL! accounts and other obsolete sorts of addresses). Fortunately, changing my password took all of about ten seconds and immediately put an end to the madness [note the time stamps and how the spam stops right when the password changes]:

Yahoo mailer daemons

But I knew the episode would prompt a flood of notifications from friends who had “successfully” received the spam and would helpfully inform me that my account had been hacked.

To forestall that eventuality and save them all the trouble, I went into my contact book and tried to send the following message to everybody in it:

Email got hacked - changed password - sorry before

Unsurprisingly, Yahoo! had meanwhile determined my account had been hacked and wouldn’t let me send the message:

Email got hacked - changed password - sorry after

Here are two suggestions that might make this situation better, presented in the form of questions:

1. If you can stop me from emailing all my contacts because you think my account security has been compromised, couldn’t you also set up an algorithm to block dozens of emails from being sent to groups of five people at a time in the span of a couple of minutes?

No offense, but your hacker alert probably should have gone off a lot earlier.

2. What if there was a button that would send every email address that might have been spammed (contacts + anyone you’ve ever emailed) a notification that you’ve been hacked but that the situation is now under control and there’s no need to email you back or call to let you know?*

*I’ll take this opportunity to thank all the people who emailed or called to let me know I’d been hacked.

Obviously, the system could still be abused by an actual hacker who wanted to discourage your friends from notifying you your account had been hacked, but I’m not too worried. Either a) the email provider could enact an additional safeguard* against the button’s use (like Gmail’s 2-step verification), or b) you could trust the hacker will have little incentive to send a pre-fabricated, unalterable email alerting anyone who received the initial email that the account has been hacked and not to trust anything that comes out of it.

*This solution begs the obvious question why that feature isn’t available to protect the entire account in the first place.

Alternatively, such an email could be automatically sent whenever the account detects it is spamming (using the algorithm described in idea #1, or even just the way Yahoo! manages to detect suspicious activity now), which would at least warn people against opening your email.

These ideas obviously wouldn’t prevent hacking in the first place. But they might save your friends from clicking on some bad links and/or sending you a boatload of warning emails. Sounds worthwhile to me.

And no, this might not be one of my greatest ideas — or frankly, blog posts — of all time, but at least now you know not to open that suspicious-looking link I sent you.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s