Friday, July 11, 2014

How I Accidentally Hacked Into Someone Else's Webmail

I'm off-topic today, but I had a rather bizarre experience I thought I'd share with you. It opened my eyes to what can happen if you're at all careless about entering certain information on websites.

The story begins a couple of months ago, when I got an email from Yahoo confirming that someone had changed the password on my email account. As I hadn't done any such thing, it obviously set alarm bells ringing.

I didn't immediately recognize the Yahoo account in question, but it had my name in it, so I assumed it must be one I had set up a while ago and forgotten about. Clearly I must have created it myself, as Yahoo was sending information about it to my personal Gmail account. It looked as if someone was attempting to hack into this apparently disused account, possibly with a view to stealing my identity.

Yahoo handily included a link for me to change my password, so I followed this and changed it to something different. A confirmation email duly arrived, and I clicked on the link to confirm the change. And that was it, I assumed - security leak fixed.

Then a few weeks later, the same thing happened - a message from Yahoo stating that my password had been changed. Again, I logged in to the account via their link and chose what I assumed would be an even harder password to guess.

A few weeks later, you've guessed it, the same thing happened again. I was getting a bit spooked by now, so I decided I needed to investigate further. So I reset the password again, and this time used the information to log in to "my" Yahoo webmail.

To my surprise I found myself reading the emails of an American guy called Nick Dawson. I must admit I spent a little time reading some of them to reassure myself that he was just an ordinary guy and not engaged in anything nefarious.

I then went to the profile area of the account and the explanation became apparent. In Yahoo (and other web-based email accounts) you are required to provide one or more backup email addresses, so that the company has an alternative way of contacting you. For some reason Mr Dawson had given my Gmail address as his backup email.

Now, I don't know whether this was a typo, or whether he simply picked an email address at random (some of the other entries in his profile suggested a rather flippant attitude to such matters). But the result was that any time he changed his password, an email was sent to me with a link allowing me to change it to something else. No doubt in deepest Illinois (or wherever he was) he was tearing his hair out.

Anyway, I felt I'd wasted enough time on this by now, so I simply deleted my email address from his account and logged off. I haven't heard any more from him or Yahoo, so I'm assuming he hasn't been stupid enough to restore it.

So the moral of this story is, be VERY careful when entering backup email addresses in web-based accounts. Get this wrong, and you could be inviting a total stranger such as me to read your private emails and alter your password and other details. It's just as well for Mr Dawson that I'm not a criminal, or I could have sent compromising emails in his name to his friends and other contacts, and much more besides.
  • Have you had any similarly bizarre experiences online? I'd love to hear about them! Please post them below as usual.

Maria Midkiff said...

Thanks for the warning. I've never thought of that and can see how the mistake could be made. I'm going to pass this on to my relatives. Great advice as usual! Thanks Nick.

6:00 PM  
Nick said...

No problem, Maria. Glad you found it useful.

8:13 PM  
Lorraine Mace said...

Thanks for the warning, Nick. I'm going to check the back-up email addresses for my various accounts.

8:13 AM  
Nick said...

No problem, Lorraine. Yes, that's a very sensible precaution.

10:40 AM  

