Whether email accounts can be hacked and how

Received a question asking “whether email accounts can be hacked and how”

Yes, email accounts can be hacked to allow unauthorized persons to access your email account .  Typically, this can be done by several approaches (or a combination of them):

(Update : 6:50 pm May 21 – switched article to headings instead of ordered list)



This is when you are deceived into entering your username and password at a bogus website masquerading as the legitimate site. See “How the Syrian Electronic Army Hacked The Onion” http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/ as an example of a phishing emails used to get user credentials.


Installing malicious software or spyware

Spyware on a computer can monitor keystrokes and eventually obtain your email username and password as you use the computer to access the account.

Spyware is typically installed on your computer by

  • software exploits – surreptitiously by taking advantage of software flaws or vulnerabilities (often the web browser and the addons installed in your web browser) on your computer. Such security flaws allows for software to be installed without your knowledge by visiting a malicious website.
  • bundling such spyware with third party software obtained from unreliable sources
  • deceiving the user to install software via banner ads or by forged emails from one of your friends or organisation you work with, asking you to view/run an attachment.


Social Engineering

Persons use email addresses to sign up for various online services/websites. Most (if not all) services allow for the password to user’s accounts to be reset, in case you have forgotten your password. Because such services use different details about you to verify your identify, information about you gleaned from one service (e.g your birthday posted on Facebook, WHOIS information from your domain name you registered) can be used by an attacker to obtain your password at another service. A Wired editor wrote a detailed article when this happened to him: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/.  Another interesting article : https://medium.com/tech-talk/280c753b1145


Not logging out of your account from a shared or public computer

Not logging out of your account from a shared or public computer means that another person with access to the machine can access your account.


Poor password security practices

Email accounts has been hacked from people “guessing” the answers to the recovery/security question to reset the password. Easy questions like your spouse’s name or favourite pet can be gleaned from information published on social networks.

Other poor security practices include using simple passwords that are easy to guess (eg “password” for the password) and using the same username and password for multiple services. When one service is compromised resulting in their user accounts and password information being stolen or leaked on the Internet, all other services that use the same username and password are at risk.


Password sniffing

Typically many public wifi networks are not encrypted, which means that other devices on the wireless network can eavesdrop and monitor network traffic. This means that if you use your username and password on such a network, your login information can be copied for later use by such other devices.




Any suggestions for this post on how else can email accounts be hacked?