
I've been hacked.

Seek assistance with all types of tech. - computer, phone, TV, heating controls etc.
wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

I've been hacked.

#377543

Postby wickham » January 15th, 2021, 4:03 pm

My hotmail outlook 2007 email client on a windows 7 pc (not outlook.com) has obviously been hacked. I received a lot of spam this morning and also a huge number of undeliverable notices from microsoft. Most of the undeliverable emails were to addresses from my contact list, but about a third were completely unknown, presumably known only to the hacker.

I've changed my hotmail password (and therefore also my hotmail email password) and done a full scan with malwarebytes which showed no threats.

Have I covered all the boxes? It occurs to me that the hack may have been in the pc itself, or just in the outlook app or in a Hotmail email.

How do I know where the hack was? I thought that AVC a/v system covered emails, but it seems one got through. I did receive an email with an attachment from a friend, perhaps that was infected, but I've deleted it.

Midsmartin
Lemon Slice
Posts: 778
Joined: November 4th, 2016, 7:18 am
Has thanked: 211 times
Been thanked: 491 times

Re: I've been hacked.

#377604

Postby Midsmartin » January 15th, 2021, 7:15 pm

It's impossible to know what's gone on without a full investigation. Looking at the full internet headers of the emails bouncing back might help. Is there anything in the 'sent' folder if you log in via webmail? Also check your webmail account for any forwarding that may have been set up. I have seen hacked accounts where spam was sent out, and a forwarder was set up to relay any replies (or the owner's real email) to an external email address.

A few possibilities are:

1) It wasn't you that was hacked, but one of your contacts. Their address book was used, and your email address was spoofed. Just because an email says it was "from" you doesn't mean it was sent from your mailbox. The "from" box can contain any arbitrary text if you can find an email server to send it for you. In this case, there's really nothing you can do about it at all.

2) The next most likely is that someone has guessed your password and accessed your account on the web, or you were persuaded to enter it on a phishing page somewhere. In this case, yes, just change it to a better password.
Consider whether your email messages contain anything important (eg passwords in plain text) that might mean you need to change some other passwords for other things in case they have been read.

3) It's possible your computer has been infected by a password-collecting malware, but to be honest I think this is less likely.

Good passwords should be memorable, but not be a dictionary word, place name etc. Short memorable phrases can be good. Eg, I don't know, "turtleslikebeer". You'd remember it, but it's probably not easily guessed. Although - if you *assume* that a password is a three word phrase, and use a short dictionary of maybe the 1000 commonest words, then maybe a brute force attack might still work.

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: I've been hacked.

#377611

Postby wickham » January 15th, 2021, 7:28 pm

Thanks for the comments. I'll check tomorrow.

Infrasonic
Lemon Quarter
Posts: 4489
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: I've been hacked.

#377624

Postby Infrasonic » January 15th, 2021, 8:06 pm

If it was via the attachment then Outlook probably had macros enabled. It's unlikely as macros were switched off by default years ago in Outlook because of the security risks (it was a main attack route for ransomware), but it's worth checking.

If you got a load of bounces then option 1) above would be quite likely as the authentication path (SPF/DKIM/DMARC) would fail as the spoofed from address (yours) wouldn't match the real one of the compromised account.

You can check the email address here to see if it's been leaked in a data breach... https://haveibeenpwned.com/
That doesn't mean the password has been leaked, or that the account has been hacked - just that the address will be on a load of spammers' databases, which is a big reason for getting high volumes of spam.

If you save the compromised email address and old password into Chrome browser and then run settings/password/check passwords it will show any compromised log in name/password combinations. I've got an old BT one that shows up but as I don't have a BT account anymore I can't change it and it's not important enough to really worry about.

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: I've been hacked.

#377643

Postby wickham » January 15th, 2021, 9:52 pm

Although I received some spam this morning, the problem was that my Hotmail account tried to send about 100 emails in a few minutes. Hotmail stopped most and sent me undeliverable notices, but the sending attempts aren't recorded in my sent items folder. I only know who they were sent to from the undeliverable notices.

Only four people from my contacts list have emailed to ask why I sent spam. Most of the undeliverable emails were to email addresses unknown to me.

Hotmail said that I had exceeded my daily allowance of sent emails so I'm expecting to be able to send again tomorrow. I've always been able to receive emails.

I did receive an email early this morning from a neighbour who isn't in my contacts list and it had an attachment which I wasn't surprised to receive and I opened it so I suppose it was this attachment which caused the hack.

I have been pwned in two breaches, but I don't understand what this means. I'll investigate tomorrow.

Infrasonic
Lemon Quarter
Posts: 4489
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: I've been hacked.

#377654

Postby Infrasonic » January 15th, 2021, 10:59 pm

wickham wrote:Although I received some spam this morning, the problem was that my Hotmail account tried to send about 100 emails in a few minutes. Hotmail stopped most and sent me undeliverable notices, but the sending attempts aren't recorded in my sent items folder. I only know who they were sent to from the undeliverable notices.

Only four people from my contacts list have emailed to ask why I sent spam. Most of the undeliverable emails were to email addresses unknown to me.

Hotmail said that I had exceeded my daily allowance of sent emails so I'm expecting to be able to send again tomorrow. I've always been able to receive emails.

I did receive an email early this morning from a neighbour who isn't in my contacts list and it had an attachment which I wasn't surprised to receive and I opened it so I suppose it was this attachment which caused the hack.

I have been pwned in two breaches, but I don't understand what this means. I'll investigate tomorrow.


If you get a positive hit on the HIBP site it means your email address is in the wild following a database leak somewhere (so it's available on the dark web for spammers to purchase and put onto their databases). It may or may not have included your password and that may or may not have been encrypted (generally they are). The Google Chrome suggestion will give more detail or you could try... https://www.avast.com/hackcheck/ (they'll email you a report with details of the leak and whether your password was included - and encrypted or not).

Plain text password storage isn't unknown but the major operators haven't done it for years, so it's unlikely.
Of course if the password encryption is weak then it's possible sophisticated cyber criminals could break it, in which case an account hack is possible (although again statistically unlikely).

As you've changed the password that should help.

If you can, two factor authorisation will increase security as well. Microsoft have their own authenticator mobile app, or you can use a third party one if you prefer.
SMS (text messages) aren't that secure, so avoid that 2FA route if possible.

Infrasonic
Lemon Quarter
Posts: 4489
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: I've been hacked.

#377659

Postby Infrasonic » January 15th, 2021, 11:20 pm

You might find your email address has been blocklisted for spamming - you can check here... https://mxtoolbox.com/emailhealth
When it comes up with the report go to 'show all tests'.
As long as you get all/mostly green ticks on the full report you should be OK.

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: I've been hacked.

#377685

Postby wickham » January 16th, 2021, 7:21 am

A quick early check shows that I can send emails again. It occurs to me that my computer and tablet were probably not involved if it was a hack into the Hotmail account online. My password change should help.

Blacklist 0 errors, 0 warnings
Mail server 0 errors, 3 warnings
Web server 0 errors, 0 warnings
DNS 0 errors, 1 warning

DMARC Quarantine/Reject policy not enabled More Info
mx hotmail.com DMARC Quarantine/Reject policy not enabled More Info
smtp hotmail-com.olc.protection.outlook.com Reverse DNS Resolution - No PTR Record found More Info
dns hotmail.com SOA Serial Number Format is Invalid

I assume that the warnings will disappear given time.

I don't have a mobile phone so two stage authentication isn't possible.

Infrasonic
Lemon Quarter
Posts: 4489
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: I've been hacked.

#377693

Postby Infrasonic » January 16th, 2021, 8:32 am

wickham wrote:A quick early check shows that I can send emails again. It occurs to me that my computer and tablet were probably not involved if it was a hack into the Hotmail account online. My password change should help.

Blacklist 0 errors, 0 warnings
Mail server 0 errors, 3 warnings
Web server 0 errors, 0 warnings
DNS 0 errors, 1 warning

DMARC Quarantine/Reject policy not enabled More Info
mx hotmail.com DMARC Quarantine/Reject policy not enabled More Info
smtp hotmail-com.olc.protection.outlook.com Reverse DNS Resolution - No PTR Record found More Info
dns hotmail.com SOA Serial Number Format is Invalid

I assume that the warnings will disappear given time.

I don't have a mobile phone so two stage authentication isn't possible.


Those mail server warnings are pretty standard with generic webmail, they are set pretty loose to avoid bouncing or NDR'ing too much email - if it was your own domain mail or you had Exchange (both paid for...) you could change those settings to suit from the admin account if it was a high enough service tier.
If you Google the various terms you'll see what they mean - it does take a while to learn how it all works at the server level, and due to spammers becoming more sophisticated extra layers have been added over the years to compensate - increasing the complexity.

UncleEbenezer
The full Lemon
Posts: 10812
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1471 times
Been thanked: 3005 times

Re: I've been hacked.

#377732

Postby UncleEbenezer » January 16th, 2021, 10:52 am

wickham wrote:My hotmail outlook 2007 email client on a windows 7 pc (not outlook.com) has obviously been hacked. I received a lot of spam this morning and also a huge number of undeliverable notices from microsoft. Most of the undeliverable emails were to addresses from my contact list, but about a third were completely unknown, presumably known only to the hacker.


Um, you might want to google "joe job". That's where a spammer uses your address in the "From" field when sending spam (and technical variants on the same theme). Any mailserver that uses pre-spam-era (i.e. more than 20 year old) protocols to return undelivered mail will then bounce it back to you, and there are enough misconfigured mailservers around that you might get large numbers - in the past I've had tens of thousands before seeing what was going on and (temporarily) deleting the email address in question to stop them.

Such bounce messages wouldn't all come as "undeliverable notices from microsoft", but I wonder if it's possible that hotmail and/or outlook present them to look like that?

A key point is that a "joe job" doesn't mean you've been hacked at all. It's just identity theft at a level as trivial as if I signed this message "Bill Gates".
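
Added example, not part of any post in the thread: a Python sketch of the bounce triage suggested above (read the full headers of a returned message, then check where it was really sent from and its SPF/DKIM/DMARC results) to tell a forged "From" or joe job apart from mail sent through the real account. The sample bounce is constructed, and `PROVIDER_SUFFIX` is an assumed pattern for the provider's outbound relays, not a value from the thread.

```python
import email
import re
from email import policy

PROVIDER_SUFFIX = ".outlook.com"  # assumption: your provider's outbound relays end with this

# Constructed sample bounce (example.* names, RFC 5737 address); not from the thread.
SAMPLE_BOUNCE = """\
From: postmaster@mail.example.net
Subject: Undeliverable: Invoice
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from relay.example.org ([203.0.113.45]) by mail.example.net;
 Fri, 15 Jan 2021 09:01:00 +0000
Authentication-Results: mail.example.net; spf=fail smtp.mailfrom=hotmail.com;
 dkim=none; dmarc=fail header.from=hotmail.com
From: user@hotmail.com

body
--b1--
"""

def returned_original(raw):
    """Return the original message embedded in a bounce, else None."""
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def triage(raw):
    orig = returned_original(raw)
    if orig is None:
        return {"verdict": "no original headers returned"}
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           " ".join(orig.get_all("Authentication-Results", []))))
    # The topmost Received line was written by the server that bounced the mail,
    # so it records who really connected; lower lines can be forged by the sender.
    hop = re.search(r"from\s+(\S+)", (orig.get_all("Received") or [""])[0])
    origin = hop.group(1).lower() if hop else ""
    if origin.endswith(PROVIDER_SUFFIX) and auth.get("dmarc") == "pass":
        verdict = "sent through your provider: treat the account as compromised"
    elif auth.get("dmarc") == "fail" or not origin.endswith(PROVIDER_SUFFIX):
        verdict = "sent elsewhere with your address forged (spoof / joe job)"
    else:
        verdict = "inconclusive"
    return {"origin": origin, **auth, "verdict": verdict}
```

Save a bounce as a raw `.eml` file and pass its text to `triage()`; many bounces return no original headers at all, in which case the function says so rather than guessing.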

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: I've been hacked.

#377745

Postby AF62 » January 16th, 2021, 11:44 am

wickham wrote:My hotmail outlook 2007 email client on a windows 7 pc (not outlook.com) has obviously been hacked.


Turn on 2FA if you haven't for your Microsoft (aka Hotmail) account - https://support.microsoft.com/en-us/acc ... b4585e7eb4 and turn it on for any other sites which offer it - https://twofactorauth.org/

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: I've been hacked.

#377823

Postby wickham » January 16th, 2021, 3:45 pm

As a matter of interest, the link which was apparently sent from my neighbour was to www. back...blazeb2.com/file/ (delete spaces and 3 dots if you dare to open the link). I haven't shown the link's suffix but when I opened it in Chrome by clicking the link I found it was a Word file with insurance details. It wasn't a document that I was expecting from him, but I wasn't surprised that he sent me something.

The link for "B2 Cloud Storage: The Lowest Cost On Demand Storage" is www. back... blaze.com/ or www. back...blaze.com/b2/ and both appear to be a genuine dropbox type website but my link had the b2 before the .com.

I'm beginning to think that this wasn't the cause of my Hotmail problems. However, the email came via another email client I have but the Hotmail problem surfaced just after I opened the link in Chrome, so I'm still not sure whether the problem was due to the Word doc or whether my Hotmail account was accessed by another means. If I remember correctly, OneDrive (ie linked to Hotmail) was shown somewhere on the page with the link or after I opened the link, but I've deleted it now so I can't check.

xeny
Lemon Slice
Posts: 450
Joined: April 13th, 2017, 11:37 am
Has thanked: 235 times
Been thanked: 154 times

Re: I've been hacked.

#377853

Postby xeny » January 16th, 2021, 5:15 pm

wickham wrote:My hotmail outlook 2007 email client on a windows 7 pc (not outlook.com) has obviously been hacked.

snip

Have I covered all the boxes? It occurs to me that the hack may have been in the pc itself, or just in the outlook app or in a Hotmail email.

How do I know where the hack was? I thought that AVC a/v system covered emails, but it seems one got through. I did receive an email with an attachment from a friend, perhaps that was infected, but I've deleted it.


Is there some reason you're using an out of support OS, with an out of support email client, and then worrying about security?

wickham
Lemon Slice
Posts: 363
Joined: November 6th, 2016, 8:13 am
Has thanked: 34 times
Been thanked: 10 times

Re: I've been hacked.

#377871

Postby wickham » January 16th, 2021, 5:39 pm

It may not have been the fault of an old pc, as it was clean and protected. The online Hotmail account may have been hacked.

