Account Hijacking

The Digital First Aid Kit

The Digital First Aid Kit aims to provide preliminary support for people facing the most common types of digital threats. The Kit offers a set of self-diagnostic tools for citizens, human rights defenders, bloggers, activists and journalists facing attacks themselves, as well as guidelines for digital first responders assisting a person under threat.

Account Hijacking

Are you having a problem accessing an email, social media or web account? Does an account show activity that you do not recognize? There are many things you can do to mitigate this problem.

Start by answering some simple questions:

  • Which service are you having trouble with?
  • Are you the only person who uses the account? Sometimes, multiple people have access to Facebook group pages, WordPress blogs or email accounts. If multiple people have access to this account, first check that your friends or colleagues haven’t changed the password or permissions themselves.
  • What is the username and the URL of the account?
  • Are you unable to access your account?
  • Can you see someone else using your account?
  • Did you get an alert or have friends/contacts received strange messages from you?
  • What other evidence have you seen of the problem?

First steps to mitigate the problem:

If you still have access to the account

Move to a different computer, one that you consider to be safe or uncompromised. Log in and change the password on your account. Changing the password does not always end sessions that are already signed in, so if the service offers an option such as "sign out of all other sessions" or "log out of all devices", use it as well. Then move to the following steps:

  • Step 1: Stop using this account for the exchange of sensitive information until you better understand the situation.
  • Step 2: If possible, review the connection history/account activity (an available feature for Facebook, Gmail and other email platforms). Check to see if your account was used at a time when you were not online or if your account was accessed from an unfamiliar location or IP address.
  • Step 3: Take a look at the account settings. Have they been changed? For email accounts, check for automatic forwarding and for filter rules (a filter can forward or delete messages without any visible forwarding setting), possible changes to the backup/reset email address or phone numbers, synchronization to different devices, including phones, computers or tablets, and permissions granted to applications or other account permissions.
  • Step 4: Change the passwords for all your other online accounts that are linked to this one. For example, if you are looking at an email account and it is the recovery address for another account, change the password for that account.
  • Step 5: Don’t stop here! Follow the important next steps below.
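As an added example that is not part of the Kit, the following Python applies the checks of Steps 2 and 3 to a constructed activity export and to two constructed snapshots of an account's settings page. The field names, sample entries, known networks and offline hours are assumptions made for the example; real providers show this information in their own format, usually only in the web interface, so the point is the logic of the review rather than a tool to point at your account.

```python
import ipaddress
from datetime import datetime

# Constructed sample of a provider's "recent activity" / connection history
# export. Real exports differ per provider; these field names are assumed
# for the example only. Timestamps are UTC.
ACTIVITY_LOG = [
    {"time": "2014-09-01T08:05:00Z", "ip": "192.0.2.10", "device": "Firefox on Linux"},
    {"time": "2014-09-01T13:20:00Z", "ip": "192.0.2.10", "device": "Firefox on Linux"},
    {"time": "2014-09-02T03:41:00Z", "ip": "198.51.100.7", "device": "Android app"},
    {"time": "2014-09-02T09:00:00Z", "ip": "192.0.2.10", "device": "Firefox on Linux"},
    {"time": "2014-09-03T22:55:00Z", "ip": "203.0.113.99", "device": "IMAP client"},
]

# What the account owner knows about their own use (assumed for the example).
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # home and office
KNOWN_DEVICES = {"Firefox on Linux"}
OFFLINE_HOURS = range(0, 6)  # hours (same zone as the log) when the owner was asleep

# Constructed snapshots of the settings page: a known-good copy recorded
# earlier and the current one. The keys mirror the items Step 3 inspects.
SETTINGS_BEFORE = {
    "forwarding": [],
    "filters": [],
    "recovery_email": "me-backup@example.org",
    "recovery_phone": "+31600000000",
    "authorized_apps": ["Calendar sync"],
}
SETTINGS_NOW = {
    "forwarding": ["collector@example.net"],
    "filters": [{"match": "from:bank", "action": "delete"}],
    "recovery_email": "me-backup@example.org",
    "recovery_phone": "+10000000000",
    "authorized_apps": ["Calendar sync", "Mail backup tool"],
}


def review_activity(log, known_networks, known_devices, offline_hours):
    """Step 2: return (time, ip, reasons) for every login that looks wrong.

    A login is flagged if it came from a network the owner does not use,
    from a device the owner does not recognise, or during hours the owner
    says they were offline. One entry can match several reasons.
    """
    findings = []
    for entry in log:
        when = datetime.strptime(entry["time"], "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(entry["ip"])
        reasons = []
        if not any(ip in net for net in known_networks):
            reasons.append("unfamiliar IP/location")
        if entry["device"] not in known_devices:
            reasons.append("unfamiliar device")
        if when.hour in offline_hours:
            reasons.append("owner was offline")
        if reasons:
            findings.append((entry["time"], entry["ip"], reasons))
    return findings


def review_settings(before, now):
    """Step 3: return (setting, old value, new value) for every changed setting."""
    changes = []
    for key in sorted(set(before) | set(now)):
        if before.get(key) != now.get(key):
            changes.append((key, before.get(key), now.get(key)))
    return changes


if __name__ == "__main__":
    for when, ip, reasons in review_activity(ACTIVITY_LOG, KNOWN_NETWORKS,
                                             KNOWN_DEVICES, OFFLINE_HOURS):
        print(f"suspicious login at {when} from {ip}: {', '.join(reasons)}")
    for key, old, new in review_settings(SETTINGS_BEFORE, SETTINGS_NOW):
        print(f"setting changed: {key}: {old!r} -> {new!r}")
```

Comparing a known-good copy of the settings against the current page is why it pays to note your recovery address, phone number, forwarding rules and authorised applications while the account is healthy. A filter that quietly deletes or forwards mail is the kind of change an attacker leaves behind to keep reading your messages after you have changed the password, which is why the review in Step 3 matters even when the login history looks clean.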

If you no longer have access to the account:

Follow the recovery procedures of the different providers. Note that different services have different ways to reset the password on your account. Some will send you a link to change your password using your recovery email address, while others reset it to a temporary or previously used password. In the reset case it is important to change your password immediately after regaining access to your account, and then to work through the steps above for an account you still have access to. If these steps do not work and your account is being abused, contact one of the organizations listed in the Kit for possible support in shutting the account down.

Don’t stop here! Important next steps:

If you suspect that someone else has access to your account, complete the following steps:

  • Step 1: Answer the following questions for yourself: Who might have access to your account (friends, co-workers, spouse, children)? What devices (computer, phone, tablet) have you used to access the account? In what physical locations have you accessed the account (home, office, cybercafe, public Wi-Fi network)?
  • Step 2: Do you use the same password on other accounts? If so, perform the same checks on those accounts. Create new, unique passwords for each one.
  • Step 3: Think about what you use this account for. Does it hold sensitive information? This could include your contacts, information about your location or the content of your messages. If you think this information could put your contacts at risk, inform them that your account has been compromised.
  • Step 4: Repeat the review of the connection history/account activity - at least once a week for a month - to ensure that your account does not continue to show strange activity. If it continues to show strange activity, proceed to the malware section.

Take extra precautions against attackers:

Enable 2-factor authentication on this account, if it is available for the service you use. This is a process that requires you to confirm your identity on an alternate device (usually a mobile phone) when logging into an account, so that a stolen password alone is not enough to get in. Google, Facebook, Twitter and WordPress support 2-factor authentication. Where the service lets you choose how the second factor is delivered, an authenticator app on the phone or a hardware security key is harder for an attacker to intercept than a code sent by SMS.

It should be noted that enabling 2-factor authentication on Google will force you to use separate application-specific passwords (Google calls them App Passwords) for applications like Thunderbird, Jitsi, Pidgin and any other application that isn’t connecting via the web interface. These can be set up in the account settings on the web. Each of them bypasses the second factor, so create one per application and revoke the ones you no longer use.

Investigate

It is good to understand why your account was hijacked. Who do you think might be interested in targeting you or your organization? Is this threat related to your work? In the section on helpful resources there are links to guides that give you tips and tricks on how to prevent digital emergencies and be proactive in your digital security.

  • Security in a Box: Threat models
  • Surveillance Self Defense (currently being updated; the new version is expected in Autumn 2014)

About The Digital First Aid Kit

The Digital First Aid Kit is a collaborative effort of EFF, Global Voices, Hivos & the Digital Defenders Partnership, Front Line Defenders, Internews, Freedom House, Access, Qurium, CIRCL, IWPR, Open Technology Fund and individual security experts who are working in the field of digital security and rapid response. It is a work in progress; if there are things that need to be added, or you have comments or questions regarding any of the sections, please go to GitHub.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.