76 thoughts on “The Value of a Hacked Email Account

  1. Tim

    You forgot to add a little espionage/NSA section in the diagram…;-)

    1. CooloutAC

      and Russian, Pakistan, Iran, and Chinese espionage as well….. who have way more of a presence online then the USA does.

        1. loser

          Really? How eloquent of you to purvey your thoughts. I can’t imagine how well you do in real life.

    2. SgSanford

      Except they don’t really need to do any hacking to get your stuff.
      They just logon to the server.

      1. CooloutAC

        Thats actually not true. If your talking about the false reports by Glen Greenwald….the only reporter who has yet to correct his reporting on this.

        In regards to google, yahoo etc… They are not hacking…and they are not directly logging into their servers either. They are asking for the data, and the companies are handing it right over.

        Not to say that the NSA isn’t hacking people….
        But I’m more worried about Timothy Thorn hacking me…lol

        1. Richard Steven Hack

          There is nothing whatever false in Glenn Greenwald’s reports.

          Specifically, the term “direct access” does NOT NECESSARILY mean physical access to the relevant servers on premises OR remote access to those servers via a dedicated connection to the Federal agency. That has been made clear. Such access can be via direct physical access by Federal agents on terminals supplied by the institution, access within the institution by Federal agents accessing subnetted servers (as opposed to primary servers) holding the desired information, or access via deep packet inspection via those companies’ Internet or telecom providers.

          ALL of those means have been reported on in the past at one or more of the companies cited.

          The statements by the Internet companies cited i the press were carefully crafted by lawyers to basically say nothing. The same is true of statements made by the government.

          You don’t build a $1.5 billion data center in Utah and ANOTHER $850 million data center back east just to tap the phones of a few thousand “terrorists” overseas.

          1. CooloutAC

            Most of America is not a computer nerd. Direct Access is a very misleading term. Glen Greenwald knows what words can do and he knew exactly what he was inciting.

            An example is the above poster who thought they were actually logging into verizons servers lmao.

            1. CooloutAC

              it has been made clear? where? the nsa does not have remote access to verizon. This isn’t CHINA.

            2. CooloutAC

              please link some articles describing how the NSA has direct access to terminals at verizon. nonsense.

              Next your gonna tell me china has no control of hong kong, they have freedom of speech and noone spies on the internet. Ya ok…..

              1. Richard Steven Hack

                You apparently have trouble using words or understanding them.

                No where did I say that the NSA has direct terminals into Verizon.

                I said that is one of the POSSIBILITIES for ANY of these companies.

                Try to keep up.

                1. CooloutAC

                  lol. so now its just one of the possiblities. You think they are just gonna ruin verizon and googles bandwith like that? I really do believe they are only getting meta data, and it is coordinated on seperate channels.

                  But Well now you can see how misleading even your words can be. That is what one of the above posters actually believes…and sounded like what you believe too. That is what greenwald implied.

                  Greenwald knew exactly what he was saying to the public….

                  1. annoyed

                    Could you please stop posting? you spew your opinions like they’re gospel truth and seemingly carry on conversations with nobody but yourself. do everyone and mr Krebs a favor and go away.

                    1. CooloutAC

                      Ya np, this is the last blog post i comment on…

                2. voksalna



      2. Steven

        Haha, absolutely correct. Latest events and news coming from Hong Kong confirmed the Conspiracy Theory that Uncle Sam watches all of us, 24/7.

  2. CooloutAC

    Too funny. I see this post right after a cousin messages me on fb saying his email got hacked lol.

    Great Article though Mr. K. I know google uses cell phones to text account activation codes too now. They were the first. I also see some shady sites use this method also. Like the ones that promise you get to keep a free phone or laptop for testing it out. but want you to sign up for other promotions with your credit card. They also ask for the cell number to text to before you even get that far.

    I think maybe all sites might do this just to change passwords in the future. I always say it should be mandatory for gaming sites to keep most undesirables out.

    I just realized to on most email sites now even yahoo….its an option, i almost never put my cell number in though. But maybe i should before a hacker puts his in? lol

    1. CooloutAC

      I mean apparently the professional hacker voksalna says cell phones can’t be spoofed. If thats true i don’t see a better way then.

      1. voksalna

        Trying to troll me into responding by pointing out that you’re putting words into my mouth that I never said? Of course it’s possible.

        Message for 12 June.

    2. CooloutAC

      I’m not sure yahoo is even using it to text codes to though which is why i didn’t bother.

  3. wat

    well, there’s ways around 2 step verification too, or have we forgotten about Eurograbber

    and emails, oh well, if you ever lose anything you just call NSA to recover your lost emails.

    1. CooloutAC

      what about texting codes to cell phones?

  4. ledgetop Distributors

    Would you please post or post the link to the recommended security procedures for banks. I would like to run it by my bank and cannot find the posting on your site.
    Thanks–John Donahoe

  5. ledgetop Distributors

    Would you please repost or post the link for your article on security procedures for banks. I have been unable to retrieve it and wish to run it by my bank.

    Thanks–John Donahoe

    1. CooloutAC

      you can also test your banks website server security….at ssllabs.com If they are not rated A+ tell the bank.

      1. CooloutAC

        but use the url of the site after you login, which is prolly diff.

          1. CooloutAC

            I think to get it a+ has something to do with supporting older browsers are something. I forget. But if your browser is up to date it shouldn’t be a problem.

            1. CooloutAC

              You could send the report to your bank anyways…it might become A+ 🙂

  6. john senchak

    I’ve seen email , paypal and credit card dumps being stored on the same compromised virtual hosting account as phishing scams It always amazes me how people will just give up their information without looking to see if it’s the real legitimate site. If you are foolish enough to just give up your information without any thought of what you’re doing, then why should other people have any sympathy for you if your data gets resold on the black market.

    Don’t get me wrong here, I would rather see internet users be protected but why should other people care, if you are ignorant about internet security and don’t properly protect your personal data at all times.

    P.R.I.S.M Protect Responsibly your Internet Storage of Messages

    1. Madmonkey

      To Mr John Senchak. I understand your frustration and I too used to believe it as well. But after reading Mr Rick Wash’s Folk Model theory I’m a changed person. You see average users have their own concept of computer security and for the most part it is distorted or doesn’t show the full picture. What needs to be understood is that regardless of what knowledgeable security people say, these people will follow their own model of computer security even if it is 99% wrong! (Even if some of their ideas are quite correct but their understanding is wrong)

      The question is how do we change their folk models (if that is even possible) or at least formulate a solution that is both secure and conforms to these models?

      We seem to think average users are stupid. But that is not necessarily correct, they have their own views about what they understand as security which is influenced a lot by the media, maybe we need to influence the media into explaining more to average folk than the usual ‘teen hacks blah blah blah’ story they love to talk about.

      Source: (The Folk Models-Very interesting Read!)

    2. CooloutAC

      So maybe like Hitler… You should mass exterminate all stupid people for a better race? Matter fact why give healthcare to unhealthy people, maybe we should just let them die. Its prolly their fault they don’t excercise.

      Lets blame the user mentality….is barbaric. And it has to end.

      PRISM, does not have direct access to googles or verizon terminals. I doubt they are logging in at will. Its prolly more like an ftp site they are uploading stuff to.

      SHAME on the guardian for implying that.
      show me an article in the past that says anything remotely similar. I don’t even think Verizon was fully cooperating with the government in 2006….when this story was first broke by USA today. But because hackers are such a problem now, I’m sure they are just sending everything over with no questions asked now.

  7. John

    The “bad guys” are the U. S. Government. I am more worried about the U. S. Government than any hackers at this point. The U.S. Government is the best example of a “crime shop”.

    1. BrianKrebs Post author

      Maybe so, but keeping the government out of your communications may be a lot harder than simply securing your email from financially-motivated hackers.

      I wonder how many people who are upset over the extent of the recent revelations of USG snooping are regular users of encryption. My guess would be very few.

      1. AlphaCentauri

        I suspect that for the average person whose emails are basically pretty boring, they are more freaked out at the idea of everything they’ve ever written being saved, long after they have forgotten writing it.

        And maybe years from now being asked things like, “Are you now, or have you ever been, a Tea Party member?”

      2. me

        If they’re only tracking the meta data then encryption doesn’t matter, you still need covert channels and other methods of obfuscation to hide who your talking to, when, from where, etc. (i.e. tor)

    2. Stefan

      Thats like saying you are more afraid of SWAT teams breaking into your house than burglars. And while that may hold some truth it is no reason at all not to protect yourself against burglars.

    3. CooloutAC

      The bad guys to me are anyone we consider bad guys in real life, the internet is just another world enviornment that is in barbarian times.

      besides radical muslim terrorists…

      what about corporations selling your info to ad agencies or other purposes, Email spammers/hijackers, vigilante hackers who are making sure your not a criminal, religious nuts making sure your not a pedophile or possessed by satan…lol. Hackers trying to rob you or steal your identity. Scumbags trying to ruin your pc for fun!(prolly sore loser gamers) drugdealers hiring hackers to make sure your not a cop or snitch. Sexual predators…..other countries like china, russia, pakistan, iran, spying on us for state reasons….etc…..

      These countries actually read our emails more then the gov’t hahaha.

      and if you think you have any tools to encrypt that the gov’t can’t crack your delusional. But protecting yourself from thieves or other spies is totally understandable.

      1. CooloutAC

        Just corporations stealing corporate secrets could hurt our country in the long run. They shipping too many jobs overseas as it is.

  8. John

    That is because encryption is too confusing for the average person. I know more than one person who still cannot figure out how to setup their voice mail for their cell phone or how to retrieve their messages. How much would it cost to have an IT security technician setup ones computer, cell phone, etc, for secure communication to include encrypting files, setting up a VPN, router security, FreeBSD, etc?

    1. Richard Steven Hack

      That’s right. Encrypting email on one’s own end is useless if no one you email TO can support it.

      Email encryption has never taken off and I don’t expect it ever will until it’s massively dumbed down and directly supported by all email platforms.

      Unless it’s automatic and ubiquitous, it’s useless.

      1. BrianKrebs Post author

        I’ll grant you that email encryption isn’t as easy as it should be (it’s not grandma or mom-friendly) but it’s not rocket surgery either.

        I find that simply using stuff like OTR (off the record plugin) for online conversations (XMPP, Jabber, AIM, etc) does wonders for spreading the word about these protections.

        1. CooloutAC

          OTR wow that brings back memories, i used to do that with pidgin years ago. and PGP encryption for when uploading files. I doubt most people would not bother though, and believe it or not most people dont’ care. They are more concerned about their credit card getting stolen.

          I mean maybe this will stop the gov’t from randomly targeting you, which would be strange in the first place. But if you are already targeted by the NSA…I doubt any of this would be a hurdle for them.

        2. voksalna

          I remember sending you a GPG key and you emailed me plaintext. 😉 People take the easiest route by default, not the most secure — even when they know better.

          1. voksalna

            The problem is that anything encrypted will make a person targeted by default. It’s another of the treacherous aspects of ‘if you have nothing to hide…’ — when it gets turned around it becomes ‘only someone with something to hide…’


  9. tjallen

    The encryption keys stored on your computer are unsafe, too.

  10. CooloutAC


    heres a quote from General Alexander. “The great irony is we’re the only ones not spying on the American people,” he quipped.

    almost 60% of the population is ok with these measures, even with all the media propaganda against it. Amazing. Probably because most American people have been victimized or have had a bad experiences online, or know someone who has.

    I’m sure we all figured they were already spying on our emails anyways.

    So i hope this traitor feels like an idiot for exposing something we’ve known about for 7 years. He should of known better and I find it very suspicious. I think like most hackers hes probably a little delusional, the way he embellishes. and I wonder if our enemies didn’t get to him to use as a propaganda tool.

    1. Andrew

      Surprisingly enough it doesn’t appear that Mr. Snowden made a meaningless gesture.

      In the past when issues such as these come to light they have, by the people I’ve known outside the security community, been disregarded as either conspiracy theory or responded to with “if you have nothing to hide …” rhetoric.

      The recent interest in IRS email interception (something I would imagine most readers of security blogs weren’t surprised to hear about), especially since it served as a platform for criticizing the US Admin., was seemingly close-to-home enough for ‘mainstream media’ to champion instead of under-the-rug-sweeping the issue. Although, as you say, people may have known or heard whispers about these programs in the past, him whistle-blowing at this time has made an interesting and notable stir. It could also be affect in the proceedings concerning Mr. Manning, which will set precedent for how whistle-blowing is viewed by courts.

      Why do you refer to him as a hacker, by the way? For being involved in infosec? Then I would imagine your broad judgement of the people in the profession extend those who design and operate the systems in question

    2. Richard Steven Hack

      “this traitor”?

      This is complete BS. Snowden is clearly a patriotic American who understands the proper limits of government better than you rightwing fanatics do.

      Not only does the government have no business doing this under the Constitution, it’s utterly ineffective as a means of combating terrorism as Bruce Schneier and many others have repeatedly pointed out.

      1. CooloutAC

        I’m actually a Democrat. I have no problems with it. They have been doing it for 8 years. Since 9/11 i have not noticed any difference in anybodies life.

        I’ve seen some people affected by it on the news, but nobody I didn’t think deserved it.

        I find it baffling this kid thinks hes exposing something everybody has known for 7 years. Keeps mentioning its for the good of the public, But most of the public is ok with it?!?? BECAUSE NOONE DISREGARDED IT AS CONSPIRACY WE ALREADY ASSUMED IT WAS GOING ON!!!! we needed proof? are you being serious? you didn’t know the gov’t was reading peoples emails and collecting phone records? come on man.

        Hes a contractor.. I don’t even know if I should consider him a Gov’t employee. I can’t believe they give them so much clearance. I think the problem is we are hurting for manpower. And this hacker mentality that hackers dont’ go after other hackers means they either become criminals or go to security firms…etc….noone goes for civil service. It probably pays less too.

        I hope he doesn’t have ideas of working for China now haha. Even Julian Asange was baffled by that choice of countries.

        I really do believe he fled the country for some other reason man and this is all just a cover. I just can’t figure it out it makes absolutely no sense to me at all. He exposed nothing, That should be obvious by now by Americas reaction.

        1. CooloutAC

          and i hope hes just embellishing like most delusional hackers about knowing every single intelligence agent in the country, or being able to listen to any phone convo at the push of a button….lmao…. the kid is sketchy to me.

      2. Robert

        I find it interesting how this issue crosses political boundaries. I’m far right wing and I think he’s a hero.

        Supporters of the spying should go read the writings of Thomas Jefferson as homework.

        1. CooloutAC

          How would you know how Thomas Jefferson would react to this? These are diff times. They had spies back then too. And if you think this is tyranny and a reason for revolution. Why don’t you try living in China and Russia, the countries who are spying on you more then the US Gov’t, and then come back and tell me about how tyrannical our Gov’t is….

          BK is a spy yet you read his blog? You support his blog dont’ you? your confused.

          America needs more of a computer education, or to get informed, more experiences online, and then maybe they would just call it policing instead of spying…

          1. CooloutAC

            actually most of America supports this already….

  11. United?

    What exactly would someone do with a hacked United account? Book flights? Transfer out points? I can’t quite figure out the value in that one.

    1. uyjulian

      Me either… steal credit card information? Book flights with the credit card linked? I don’t know.

      1. BrianKrebs Post author

        Beyond that, awards fraud is a big deal. But more on that in a future post 😉

    2. BrianKrebs Post author

      Sure. I’ve written about services in the underground that are basically full-fledged travel agencies, only they book the hotel, car rental and yes even flights with stolen cards and then charge the buyer about 30 percent of the cost of the charge.


      There isn’t just one of these shops: This is a fairly common service to find.

      1. voksalna

        Brian, while I always understood the possible criminal lure of ‘carding flight tickets’ in the 1990s it seems a bizarre choice today unless people do not know they’re buying things charged on stolen credit cards; with everything the way it is at airports now, it would be hard to say which would be bigger obvious risk — arrested for assumed name, or arrested under own name for travelling with carded tickets.

        I find this one of the more bizarre things that people will do. Don’t they get caught?

        Miles seem more likely for ‘real goods’ to drop addresses — is this a reasonable assessment?

        1. BrianKrebs Post author

          Carding in general is a fairly risky proposition. In this case, I’ve read a large number of the sales threads and almost everyone asks these very questions. Usually the responses come in from repeat customers who say they’ve never been stopped, or if they did get stopped would just play dumb and say they bought the tickets from a web-based travel agency. I recall reading a feedback from a repeat buyer who said that his return ticket was found out to be invalid but that the airline allowed him to continue by merely purchasing another ticket for that leg of the trip.

          1. voksalna

            I wonder if the airlines keep notes on cards used and/or names previously caught for this. I could perhaps see somebody ‘getting away with’ this one time (and that seems to require very ‘steel balls’ to me), but surely repeats are noticed?

  12. Ping

    You forgot: Sometimes lots of logins for pr0n sites 😛

  13. Anwar

    Great article Brian.

    I think this a great illustration of why people should take more care of their email accounts.

    In fact, a technique I highly recommend is creating a separate email account that controls access to your critical online accounts AND is NOT used for anything else.

    No personal emails, not subscriptions, nothing.

    I have one of these accounts, and other then sending verifications for account creations — this email never has outgoing emails.

    This email account require multi-factor auth AND I do not have access to it via any mobile device.

    The thing is, this is much easier than it looks and I rarely get an email to that account. Phishing attacks have not happened yet and it keeps my critical accounts “safer” from attack.

    Just something I have been using for a few years that others may find useful.

  14. facebook password breaker

    My brother suggested I might like this website.
    He was entirely right. This put up truly made my
    day. You cann’t believe simply how much time I had spent for this information! Thank you!

  15. ifindustries

    forgive me if it has been said, but one simple solution may be to pay for an email server (ie godaddy) and set up a catch all email account. then, when signing up for any service, forum etc use some fakename@yourdomain.com. All mail goes in, but should anyone attempt to hack that account they will find it does not exist.

  16. シャネル バッグ 新作


Comments are closed.