If asked to list all your most sensitive online accounts, chances are you'd mention banking, brokerage, and health accounts. Chances are you wouldn't include your email account. But in this day and age of online hacking and data breaches, your email address just might be the key to your identity, online and offline.
At first glance, it may not be obvious why email addresses are so sensitive. It makes perfect sense to take steps to secure online banking accounts since they are the gateway to real money. Most people wouldn't think their email accounts contain anything interesting beyond gossip about friends and family, and pictures. Sure, you might be embarrassed if some of that were made public, but is it really valuable to thieves? Yes. Cyber-criminals know that email accounts are a veritable gold mine of information, such as passwords to other accounts and other pieces of sensitive – and valuable – data.
Access to other accounts
Email addresses are increasingly the default way we identify ourselves online. Most sites let users register accounts with their email addresses instead of forcing them to create a separate username. If someone gets control of your email account, that person can search through your saved messages and easily figure out what other sites are associated with that address. Examples include online banking, social networking sites such as Facebook and Twitter, and shopping sites such as iTunes and Amazon. Just by seizing your email account, cyber-criminals now have access to every single online service and account you've signed up for using that email address.
Rather than try to brute-force the password, the criminals can simply request a password reset by clicking the "Forgot password" link on the site. The reset email is sent to the address on record, which is now under their control, so they can set the password to whatever they want. Read that again. Attackers can reset the passwords on all of your other accounts, and all they need is your email account to do so.
Worse, if you lose control of your Gmail account, you lose more than just your email address. Your calendar is exposed, which may raise questions about your physical safety if the attackers know where you will be at a given time. And if you have a conference call scheduled on your calendar, these same individuals can conceivably eavesdrop on your conversation, which could have serious implications for your job and your employer. If you store files on Google Drive, those work documents are now exposed. Attackers can also access your online persona, whether it's on Google+, YouTube, or even your blog. With that data, they can easily impersonate you and do incalculable damage to your reputation online.
If you're like many users, you may email password reminders and other sensitive information to yourself. For example, a friend of mine emailed the private key to her Bitcoin wallet to herself and keeps that email saved in her account, as if her email were an online vault. Have you applied for a mortgage in the past few years? If so, chances are good that you had to email scans of all sorts of information to your mortgage company. Are those scans still sitting in your sent mail? That's pure gold to an identity thief. Once the attacker has control over your email, some judicious searching will likely yield a lot of similarly useful and valuable information – even if you're not actually storing your Bitcoin wallet key or your past mortgage applications.
E-commerce sites worth their salt do not include the full credit card number in email receipts. However, recent cases of identity theft (such as the hack that saw Wired writer Mat Honan lose access to all his online accounts two years ago) show that attackers can still do tremendous damage with just the last four digits.
Spammers also want to take over your email account in order to harvest your contacts list to send spam and phishing messages. Your recipients, seeing your name in the From: header, will be more likely to fall for scams, such as the classic one claiming you are stranded in a foreign country and need money wired ASAP.
Secure your accounts
Cloudsweeper is a nifty project from a pair of researchers at the University of Illinois at Chicago. You grant access to your email account – only Gmail accounts at the moment – and the tool scans all the messages to figure out how valuable that account is to cyber-criminals. It looks at which other services send password reset emails or actual password text to the account, as well as which services use the email address as the account username. Cloudsweeper assigns a monetary figure to each piece of data it finds to estimate how much the account is worth on the underground market. Run it against your account: you might be surprised at how much it would be worth to thieves.
There are also a number of software applications that can scan your emails in Outlook and Mozilla Thunderbird to see if you have sensitive information that could be valuable to thieves. One great example is Data Discover from Identity Finder. Data Recon from GroundLabs is another good choice if you're worried about a business email account and want to scan for regulatory compliance vulnerabilities, but the starting price is a more business-appropriate £119. If you use an email client to access your email, try out one of these tools to find these pieces of data so that you can either delete them or encrypt them for safe-keeping.
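To show the kind of inventory these scanners build, here is a small offline scan added as an example; it is not code from Cloudsweeper, Identity Finder or GroundLabs. The regular expressions are assumed heuristics, the messages in sample_messages() are constructed samples, and scan_mbox() is assumed to be pointed at a real mbox file such as a Thunderbird folder.

```python
import mailbox
import re
from collections import Counter
from email.message import EmailMessage
from email.utils import parseaddr

PATTERNS = {  # assumed heuristics (not Cloudsweeper's rules) for the mail types the text describes
    "password-reset": re.compile(r"(reset|forgot)\s+(your\s+)?password|password\s+reset", re.I),
    "account-signup": re.compile(r"welcome to|account\s+(has\s+been\s+)?created|verify\s+your\s+(e-?mail|account)", re.I),
    "plaintext-credential": re.compile(r"\b(password|passwd|pin)\s*(is|[:=])\s*\S+", re.I),
    "private-key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
DOC_ATTACHMENT = re.compile(r"\.(pdf|jpe?g|png|tiff?)$", re.I)  # scanned documents, e.g. mortgage paperwork

def text_of(msg):  # subject plus every decoded text/plain part
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join([msg.get("Subject", "")] + [(p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts])
def classify(msg):  # set of exposure tags that apply to one message
    text = text_of(msg)
    tags = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if any(DOC_ATTACHMENT.search(p.get_filename() or "") for p in msg.walk()):
        tags.add("document-attachment")
    return tags
def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else "unknown"
def scan_messages(messages):  # sender domain -> Counter of tags: an inventory of linked services and stored secrets
    report = {}
    for msg in messages:
        tags = classify(msg)
        if tags:
            report.setdefault(sender_domain(msg), Counter()).update(tags)
    return report
def scan_mbox(path):  # e.g. a Thunderbird folder file or a Gmail Takeout .mbox export (assumed input)
    return scan_messages(mailbox.mbox(path))
def sample_messages():  # constructed sample mail, not real, so the scan can run offline
    specs = [("noreply@bank.example", "Reset your password", "Click the link to reset your password.", None),
             ("hello@shop.example", "Welcome to Shop", "Your account has been created.", None),
             ("me@mail.example", "note to self", "wallet password: hunter2", None),
             ("me@mail.example", "mortgage docs", "scans attached", "id_scan.pdf"),
             ("friend@mail.example", "lunch?", "Still on for Tuesday?", None)]
    out = []
    for sender, subject, body, attachment in specs:
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = sender, "me@mail.example", subject
        m.set_content(body)
        if attachment:
            m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename=attachment)
        out.append(m)
    return out
```

Each domain in the report is a service that can reach your inbox with a reset link or that you have registered with, and each credential or document hit is something to delete or encrypt.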
Considering how valuable your email account is, it's critical that you make it hard for someone else to break in. Select an extremely strong password – long, with lowercase and uppercase letters, numbers, and punctuation. Most importantly, don't use the same password anywhere else. A password manager makes it practical to keep a password that strong and that unique.
Be careful about phishing emails and scrutinise every message that asks you to log in and verify your information. A password manager is useful here too, since it will generally notice when you are asked for a password on a phishing site rather than the real one. Better still, go to the site by typing the URL yourself rather than following a link in the message.
If your webmail provider offers two-factor authentication, and most major ones do, enable it. This way, even if attackers steal your password, they can't break in unless they also have your key fob or mobile phone.
Your email address is the key to your identity kingdom. Protect it – today.