How Your Email Account Could be the Weakest Link to Your Online Accounts

Our personal email accounts enable us to send and receive messages instantly with people all around the world. While we primarily use our email accounts for communication, many of us also use them to sign up for other accounts such as online banking, online shopping, social networks, and even alternative email accounts. But have you considered the possibility that your personal email account could be the weakest link? By “weakest link”, we mean that a compromised email account could result in the accounts connected to it being compromised too. That’s why it’s important to address email security from the get-go.

Where the weakness lies
The way you sign into your personal email account is by entering your username and password and then clicking “Sign In”. For some email providers, if you can’t access your account because you do not remember your password, you can simply click “Forgot password” or “I can’t access my account”. From there you are presented with a security question that you must answer correctly, whereupon you are prompted to create a new password before regaining access to your account. Unfortunately, this is where the weakness lies.

Your email account may be secured by the most complex password, but that alone is not enough to keep hackers out. A hacker can simply click the same “Forgot password” or “I can’t access my account” link that you would use if you forgot your password and try to guess the answer to your security question. After all, “fluffy” is much easier to guess than “!Am7h3R3a7N8p5ter”.

So how exactly could a hacker compromising your personal email account lead to the online accounts associated with it being compromised as well?

How your other online accounts could be compromised
Let’s first assume a hacker has gained access to your personal email account. There is now a good amount of information they might be able to extract from it. If you’re the type of person who emails yourself the login credentials for your online accounts, then you’ve practically handed the hacker the login credentials for those accounts too. Even if you’re not the type to email yourself login credentials, the online accounts connected to your personal email account could still be compromised.

Let’s use Facebook as an example. Assuming a hacker has gained access to the email account connected to your Facebook account, they can go to Facebook and simply initiate a password reset. Upon entering that email address and clicking “Continue”, Facebook asks “How would you like to reset your password?” and offers the option “Email me a link to reset my password”. Though some characters of the email address shown are masked with asterisks, it is quite easy to tell whether it is the same address the hacker has just gained access to.

[Screenshot: Facebook password reset]

After clicking “Continue”, Facebook sends a code to the email address associated with the Facebook account.

[Screenshot: Enter code]

Since the hacker has already gained access to your personal email account, they can simply click “Continue” and wait for the password reset email to arrive in your inbox.

[Screenshot: Facebook password change]

After receiving the code in Facebook’s password reset email and entering it into the field, the hacker is prompted to choose a new password. At this point, not only has the hacker gained access to your account, but you have also lost access, since the password now in use is known only to the hacker.

[Screenshot: Choose new password]

How to strengthen the security of your email accounts
Don’t share too much online
Let’s first revisit “fluffy”, mentioned above as the answer to your email account’s security question. How did the hacker manage to guess “fluffy”?

Take a look at the sample list of security questions below. You can see that “What was your first pet’s name?” is listed. In fact, you could probably answer many of these questions for a friend or family member.

[Screenshot: List of security questions]

One thing a hacker might do is search the Internet for information to aid in guessing the answer to your security question. Social networks such as Facebook and LinkedIn are a goldmine of personal information that could be exploited by someone with malicious intent. If you have a photo of your dog Fluffy on your Facebook page, it’s not a good idea to use “fluffy” as the answer to a security question for any of your online accounts. Likewise, if the answer to your security question is your favorite author, it’s not a good idea to publicly announce on social networks that your favorite author is Tom Clancy. You get the idea.

Enable two-factor authentication for your email accounts
If at all possible, we recommend not relying on security questions as a way to regain access to your email account if you forget your password. Even if you create your own security question rather than using the default question provided by your email service provider, the answer is still guessable. Moreover, a security breach at your email service provider could result in your email address and password being exposed.

Here is where two-factor authentication comes into play.

Two-factor authentication requires an additional factor, such as a passcode sent to your mobile phone, to be entered before access to an account is granted. This additional check is triggered when a login is initiated from an unknown browser or device. The beauty of two-factor authentication is that it really doesn’t matter if the hacker got hold of your actual password: without the additional factor, the code sent to your phone, the hacker simply cannot gain access to your account. Below are links to enabling two-factor authentication not only for your email accounts but also for your Facebook and LinkedIn accounts.

How to turn on two-factor authentication for your email accounts
How to turn on Login Approvals for Facebook
How to turn on two-step verification for LinkedIn

Although many email service providers are doing away with security questions because of their inherent flaws, some still use them. With that said, we suggest you check whether your provider offers two-factor authentication. Also be sure to check whether your other online accounts, such as online banking, credit card, investment and trading, and shopping accounts, offer two-factor authentication. It may be less convenient to take an additional step to access your account, but you’ll be glad you did, knowing you have another layer of security guarding your online accounts!
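As an added illustration of the login rule described above and of the reset chain walked through earlier (example code written for this page, not code from the original post or from any provider it names), here is a small Python model of an account where the second factor is an RFC 4226 HOTP code that the server would text to the enrolled phone: the code is demanded only from devices not yet trusted, and a password reset demands the same code rather than only an emailed link. The account layout, device names and the PBKDF2 password hashing are assumptions made for the example.

```python
import hashlib, hmac, os, struct
from dataclasses import dataclass, field

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password, i.e. the code a server texts to a phone."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

@dataclass
class Account:                   # assumed layout for the example
    salt: bytes
    password_hash: bytes
    otp_secret: bytes            # shared only between the server and the enrolled phone
    counter: int = 0             # HOTP counter; advances after every accepted code
    trusted_devices: set = field(default_factory=set)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, otp_secret: bytes) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), otp_secret)

def _check_otp(acct: Account, otp: str) -> bool:
    if not hmac.compare_digest(otp, hotp(acct.otp_secret, acct.counter)):
        return False
    acct.counter += 1            # a used code can never be replayed
    return True

def login(acct: Account, password: str, device_id: str, otp: str = "") -> str:
    if not hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
        return "denied"
    if device_id in acct.trusted_devices:
        return "ok"              # known browser/device: no second factor prompted
    if not otp:
        return "otp_required"    # unknown device: the password alone is not enough
    if not _check_otp(acct, otp):
        return "denied"
    acct.trusted_devices.add(device_id)
    return "ok"

def reset_password(acct: Account, new_password: str, otp: str) -> bool:
    if not _check_otp(acct, otp):   # owning the inbox alone cannot complete a reset
        return False
    acct.salt = os.urandom(16)
    acct.password_hash = _hash(new_password, acct.salt)
    return True
```

With this rule in place, a stolen or guessed password yields only “otp_required” from an unfamiliar device, and a reset request started from a hijacked inbox stops at the same point.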


13 comments on “How Your Email Account Could be the Weakest Link to Your Online Accounts”

  • As someone who spends time on network security, I can tell you there are NO good security questions. Google it. All the true security sites will say the same thing.

    Strong passwords, 2 factor verification, and any security question that you are sure isn’t answered on any social networking sites help a lot!

  • Considering how many people access accounts using smart phones, sending a pass code to your phone doesn’t make sense. If the phone is lost or stolen you have no option left. Better security is to not reveal visible/readable info on any site that would be essential to access an account. Make it more difficult to intercept account information by using encryption. Update the access info from time to time and close accounts that you suspect have been compromised. It is better to create new ones. Don’t rely entirely on memory or other people’s methods. Keep password protected copies of account names, passwords and keys on removable media in safe places known only to you. Erase history that you don’t need for current sessions. The more physical (not logic) obstacles to overcome, the less likely your data will be stolen or tampered with by remote control.

    • Very true that you can lose your phone or it can get stolen. However, the point of this blog is to focus on how to protect your email account, so that your other accounts don’t get compromised. Two-factor authentication is one layer of security you can put in place to protect your account.

  • “If at all possible, we recommend not relying on security questions as a tool to gain access to your email account in the event you do forget the password to your account.”

    Good advice, but we users are not the ones who choose to base the system security on security questions. That bad decision is being made by the “security experts” banks and other institutions foolishly decide to trust.

  • ALSO… a lot of websites use an email address as your login – it’s unique, you remember it, they need it anyway, so it works for them. Then they ask for a password. How many of us use the self same password that we use for that email account??? Now, what if a hacker manages to get to your email password? I leave the rest to your imagination. I personally include a few characters in my password that are unique to that account (inc. my email account).

  • This was very interesting, and I will post it to my friends. I despise hackers, they are the scum of the bottom of a pond, the punishment for this should be birching them in public. They really are the filth one stands in. Thanks for the info.

  • I would love to have the two factor authentication but when one does not have mobile cover at home and can’t get the SMS, it is impossible. Rural living has some drawbacks.

    • There may be alternative options such as hardware that provides two-factor authentication. We suggest you research on the web to see if any of those devices suit your needs.

  • Two-factor authentication sounds great, until you realize you have given another piece of information – your mobile number – to Facebook, Google, LinkedIn and whoever else, and that they cannot and do not protect this information.
