Why Email is a Key to Your Castle
May 21, 2013 – 6:08 PM
Having control over an email account can be a lot of power, even though most people would probably say they do not care if someone else is reading their private emails. But it’s not always about reading those private emails. Of course there have been quite a few attacks where secrets were revealed by snooping through emails of hacked accounts. The reasons range from jealous spouses searching for proof of an assumed affair to matters as serious as corporate espionage, in which certain parties are seeking essential information about a critical deal. Other attackers may use the compromised account to send social engineering messages to all contacts stored in the email account, posing as the person whose account has been hacked.
Nowadays an email account is about much more than just sending and receiving emails. Many free service providers like Microsoft or Google have various additional services attached to email accounts. Having access to these accounts means having access to such things as private photos that were uploaded to the account. There have been a few cases where attackers broke into email accounts and found sensitive pictures, like naked photos, and then blackmailed the owner of the account. While most people are smart enough not to upload such pictures, the integrated cloud storage that is now available with many services means there may be all kinds of files stored in those accounts, such as password files, license files, tax records, passport scans, company documents, and more.
The power of an email account can be even larger than this, as its scope is much greater. Many online services use the email address as a user name. Therefore, knowing the email address and the email account password can give the attacker access to many different accounts besides the one at the email provider, even if the user does not use the same password on different services, because many services offer to reset a forgotten password through email. Controlling the email account means controlling the password reset emails of other services, and therefore gaining access to many different services regardless of which password each one uses.
Every time there is a data breach and email addresses and passwords are publicly posted, other attackers will take this information and start new attacks with it. The first thing they usually try is to check whether the same password also gives access to the email account.