I believe my email account has been hacked. I've changed the password but it's still generating draft emails with no recipients and no text in the email body. It generated 2 this morning at 4am after the password was changed. Can anyone please help or advise what to do next?
To link this topic to your TalkTalk Mail service, in preparation for direct help from TalkTalk support, please check your Community Profile includes in Personal Information (Click here):
Your name, current TalkTalk landline 'phone and alternate number (mobile preferred). Add your full address with postcode (location). Then scroll down to Private notes to add email address(es), notes and references etc and then save changes.
The implication is that a hacker still has control of your mailbox / access to your mailbox. So disconnect all devices that you use to view your emails / sign out of email and then scan your devices and remove viruses, remote access trojans and other malware that could either have control of a device or be capturing passwords so a hacker still has access.
Then change the password once more. I recommend basing a 12-15 character password on multi-word, multicase letters and numbers and a symbol.
Just, for the moment, login only to TalkTalk Mail (webmail). Is your mailbox on the TalkTalk Mail platform?
Compose and send the same mailbox a mail message. Check that the message sends without error, is copied into the Sent objects folder and arrives and stays in the Inbox. Mail not reaching the Inbox could mean there's a Filter rule, including Auto forwarding which is a special filter rule, that's diverting, discarding or blocking mail.
Let us know of any error message, or if mail does not arrive in the Inbox or disappears from the Inbox.
Thank you. I've found six rules in the mail forwarding section which I've deleted. 2 were diverting emails to another mailbox that were from Amazon, 4 were deleting emails from things like maildaemon, postmaster. I've got screenshots of them all. The email sent correctly, is in the sent folder and arrived in the inbox. The only thing that's worrying me is the draft emails that I haven't written. 2 were written on Monday evening, 5 on Tuesday evening and 2 at 4am this morning. I'm at work at the moment so will have to update personal details tonight. The only thing currently connected to the mail server is my iPhone and through webmail on a different PC. Password was changed yesterday afternoon.
Really appreciate the help.
This is classic hijacking of a mailbox to try and hide the activity of obtaining access to your other online logins like Amazon.
So, having deleted Auto forward and unauthorised Filter rules you're well on the way to recovering. Just ensure the Reset Details are yours and haven't been changed to allow the hacker the ability to change the password and lock you out.
If the former email password was used anywhere else or simply was easily cracked then you'll need to review your other online logins. Don't forget, only use a scanned and clean device to change passwords. Changing your email password
You may be able to find out about other online data breaches at www.haveibeenpwned.com
Yes, my mailbox is on the TalkTalk platform. It's an "@tiscali.co.uk" one. I've updated my personal details.
If I click on update reset details, nothing happens
You should see a modal window overlaid on the TalkTalk Mail page that gets greyed out.
If you don't see that pop-up window then maybe your browser or add-on(s) are blocking it from appearing. Try running the browser in safe mode / all add-ons or extensions disabled. Or try a different browser.
Thank you, changed to Firefox and the pop-up window came up. The recovery details were correct. So I've found the email diverts and cancelled them, and changed my password. Is there anything else I should do (apart from change all my passwords of course)? I'm still not clear how it seems to be sending automatic emails though?
I'm not clear either on how a hacker can be signed in unless it's via one of your devices. In 2014/15, when the first appearance of these 'unfinished drafts' was noted in Yahoo Mail and then Gmail, it was determined that they were part of a Remote Access Trojan's command and control setup.
The strange drafts appearing even after a mailbox password change has been noted by others so it's a key issue to be investigated further so definitive guidance can be offered.
The session authentication cookies should prevent continued access after a password change. But if a hacker has remote access to a device then it's still possible to view saved passwords and get access to a mailbox.
Let us know if you find anything conclusive from the security scans or other observations.
Hi kazziebear1, Gondola will help you get this sorted. Please let us know how you get on.
Hi again, to confirm, I am only accessing emails at the moment through an iPhone and a friend's PC that hasn't been involved until now. Therefore I'm not sure what scans can be done. Anyway, password changed twice and still getting draft emails generated, 7 in the last 24 hours, all with no body text, all with no recipients and all with the same subject. I deleted all rules in the filters section, 2 were diverting Amazon emails, they were labelled "." and "..". There were also 4 other rules labelled rule0, rule 1, rule 2 and rule 3. These rules were set to discard emails that contain "postmaster@", "mailer-daemon@", "mail-daemon@" & "Mail Delivery". All 6 rules were deleted on the 3rd September. The rules 0-3 have reappeared today. Could these be genuine system-generated filters from TalkTalk or are they more likely the work of a hacker please? The rules to divert Amazon emails have not reappeared. I have deleted these new rules as well for now. Hope you can help.
Just to confirm that TalkTalk do not set up Filter rules to operate within customer mailboxes.
So, the indication is that a hacker still has access to your mailbox and is continuing to make the changes to Filter rules. Could also have changed Auto forward and Reset details so check these out as well.
Scan devices to remove viruses, Remote Access Trojans and other password capturing malware.
Via the TalkTalk Mail sign in and the main Settings menu, please check your Reset Details are correct and available to you.
Sign out all devices and then set about Changing your email password using a 12-15 character multi word password using multicase letters, numbers and a symbol.
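An added example, not code from TalkTalk or anyone in this thread, showing how the filter rules described above can be audited mechanically: it flags rules that silently discard bounce and delivery-failure notices, rules that redirect mail to an address outside your own domain, and rules whose names are only punctuation. The rule list, the redirect target and the domain set are constructed for illustration.

```python
# Added example (not TalkTalk's code): audit mailbox filter rules for the
# two patterns seen in this thread: rules that silently discard bounce /
# delivery-failure notices, and rules that redirect mail to an outside address.
from dataclasses import dataclass

# Sender/subject markers whose suppression hides a hijack: the owner never
# sees bounces or mailer-daemon messages for mail the intruder sent or diverted.
BOUNCE_MARKERS = ("postmaster@", "mailer-daemon@", "mail-daemon@", "mail delivery")


@dataclass
class FilterRule:
    name: str
    match: str          # text the rule matches on (sender or subject)
    action: str         # "discard", "redirect" or "move"
    target: str = ""    # redirect address or folder, if any


def audit_rules(rules, own_domains):
    """Return (rule name, reason) pairs for rules the mailbox owner should review."""
    findings = []
    for r in rules:
        m = r.match.lower()
        if r.action == "discard" and any(k in m for k in BOUNCE_MARKERS):
            findings.append((r.name, "discards bounce/delivery notices"))
        elif r.action == "redirect":
            domain = r.target.rsplit("@", 1)[-1].lower()
            if domain not in own_domains:
                findings.append((r.name, f"redirects mail to external address {r.target}"))
        if not any(ch.isalnum() for ch in r.name):
            findings.append((r.name, "rule name is only punctuation, easy to overlook"))
    return findings


# Constructed sample mirroring the rules described in the thread; the redirect
# target address is a placeholder, not a real one.
SAMPLE_RULES = [
    FilterRule(".", "from:amazon.co.uk", "redirect", "someone@example.net"),
    FilterRule("..", "from:amazon.com", "redirect", "someone@example.net"),
    FilterRule("rule0", "postmaster@", "discard"),
    FilterRule("rule1", "mailer-daemon@", "discard"),
    FilterRule("rule2", "mail-daemon@", "discard"),
    FilterRule("rule3", "Mail Delivery", "discard"),
    FilterRule("newsletters", "from:news@", "move", "Newsletters"),   # benign control
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, {"tiscali.co.uk"}):
        print(f"review rule {name!r}: {reason}")
```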
There are no connections that I have to email apart from my phone which is running email via the iPhone installed app. I have deleted that account. The problem is still happening. I have been told that the emails are being generated from a web-based client, the originating client is open-xchange-appsuite with the X-Mailer Open-Xchange Mailer v7.8.4-Rev71. I have been advised to ask if there is any way of terminating all connections to my email.
I've also just noticed these three emails in the trash. I've blanked out where my name is.
Open-Xchange Mailer v7.8.4-Rev71 is the TalkTalk Mail platform. It's what would be seen if a hacker was signed in to your mailbox via webmail because the originating client is open-xchange-appsuite.
The key thing is the originating IP address.
Is that also your public IP address? Go to Google search and key in What's my IP. The originating IP address will tell TalkTalk whether that's a hacker accessing via your device / your broadband connection or from their own IP address.
The trash items appear to indicate a date of 22nd of last month.
Now that we know the drafts are originated via webmail you could set TalkTalk Mail for automatic sign out after 5 minutes.
Sign out of webmail using the Sign out icon extreme top right header and then delete the apps.talktalk.co.uk cookies.
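An added example, not code from TalkTalk or from the Open-Xchange platform, of the header check described above: it reads a suspect draft's headers, reports the client that created it and pulls the originating IP from the Received chain so it can be compared with your own public IP. The headers are constructed (the X-Mailer value is the one quoted in this thread; the IP addresses are documentation-range placeholders), and the X-Originating-Client header name is an assumption.

```python
# Added example (not the mail platform's code): triage a suspect draft/sent
# message by client fingerprint and originating IP address.
import re
from email import message_from_string
from email.message import Message

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg: Message):
    """Client IP from the first hop. Received headers are prepended as mail
    travels, so the last-listed one is the earliest hop."""
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None


def triage(raw_message: str, my_public_ip: str):
    msg = message_from_string(raw_message)
    ip = originating_ip(msg)
    # Assumed header name: the thread only says the "originating client" was
    # open-xchange-appsuite, which is the platform's own webmail front end.
    client_hint = (msg.get("X-Mailer", "") + " " + msg.get("X-Originating-Client", "")).lower()
    return {
        "client": msg.get("X-Mailer", "unknown"),
        "webmail": "open-xchange" in client_hint,
        "originating_ip": ip,
        "from_own_connection": (ip == my_public_ip) if ip else None,
    }


# Constructed sample; 203.0.113.5 and 198.51.100.7 are placeholder addresses.
SAMPLE_DRAFT = """\
Received: from mx.example.invalid by mail.example.invalid; Wed, 4 Sep 2019 04:02:11 +0100
Received: from [203.0.113.5] by webmail.example.invalid with HTTP; Wed, 4 Sep 2019 04:02:10 +0100
From: Kxxxx Mxxxxxx <user@example.invalid>
X-Originating-Client: open-xchange-appsuite
X-Mailer: Open-Xchange Mailer v7.8.4-Rev71
Content-Type: text/html; charset=UTF-8

<p><br></p>
"""

if __name__ == "__main__":
    # Replace the second argument with the result of a "what's my IP" lookup.
    print(triage(SAMPLE_DRAFT, "198.51.100.7"))
```

A result with webmail set and an originating IP that is not your own connection matches what this thread concludes: a sign-in with the password, not malware on your device.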
The IP address for those mails is 188.8.131.52 Oman telecommunications company. Domain name I184.108.40.206.omantel.net.om.
I changed my password last night on a PC. I had viewed my mails on a friend's iPhone previously and was able to view my emails on his phone this morning without the new password but couldn't compose mail or access settings on his phone until I logged out and back in with the new password.
The originating IP address and webmail sign in is pointing to a compromised password being used to sign in to webmail by a hacker probably in Muscat, Oman.
So as far as the creation of the drafts is concerned that wasn't remote access via your device just a remote login. The system's unique session ID should prevent concurrent webmail sign ins from different IP addresses.
Did you set the Automatic sign out to 5 minutes? You should see a count-down to sign out whenever the webmail has been idle for 5 minutes.
The key thing going forward is to determine that the unauthorised activity has ceased and your password is secure.
I did set up the 5 minute log out. However what I've found is that of course, you can override that every five minutes by pressing cancel at the countdown prompt. What is more concerning is that if you close the window and come back to it on a pc after 15 minutes you still have access. So to retain access, all you have to do is press cancel at each prompt or close the window during periods of inactivity.
The draft emails were generated after password change. This is the same for the reintroduction of the filter rules, again they were done after 2 password changes.
Something doesn't seem that secure to me regarding the webmail platform but then I'm not an IT expert.
With regard to the draft emails, are you saying the system has generated those emails as a result of someone trying to log in?
Here's what's listed in the view source of the header of the draft email:
From: Kxxxx Mxxxxxx <email@example.com>
Reply-To: Kxxxx Mxxxxxx <firstname.lastname@example.org>
Content-Type: text/html; charset=UTF-8
X-Mailer: Open-Xchange Mailer v7.8.4-Rev71
<p style="font-size: 12pt; font-family: helvetica,arial,sans-serif; color: rgb(51, 51, 51);"><br></p>