Account hacked – what do I do?

My account has been hacked?

You suspect that the credentials for one of your accounts have been made available to an unauthorized party.

We have informed you that we have detected abuse of the credentials for one of your accounts?

Don't panic

What happens now?

Immediate measures

We
have probably locked access to your account. Logging in to your account is therefore no longer possible. This also affects the sending of e-mails. Mail reception is not interrupted, but access to your mailbox is no longer possible.

 

Root Cause Rectification

You
need to assess how your password was compromised.
  • Mails that mimic official mails and try to mislead you into entering your account credentials on some (external) website. Common false pretences are
    • "Your account data must be updated"
    • "Your maximum mailbox size has been reached, please click here to automatically increase your mailbox quota"
    • "Some of your mails have been quarantined and you must release them manually"
  • Public computers are not trustworthy. This includes in particular internet cafes and public computers in hotels or conferences.
  • If the root cause cannot be determined, one of your computers is presumably infected with malware.
You
check your computer for malware. Infected computers need to be checked and cleaned, since any password entered on an infected computer should be immediately assumed to be compromised. Ask for help from your local IT support or from the RZ service desk. In case of doubt the computer should be reinstalled.
  • change the password for the affected account(s).
  • check your inbox rules. Perpetrators are known to configure inbox rules to obfuscate their actions, e.g. by adding a rule to immediately delete all incoming messages.
You
  • If you use the same password for multiple services, assume that it needs to be changed for every service. (This is also why you should not re-use the same password for multiple services. Please use a password manager and its function for generating secure, long passwords.)
  • If you stored the password on a device/in a program, the password must be changed on the device/in the program. If you forget to change the saved password somewhere, this might result in an automatic account lock due to multiple unsuccessful login attempts.
  • If you used your email address for university-external services, it is possible that unauthorized actors used the "reset password via email" function to gain access to such services. Please check that you can still log in to such services.
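The inbox-rule check from the list above can be done systematically. The following is an added example, not part of the original page: it audits an exported rule list and goes beyond the delete-everything rule mentioned above by also flagging external forwarding and rules that hide security-related mail. The rule format, field names, domains and sample rules are constructed assumptions, not a real mail system's schema.

```python
# Constructed sample rules. Field names (name, conditions, actions,
# forward_to) are hypothetical, not taken from any real mail system.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from": "news@example.org"},
     "actions": ["move"], "forward_to": []},
    {"name": ".", "conditions": {}, "actions": ["delete"], "forward_to": []},
    {"name": "backup", "conditions": {}, "actions": ["forward"],
     "forward_to": ["collector@external.example"]},
    {"name": "sec",
     "conditions": {"subject_contains": ["password", "security alert"]},
     "actions": ["mark_read", "move"], "forward_to": []},
]

OWN_DOMAINS = {"example.edu"}  # assumption: domains treated as internal
HIDING_ACTIONS = {"delete", "move", "mark_read"}
ALERT_WORDS = {"password", "security", "hacked", "suspicious"}


def audit_rule(rule):
    """Return the reasons why a rule deserves a manual look (empty if none)."""
    reasons = []
    conditions = rule.get("conditions", {})
    hides = set(rule.get("actions", [])) & HIDING_ACTIONS

    # A rule without conditions matches every incoming message.
    if not conditions and hides:
        reasons.append("hides all incoming mail: " + ", ".join(sorted(hides)))

    # Forwarding outside your own domains copies mail to a third party.
    external = [a for a in rule.get("forward_to", [])
                if a.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS]
    if external:
        reasons.append("forwards externally: " + ", ".join(external))

    # Rules that hide warnings or password mails keep the owner unaware.
    subjects = [s.lower() for s in conditions.get("subject_contains", [])]
    hits = sorted(w for w in ALERT_WORDS if any(w in s for s in subjects))
    if hits and hides:
        reasons.append("hides mail mentioning: " + ", ".join(hits))
    return reasons


def audit(rules):
    """Map rule name -> reasons, for rules with at least one finding."""
    findings = {rule["name"]: audit_rule(rule) for rule in rules}
    return {name: reasons for name, reasons in findings.items() if reasons}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

Any rule you did not create yourself should be deleted, including ones this check does not flag.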

 

Back to normal

We
unlock your account.
You
check whether your mailbox contains messages with special categories of data about third parties (e.g. exam grades, medical data, etc.). In this case an official data breach notification to the data protection authority (Landesaufsichtsbehörde für den Datenschutz (ULD)) might be required. If you think this applies, you should make that notification in cooperation with the data protection officer of the university.
You
inform your communication network. In the past, fragments of stolen mails were used to distribute malware as replies to previous mails.