Email Account Compromises: How They Happen and How to Prevent Them
Email account compromises are increasing every year. Once an attacker has access to your email, they have access to everything: password resets for every online account, financial communications, personal conversations, and the ability to impersonate you to your contacts.
How accounts get compromised
1. Credential stuffing
The most common method. Attackers take username/password pairs from data breaches (billions are publicly available) and try them on email providers. If you reused your password from a breached service, they are in.
2. Phishing
A fake login page that looks exactly like Gmail, Outlook, or your company's portal. You enter your credentials, and the attacker captures them. Modern phishing pages even relay your input to the real service in real time, capturing your 2FA code along with your password. See The Anatomy of a Phishing Email for how to spot them.
3. Malware
Keyloggers and info-stealers installed via malicious email attachments, drive-by downloads, or compromised software. These capture everything you type, including passwords.
4. Session hijacking
Attackers steal your browser session cookies (via malware or man-in-the-middle attacks on public WiFi) and use them to access your account without needing your password at all.
Warning signs
- Unexpected password reset emails that you did not request
- Sent emails in your outbox that you did not write
- Login notifications from locations or devices you do not recognize
- Contacts telling you they received strange emails from you
- Missing emails (the attacker deleted them to cover their tracks)
- Changed account settings (forwarding rules, recovery email, phone number)
The two things that stop almost all compromises
1. Unique passwords (via password manager)
Credential stuffing only works if you reuse passwords. A password manager generates and stores a unique, random password for every account. One breach does not cascade to your other accounts.
2. Two-factor authentication
Even if your password is stolen, 2FA requires a second factor (authenticator app code, hardware key) to log in. This blocks credential stuffing, most phishing, and malware that only captures passwords. Enable 2FA on your Cleanbox account and on your email provider.
Use authenticator apps (Google Authenticator, Authy) or hardware keys (YubiKey). Avoid SMS-based 2FA — SIM swapping attacks can intercept text messages.
What to do if you are compromised
- Change your password immediately on the compromised account
- Check for forwarding rules — Attackers often set up silent forwarding to receive copies of your email even after you change the password
- Review connected apps — Revoke access for any OAuth apps you do not recognize
- Enable 2FA if not already active
- Check your activity log for unauthorized actions
- Alert your contacts that your account was compromised — they may have received phishing from "you"
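The forwarding-rule, connected-app and activity-log checks from the list above can be run as one audit. The following Python script is an added example, not part of the original article: it compares a constructed account-settings export against what the owner recognizes. The export layout and every field name are assumptions; real providers expose this data in their own formats.

```python
# Constructed sample of an account-settings export (hypothetical field names).
ACCOUNT = {
    "recovery_email": "alice.backup@example.com",
    "forwarding_rules": [
        # Same address as the recovery mailbox, written with different case.
        {"name": "Backup copy", "forward_to": " Alice.Backup@Example.com"},
        # Unnamed rule pointing at a mailbox the owner never configured.
        {"name": "", "forward_to": "inbox-copy@mail-relay.example.net"},
    ],
    "oauth_apps": ["Calendar Sync", "PDF Converter Pro"],
    "logins": [
        {"device": "laptop-01", "country": "DE"},
        {"device": "unknown-android", "country": "BR"},
    ],
}

# What the account owner recognizes (constructed).
KNOWN = {
    "addresses": {"alice.backup@example.com"},
    "apps": {"Calendar Sync"},
    "devices": {"laptop-01", "phone-01"},
}


def norm(addr):
    """Normalize an address so case or stray whitespace cannot hide a match."""
    return addr.strip().lower()


def audit(account, known):
    """Return (kind, detail) pairs for every setting the owner does not recognize."""
    findings = []
    for rule in account.get("forwarding_rules", []):
        target = norm(rule["forward_to"])
        if target not in known["addresses"]:
            findings.append(("forwarding", target))
    recovery = account.get("recovery_email")
    if recovery and norm(recovery) not in known["addresses"]:
        findings.append(("recovery_email", norm(recovery)))
    for app in account.get("oauth_apps", []):
        if app not in known["apps"]:
            findings.append(("oauth_app", app))
    for login in account.get("logins", []):
        if login["device"] not in known["devices"]:
            findings.append(("login", f"{login['device']} ({login['country']})"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(ACCOUNT, KNOWN):
        print(f"{kind:15} {detail}")
```

Every finding is something to remove or revoke after the password change, since a forwarding rule or OAuth grant keeps working with the new password.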
How aliases help
Aliases do not prevent your email account from being compromised. But they limit the damage. If you use a unique alias per service, an attacker who compromises one service gets an alias that only works for that service — not your real address, not your other accounts, not your email login.