Q: What should I do if my MIT Kerberos account is compromised?
- My MIT email account got hacked and all the emails in my inbox got deleted!! Is there any way that they can be restored?
- My MIT email account got hacked - I'm getting a lot of bounce messages from people I never emailed!
- My MIT email account got hacked and all new email sent to me is automatically deleted! What should I do?
- My MIT email is compromised and a spammer is controlling it! What should I do?
- I got an email that told me to click on a link and type in my MIT username and password, and I did. Was that a bad idea?
- I'm getting a lot of Duo requests that I didn't initiate, what does that mean?
Answer
Change your password
First, change your kerberos password.
Don't re-use your old password anywhere, ever. Use a password manager, such as LastPass, to generate a strong, unique password for each account. Attackers buy and sell lists of breached passwords and use them to try to break into other accounts you may have.
Check your Duo factors
Make sure that the attackers did not add an additional phone number to your Duo profile.
Check your mail forwarding settings
Make sure that your email is not split or forwarded to an email address that isn't yours.
Check for any new lists that may have been created
Visit WebMoira to view the lists you can administer and the lists you belong to.
Remove unwanted inbox rules
Commonly, the hacker logs into your email account through Outlook on the Web and changes settings to make sending spam easier. To clean up, you need to find and undo these changes.
- Start by logging into Outlook on the Web.
- Open Settings with the gear button, then go to Mail > Compose and Reply.
- Under "Settings", check to see if the spammer put a (spam) signature on your email.
- If you find a strange signature, remove it.
- Under "Rules", check to see if the spammer added an inbox rule to your account that might automatically delete all incoming mail.
- Look for rules you didn't create, especially where the action is "delete" or "forward".
- Look for rules with strange names like "." or ".." or a common phrase that may be trying to hide their presence among legitimate rules.
- If you find strange Inbox rules, use the trash icon to remove the rules.
- Review your other options for anything else out of place.
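The same checks as a script, as an added example that is not part of the original page: it runs the heuristics above (dot-only names such as "." or "..", delete actions, forwards or redirects to an address that isn't yours) over a constructed export of inbox rules. The field names and the owner's domain are assumptions modelled on Exchange Online's inbox-rule properties, not data from this page.

```python
import re

# Constructed sample of a mailbox's inbox rules (not real data). The field
# names are assumptions modelled on Exchange Online's inbox-rule properties
# (Name, DeleteMessage, ForwardTo, RedirectTo, ForwardAsAttachmentTo).
SAMPLE_RULES = [
    {"Name": "Newsletters to folder", "MoveToFolder": "News"},
    {"Name": ".", "DeleteMessage": True},
    {"Name": "Re: Invoice", "ForwardTo": ["Billing <attacker@example.net>"]},
    {"Name": "Team updates", "ForwardTo": ["colleague@mit.edu"]},
]

OWN_DOMAINS = {"mit.edu"}  # assumption: domains the mailbox owner controls

def _addr_domain(addr):
    """Return the lowercase domain of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"<([^>]+)>", addr)
    return (m.group(1) if m else addr).rsplit("@", 1)[-1].lower()

def suspicious_reasons(rule, own_domains=OWN_DOMAINS):
    """List why one inbox rule looks like attacker clean-up (empty if it does not)."""
    reasons = []
    name = (rule.get("Name") or "").strip()
    # Names like "." or ".." (or none at all) hide among legitimate rules.
    if not name or re.fullmatch(r"[.\s]+", name):
        reasons.append("unnamed or dot-only rule name")
    # A delete action silently discards all incoming mail.
    if rule.get("DeleteMessage"):
        reasons.append("deletes incoming mail")
    # Forwarding or redirecting to an address outside the owner's domains.
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for target in rule.get(field) or []:
            if _addr_domain(target) not in own_domains:
                reasons.append(f"{field} to external address {target}")
    return reasons

def audit_rules(rules, own_domains=OWN_DOMAINS):
    """Map rule name -> reasons for every rule that trips a heuristic."""
    findings = {}
    for rule in rules:
        reasons = suspicious_reasons(rule, own_domains)
        if reasons:
            findings[rule.get("Name", "")] = reasons
    return findings

for name, why in audit_rules(SAMPLE_RULES).items():
    print(f"FLAG {name!r}: {'; '.join(why)}")
```

Anything the script flags still needs a human look in Outlook on the Web, since a legitimate rule can forward to a colleague or have a short name.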
Try to recover deleted items
Messages that are deleted can sometimes be recovered. Check your deleted items to see if any wanted items are there and can be recovered.
Check for applications using Microsoft 365 credentials
Some applications authenticate to your Microsoft 365 account through Azure Active Directory (modern authentication). Check for any access you did not authorize.
- Go to https://portal.azure.com
- Choose Azure Active Directory from the menu
- Click View profile under your username in "My feed"
- Choose Applications from the menu
- Click each application in the list, view granted permissions and remove any unrecognized permissions or applications. You may remove the entire application with the "Remove" X at the top left.
Install security software
Install Sophos Anti-Virus and CrowdStrike Falcon. Sophos protects your computer against known viruses, worms, and malware. CrowdStrike provides advanced protection against emerging threats, using machine learning to detect patterns commonly seen in attacks.
Additional comments
Note that even after you change your password, your account might keep sending spam for a couple more hours if the spammer is already logged into your email.
Even after your account stops sending spam, you may continue to receive "bounce" error messages for about a week afterwards.
Contact MIT's Help Desk if you want assistance with mail cleanup steps.
For Staff
See also
[Kerberos account compromised (OLD)]