What can hackers do with the private data in your email account?

On 15 December, hundreds of millions of people woke up to the news their Yahoo credentials were in the hands of hackers – and had been for three years. Names, passwords and security questions, all compromised in what is now considered the biggest data breach ever recorded.

Until this point, many people probably didn't consider the consequences of hacking. They may have thought their email was too boring to be targeted, or that the details inside were considered worthless, or perhaps cybercrime was brushed off as something that just happens to other people.

But in the hacking world, information is power. And on the Dark Web, where this data often ends up, trading this information can be lucrative. But what exactly happens after your email account is hijacked? How exactly is your data exploited? And does it really matter?

Essentially, email is a gateway to your online life and the password is the key. It's the post-box of the digital era and everything you do on the web flows through it. In a 2016 security analysis, Symantec found that despite the rise of instant chat, email remained the dominant form of communication.

A main email account will likely contain data including private conversations, payment invoices, social media messages, partial passwords, calendar appointments, order confirmations, passport scans, e-receipts, mailing list subscriptions and more. Harmless, right? Wrong.

Social Engineering & Phishing

With details including your name, address, calendar appointments and invoices a hacker will be able to easily craft an email that you – or your family/friends – may not realise is a scam. Using your personal information as a foundation, creating convincing emails will be easy.

Often, cybercriminals will pose as a person in a position of authority, including the police, a bank or a boss, and entice you to either hand over more information or click a link that is littered with viruses.

These targeted attacks – known as spearphishing – played a key role in the recent cyber-intrusions against the email accounts of political figures in the US and were used to devastating effect. They remain a key tool in a hackers kit for one reason: they work.

Top tip: Check sender, check URLs and never click on suspicious links.

Other accounts can be targeted

If the multitude of breaches in 2016 taught us anything it's that people are still not using strong passwords to secure online accounts. Worse still, these passwords are still be re-used to sign up for new online profiles and services – even years later.

If you are someone who has only had one main password for years you are at high risk of compromise. In 2016, a slew of celebrity Twitter accounts – from Facebook CEO Mark Zuckerberg to singer Katy Perry – were hacked using this technique.

Top Tip: Using multi-factor authentication will add an extra layer of security.

Access your social media profiles

Social networking is now a major part of everyday life. Tweets, Facebook posts, Instagram posts are now routine for millions of people. One thing these have in common is that they all link back to an email account. Not only records of the posts, but the password authentication request.

This will give a hacker more personal data about your real-time whereabouts, messages, pictures, videos and contact lists. Using the chat application, it will then allow them to post to your friends and family and spread further scams and malware.

Additionally, any of the email-linked accounts that offer a "request password change" feature will mean it will only take two minutes for a cybercriminal to lock you out of your own digital world.

Top Tip: Consider using a different email account for each social media profile

Access to financial information and records

Chances are high there will be some form of financial information residing inside your email account – be it bank statements, receipts, tax return scans, work invoices or even documents containing – in clear text – your passwords or answers to security questions.

Of course, modern banking now offers a good degree of safety and authentication. However, human error is still a massive problem in organisations and any hacker with access to your account number, sort code and personal data like name and address poses a clear risk to your bank balance.

Top Tip: Ensure strong passwords and check transaction records for suspicious activity

The threat of blackmail

The rise of cloud storage, a saviour for those with minimal storage on smartphones or laptops, has coincided with the rise of leaked pictures some would rather keep private. Websites like Dropbox, iCloud and Google Drive back up automatically and can contain photos, files, videos and documents.

If two-factor authentication is not deployed, a hacker with access to your email may also be able to compromise your cloud storage. As reported earlier this year, four men recently took their own lives after being blackmailed in an online "sextortion" cybercrime scam and a slew of high-profile celebrities have also fallen victim to hacked cloud accounts.

Top Tip: Be careful how your devices automatically back up to the cloud

Sell everything

Of course, when it comes to stolen data, all roads lead to the Dark Web. On these underground forums, used to trade in drugs, malware exploits and hacked personal information, credentials are cheap and plentiful. Sometimes the data is old, but nearly always exploitable in some way.

Nevertheless, it continues to sell. This year, major technology websites like LinkedIn, Twitter, Tumblr and Yahoo have all hit the headlines after batches of their user data ended up for sale. Meanwhile, personal logins for Netflix and iTunes account regularly sell for under £5 – staying cheap because of the sheer amount of them available.

Huge batches of information, however, are far more valuable to keen hackers and a list of hacked email accounts still plays a central role in the thriving underground spam industry.

Top Tip: Always use unique passwords for every account, if one gets stolen it will limit the damage