How do people get their email accounts hacked?

Where as, I believe, that the person has some sort of maleware, spyware, virus, etc, that led them to getting hacked. Or a wrong click on a pop up by accident, perhaps responding to a spam email by mistake.

Yep.That’s how it happens.

The methods you mention are used to indiscriminately target thousands or millions of people. Someone is going to click the link or open the email attachment. And they are often very convincing – almost everybody falls for it at one time or another.

The very rare and unlikely case where someone guesses a password only happens when one person is actively targeting another.

@jaytkay Weak passwords are subject to dictionary attacks. Unfortunately a great many passwords are weak. Dictionary attacks are a common component of scripts that clueless wankers use to harvest accounts.
With that said, the vectors that you suggest in your answer are even more common methods of gaining unauthorized access.

My buddy was over at my house a few weeks ago and wanted to check his e-mail. We both use gmail. So I logged out of my account and he logged into his. He didn’t think to log out of his. The next time I wanted to check mine it took me to his. At that point I was into his Google account. Make sure you log out and use the “Public Computer” option if the site has one.

Cool, thanks guys. I figured that’s what it was, but he’s convinced he did nothing wrong. I figured it was something to do with spyware, malware, etc. Even if I show him this, as well as information out there suggesting how it happens, he won’t ever believe he was at fault somehow.

Was it hacked, someone sent e-mails out using your friend’s account?
Or was it “spoofed”, someone sent e-mails out from their server but used you friend’s e-mail “Tag” as the sending address.

From what I could tell, it was sent from my friend’s email account.

Has this person changed their password after the “spamming” emails?

If they did and there is still e-mails bing sent from them, it would mean the e-mail account is “spoofed”.

He changed the password, and the spamming of emails has stopped. Yeah, he must have been hacked, not spoofed then.

@RandomMrdan He didn’t do anything wrong. Tight security is a good idea, but it’s still the hackers fault for hacking in. If your apartment gets broken into, is it your fault for having an old lock and no alarm system? Or should the burglar maybe stay the fuck out of houses that don’t belong to them?

@MyNewtBoobs If you know that there is a swarm of automatic machines going around your neighborhood breaking into apartments, then you should make sure your locks will hold. This is more akin to the situation on the Internet.
Sure, it’s still the perpetrator’s fault for unleashing the bots, but you are still responsible to secure your own valuables.

Also, folks, can we not call these people “hackers”? Hackers are creative people who engineer new solutions to problems. The folks at LifeHacker are hackers. RMS is a hacker. I’m a hacker. The people that intrude into other people’s computer systems are not “hackers”. They are criminals and assholes.

If you are worried about bots breaking into your house, and you meet a guy who gives you a free, working lock- do you call the lock inventor a “burglar”?

@MyNewtBoobs I understand your point, but my point is that my friend is wrong about how he got hacked in the first place. He seems to think he did nothing wrong. But the odds are, he did do something wrong, and just didn’t realize it, and won’t admit to that possibility. Instead, he insists that it is just something that happens. And sure, it does happen, and it happens a lot, but my point again is, the person who gets hacked, had to have done something to allow it to happen.

@koanhead I like your scenario. It pretty much reinforces my thoughts. And yeah, these people aren’t “hackers”, they’re just assholes.

@RandomMrdan And my point is, don’t blame the victim. Which you’re still doing. And you don’t actually know he did something “wrong” any more than he knows he didn’t – it’s still anyone’s guess.

@MyNewtBoobs I’m just playing the odds, which are in favor of the person being hacked doing something to cause it. If you had to place money on the cause of a person being hacked, what would you bet it was? My friend just annoyed me when he said he did NOTHING, and refuses to believe he did anything to cause it, which the odds are clearly in favor of.

@MyNewtBoobs @RandomMrdan In network security, it’s more important to do stuff right than it is no not do stuff wrong.
The majority of security vulnerabilities are things the user knows nothing about and can’t directly affect. These are mostly vulnerabilities in the programs the user uses and are fixed by regular updates from the developers. So it’s important to make sure your Windows Update widget runs every day, to make sure your firewall is running and properly configured, that your local users are not sharing accounts or using weak passwords, all the basic best practices that every computer administrator should know and most users ignore.
If you do the right things, you can get away with some wrong things. If you run NoScript in your browser, you can click on the goofy “catch the monkey” ad without worrying about a cross-site scripting attack. You don’t have to know anything about XSS, you just need to know about NoScript. If you configure Outlook to not open binary attachments without scanning them first, then you don’t have to worry about opening attachments. (Or if you are like me, your email client strips out attachments anyway, and your correspondents know not to use them.)
A lot of folks like me spend a lot of time and skull-sweat trying to make security as easy as possible for the end-users.
It’s NOT your fault if some scumbag breaks into your computer. But it is your computer- so it’s your responsibility.
Also, if your computer becomes subject to some bot and tries to DOS my server, guess who gets blacklisted? Guess who I report to SpamCop or the authorities?

Just a little article for those who might have just recently gotten their Gmail accounts hacked.