bpbenda (Frequent Visitor, 10 Messages)

Friday, April 28th, 2023 12:39 AM

Closed

Hacker Maintains Email Access After Password Change

Dealing with an email hack. I’ve changed my password, but despite the password change the hacker is still there. I know this because I see changes they’re making inside my email.

In trying to get to the bottom of this and figure out how this is possible, I had a family member assist me in testing some things. We simultaneously logged into my email using Google Chrome from separate remote locations. I then proceeded to change my password. I closed my browser window, reopened it and tried to access my email again. I was prompted to re-authenticate and used my new password to successfully regain access, confirming the change. Once back inside my email, I asked my family member if they still had access. Bear in mind that I had not shared my new password with them, and they had not closed their browser window. They confirmed that they still had access and were able to navigate around to different folders. Wanting to eliminate a cached pages theory, I asked if they could send email. They sent themselves an email (to a non-Comcast email address) from my email and it was delivered, meaning they still had active access despite the password change.

How is this possible? Is this a known security exploit?

What this means is that if someone hacks your email account and uses a web browser (or maybe just Google Chrome) to access your account, as long as they don’t close their browser or end their browser session, they maintain unfettered access to your email despite a password change.

This seems like a MAJOR security issue, and it completely undermines a password reset fix.

Accepted Solution

Expert (31.4K Messages)

2 years ago

@bpbenda

If they had not closed their browser window they were still logged in, even if it was under the old password. They needed to log out, and then try to log in again. Did you have them do that? From your description they remained logged in and have not signed out.

bpbenda (Frequent Visitor, 10 Messages)

@Again

Correct. The security concern is that if someone gains access to your account and doesn’t close their browser window or log out, your account remains hacked (they aren’t logged out) and changing your password doesn’t secure your account. Comcast email refreshes periodically in the background to push email changes (like new email, deleted emails, moved emails, etc.). Why is it also not forcing re-authentication of all logged-in sessions when a password change occurs?

I called Comcast last night to inquire if they could force all active sessions to be reset, requiring them to re-authenticate with the new password. They said that while they have the ability to do that, because I’m no longer a paying subscriber of one of their services they aren’t authorized to do so.

(edited)
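The server-side behaviour this thread is asking for, as an added example that is not Comcast's code or anything posted in the thread: each session is stamped with the password generation it was issued under, a password change bumps that generation so every other session fails its next request, and a revoke_all_sessions() hook covers the manual reset the support agent described. The class and method names and the toy in-memory session store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class AccountService:
    """Constructed in-memory account model. Sessions remember the
    password generation they were created under, so changing the
    password invalidates every other live session, not just new logins."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.password_generation = 0
        self._sessions: dict[str, int] = {}  # session id -> generation issued under

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> Optional[str]:
        """Return a fresh session id on success, None on a wrong password."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self.password_generation
        return sid

    def is_session_valid(self, sid: str) -> bool:
        """Checked on every request (page load, background refresh, send)."""
        gen = self._sessions.get(sid)
        return gen is not None and gen == self.password_generation

    def change_password(self, sid: str, old: str, new: str) -> bool:
        """Only a valid session that knows the old password may change it.
        The session performing the change is re-stamped and survives;
        all other sessions are left on the old generation and go stale."""
        if not self.is_session_valid(sid):
            return False
        if not hmac.compare_digest(self._hash(old), self._pw_hash):
            return False
        self._pw_hash = self._hash(new)
        self.password_generation += 1
        self._sessions[sid] = self.password_generation
        return True

    def revoke_all_sessions(self) -> None:
        """Support-desk style reset: every session must log in again."""
        self._sessions.clear()
```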
