My experience of our family e-mail account being hacked
Late on a Monday evening in May 2017, my wife noticed an unfamiliar email in the family inbox - a DPD delivery notification referencing a John Lewis order we could not account for. That small observation was the starting point for a three-day exercise in incident response, support frustration, and a reasonably instructive lesson in how exposed an ordinary household's digital accounts can be.
The discovery
The family email account runs on BT Internet, hosted on the BT Yahoo mail platform, and is not connected to my work devices. When I logged in to investigate the DPD email, I found that the John Lewis account attached to the address had not been used in around four years. Resetting the password and gaining entry revealed three orders placed in someone else's name, two apparently fulfilled and one cancelled. The account showed an address in Newcastle upon Tyne, a mobile number close to mine with the final two digits changed, and a MasterCard I do not own. The earliest fraudulent activity was dated 5 May 2017.
My initial response was to assume the John Lewis account was the point of entry. I reset the password, contacted both John Lewis and MasterCard to report the activity, and called it a night. It felt resolved.
The picture expands
The following afternoon, I logged back in to the BT Yahoo webmail and the original DPD email was gone. Someone was actively managing the compromised account.
BT support was difficult to navigate. The initial responses were circular - suggestions of a server error, assurances that an internal portal showed no signs of compromise, and a suggestion that I had deleted the email myself. After considerable persistence I reached someone who agreed to request a restore of deleted items. Several hours later, the evidence began to materialise: change-of-detail notifications from John Lewis, order confirmations, and - the detail that concerned me most - what appeared to be a list of approximately three thousand individuals with names, addresses, telephone numbers, and in some cases passwords.
Securing the account
At that point the priority was to prevent any further distribution of that data. I called BT and requested an immediate block on the account. The support person confirmed it would take effect straight away. When I tested by attempting to log in, the old password still worked. "You will need to wait four hours" was the revised answer.
During that wait I noticed a separate problem. I had changed a password earlier in the process - but the wrong one. The BT customer identity platform splits across several screens, and I had followed the wrong branch, resetting my BTID password rather than the BT Yahoo mailbox password. Once I identified this and changed the correct credential, I confirmed that Outlook could no longer connect to the account.
The following morning, the account was still accessible via webmail. The 9am call with the BT escalation team concluded that the family account had been caught in a wider BT Yahoo data compromise. We had not been notified at the time, and the address did not appear on any of the standard breach-checking services. The advice during that call - to send any recovered data to an address the support agent initially described as "phishing.com" - turned out to mean phishing@bt.com, but the moment of confusion was not reassuring. Neither MasterCard nor John Lewis followed up at any point.
What this suggests
The incident is a useful case study in how account compromise at one point propagates through connected services that have been left dormant. A few things stand out.
The entry point was almost certainly the BT Yahoo account, likely compromised as part of the wider breach and unchanged for several years. The lesson is not primarily about password hygiene in the abstract but about the specific risk of legacy accounts that remain live and connected to other services even when they are no longer actively used. Most households have at least one version of this.
Reviewing the deleted-items folder for unfamiliar activity is a detection method that is easy to overlook; in this case the deleted DPD email and the restored items were where the evidence turned up. Keeping a record of case reference numbers, and of what each support agent actually confirmed, becomes material if the situation escalates. The absence of two-factor authentication on the BT Yahoo platform was a meaningful gap, one the platform had not addressed and one I had not pressed on either; where a service does offer it, it is the control that most directly blunts this kind of password-based takeover.
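One way to make the deleted-items review systematic rather than eyeballed, as an added example that is not code from the original post, from BT or from Yahoo: export the restored items as an mbox file and run a small triage over it that flags change-of-detail notices, order and delivery notifications, messages whose body looks like a bulk list of personal data, and senders from domains you do not recognise. The sample mailbox, the sender addresses and the keyword patterns below are constructed assumptions for illustration, not anything taken from the actual incident.

```python
"""Triage recovered mailbox items for signs of account takeover.

Added example, not the author's code. Assumes the restored deleted items
were exported as a plain mbox file; the messages below are constructed
(made-up senders, subjects and data) so the script runs offline.
"""
import email.utils
import mailbox
import os
import re
import tempfile

# Constructed sample export (not real mail): a change-of-detail notice, an
# order confirmation, a message carrying a bulk list of names/addresses/
# phones/passwords, and one harmless newsletter as a control.
SAMPLE_MBOX = """From - Fri May  5 21:02:11 2017
From: noreply@retailer.example
To: family@example.net
Subject: Your account details have been changed
Date: Fri, 05 May 2017 21:02:11 +0100

The mobile number and delivery address on your account were updated.

From - Sat May  6 09:15:00 2017
From: orders@retailer.example
To: family@example.net
Subject: Order confirmation 12345
Date: Sat, 06 May 2017 09:15:00 +0100

Thanks for your order. It will be delivered to Newcastle upon Tyne.

From - Sun May  7 23:40:00 2017
From: unknown@example.org
To: family@example.net
Subject: list
Date: Sun, 07 May 2017 23:40:00 +0100

alice example,1 high st,01234 567890,pa55word
bob example,2 low rd,09876 543210,hunter2
carol example,3 mid ave,01112 223334,letmein

From - Mon May  8 08:00:00 2017
From: newsletter@shop.example
To: family@example.net
Subject: Weekly offers
Date: Mon, 08 May 2017 08:00:00 +0100

Nothing suspicious here.
"""

# Indicator patterns: an assumption for this example, tune to the wording
# the services you actually use put in their notifications.
CHANGE_OF_DETAIL = re.compile(
    r"(?:details?|address|number|password)\b.*\b(?:changed|updated|reset)", re.I)
ORDER_NOTICE = re.compile(
    r"\b(?:order|dispatch|delivery)\b.*\b(?:confirmation|notification)\b", re.I)
UK_PHONE = re.compile(r"0\d{9,10}")   # 10-11 digits starting with 0
PII_ROW_THRESHOLD = 3                 # assumption: this many rows is a list


def load_mbox(text):
    """Parse mbox text into messages (the mailbox module wants a path)."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False,
                                     encoding="utf-8") as fh:
        fh.write(text)
        path = fh.name
    box = mailbox.mbox(path)
    try:
        return list(box)
    finally:
        box.close()
        os.unlink(path)


def body_text(msg):
    """Return the plain-text body, walking multipart messages."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def pii_rows(text):
    """Count lines that look like one record of a personal-data list:
    three or more comma-separated fields, one of them a UK-style phone."""
    count = 0
    for line in text.splitlines():
        fields = [f.strip().replace(" ", "") for f in line.split(",")]
        if len(fields) >= 3 and any(UK_PHONE.fullmatch(f) for f in fields):
            count += 1
    return count


def triage(messages, known_domains=()):
    """Return one finding per message that trips at least one indicator."""
    findings = []
    for index, msg in enumerate(messages):
        subject = msg.get("Subject", "")
        sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
        text = body_text(msg)
        reasons = []
        if CHANGE_OF_DETAIL.search(subject) or CHANGE_OF_DETAIL.search(text):
            reasons.append("change-of-detail notification")
        if ORDER_NOTICE.search(subject):
            reasons.append("order or delivery notification")
        rows = pii_rows(text)
        if rows >= PII_ROW_THRESHOLD:
            reasons.append(f"bulk personal-data list ({rows} rows)")
        domain = sender.rpartition("@")[2]
        if known_domains and domain not in known_domains:
            reasons.append(f"unfamiliar sender domain {domain}")
        if reasons:
            findings.append({"index": index, "from": sender,
                             "subject": subject, "reasons": reasons})
    return findings


def run_sample():
    """Triage the constructed export, treating two domains as recognised."""
    return triage(load_mbox(SAMPLE_MBOX),
                  known_domains={"retailer.example", "shop.example"})


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["index"], finding["from"], finding["subject"], "->",
              "; ".join(finding["reasons"]))
```

Against the constructed export this flags the first three messages and leaves the newsletter alone. The domain check is what surfaces the dormant-account problem the post describes: a retailer you had forgotten you ever registered with still shows up as a sender, and that is the prompt to go and look at what that account now contains.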
The BT support experience also illustrates how difficult it is to navigate a genuine security incident through a general-purpose support function. The default responses - denial, deflection, delay - are calibrated for the majority of callers who have made a simple error. For an actual compromise, they add time and friction at precisely the moment when speed matters.