Something was definitely wrong when Elizabeth Dinnerstein of Scottsdale signed into her Cox email account late last month.

In addition to her own mail, she saw the email accounts of nine other people — strangers — and she could open and read their messages. All of them.

She called Cox, and a customer-service representative told her the communications company would look into it.

A week later, when she still had access to the strangers' emails, including bank statements, spam, personal messages, car registration reminders and everything else, she called Cox again.

When they told her again they would look into it — a response she found highly unsatisfactory — she called The Arizona Republic.

"I can see this lady's Chase bank statement!" she told a reporter as she perused the stranger's emails that were mysteriously linked to her account.

Dinnerstein allowed a reporter to view her email and the nine other accounts that were appearing on her account. After Cox tried to address the issue following her second call, all nine still showed up in her account, but messages and content were accessible in only three of them.

In those three accounts were emails containing credit card and investment-account information, mortgage statements, an order history from Amazon.com and a variety of private messages. All of the customers' sent messages and other email documents were accessible.

The curious situation was a new one for Jacob Prosser, a director of technology for Cox in Atlanta.

"Personally, this is the first time I've seen this use case," he said.

Dinnerstein said a customer-service representative told her the company had a backlog of similar complaints to address. But a company representative later said that was a miscommunication, for which Cox apologized, and that no other such cases exist.

"I feel for Ms. Dinnerstein," Cox Vice President of Public and Government Affairs Susan Anable said. "It really is unfortunate what happened with her. We are sorry the communication with her initially wasn't clear, and for that we apologize."

After more than a week, Cox eventually was able to unlink all of the accounts except one, which, unlike the others, was an AOL.com account. It is unclear if that email account is still in use.

'This all makes sense now'

Mike Tokle, who retired from law enforcement and lives in California, was one of the customers whose email was compromised and linked to Dinnerstein's account.

Reached at his home by phone, he said Cox did not call him to let him know his information was accessible to a stranger.

He may have received an email though. He hadn't checked. He canceled Cox a month ago, he said, but his email account is active for another two months, a courtesy Cox provides customers.

So even though he has moved to a Gmail account, his Cox account — and all the messages in it — was still out there, accessible to whoever had the password.

He said that around the same time he canceled his Cox service, he began having problems with his Facebook, Amazon and other accounts.

"This all makes sense now," he said when told by a reporter that his email had been compromised.

Dinnerstein also said she had various accounts hacked, predating her recent problem with her email.

How did it happen?

Prosser, the Cox technology official, confirmed the email accounts were linked, but said the issue was not the company's fault, and that the 10 users all had their emails compromised by someone who was able to obtain their passwords.

"Because they had the credentials for other customers, they entered the email address and passwords one by one so it brought the email into their experience as well," Prosser said. "Probably just to make it easier to manage, they had everyone they had compromised in one place."

Prosser could not explain why someone would merge random customers' emails in such a way.

Dinnerstein and two technology experts contacted by The Republic were skeptical.

"A hacker didn't do this," Dinnerstein said. "Why would a hacker do that? So he can go into all these accounts so they are all consolidated? That wouldn't be something they would do. They would link my account silently to their own account. Not link nine others."

Prosser said that, as with any email provider, Cox customers frequently have their passwords compromised and have intruders access their email.

"We encourage customers to set strong passwords, regularly change them and never share with others," Anable said in an email. "And if consumers encounter suspicious activity, they should contact their account provider directly, like Ms. Dinnerstein did."

Cox doesn't alert law enforcement to such breaches, but will cooperate with any investigation brought to them, she said.

Computer security experts skeptical

Two experts contacted by The Republic to discuss Dinnerstein's situation likewise had never heard of such a case, and both were initially skeptical that it was caused by a hacker, saying it sounded like a problem with Cox and the way it manages credentials.

But Prosser remained adamant that Cox did not inadvertently link the accounts, and they were instead intentionally linked by someone who obtained all 10 customers' passwords.

Ken Colburn, the founder and CEO of Data Doctors Computer Services, a franchised chain of repair centers, said the explanation from Cox was "feasible" but unusual.

"If it was a hacker, it is pretty unsophisticated," Colburn said.

Usually a hacker would try to access consumer data without doing anything to tip off the victim, like consolidating multiple email accounts into one.

Jamie Winterton, director of strategic research at the Global Security Initiative at Arizona State University, agreed.

"It is also not clear to me what the motivation would be for a hacker in this scenario," Winterton said. "For what purpose, right? Obviously Elizabeth was not the one hacking these accounts or she would not call you."

How to prevent getting hacked

Setting aside the question of how the email accounts were linked and why it took more than a week for Cox to unravel the problem, experts say there are steps all consumers should take to avoid their accounts being compromised.

Winterton said that if the accounts actually were compromised by someone who had all 10 passwords, Cox could have prevented the problem by using two-factor authentication. That's when a user must provide not only a password, but also a second, temporary password that is sent to them via text message or other means.

"A simple check via two-factor authentication should be employed in a situation where so much personal information is at risk for exploitation," Winterton said. "If 2FA had been employed, the victims would've gotten a text message, or an email at another account, asking if they wanted to merge their accounts, and giving them the option to reject it. Certainly under these circumstances, they would've said 'no,' and this whole thing would have been avoided."

Colburn simply recommends not using a free email account with a company such as Cox, where the service is ancillary to their cable, internet and phone service.

He says that email programs at companies like Cox are not profit centers, as email is for companies like Google, and as such, they don't get adequate resources.

Colburn said Google's Gmail service is superior in its consumer protections. Consumers who want to use a program like Cox or don't want to give up an old, familiar email address can set up a Gmail account and have their Cox or other account messages forwarded to it, thus enabling all of the protections in the Gmail program.

Doing so still requires a strong password on the old account to prevent intruders.

To help set up and not lose challenging passwords, Winterton recommends using a password manager, a paid service that generates and saves complex passwords for customers, making it much more difficult for anyone to break into their online accounts.

"What we cyber experts told people for a long time was, don't tell anybody your password," she said. "Now we are telling you to tell your passwords to a password manager. It took me a long time (to accept this change), too."

Has your email been hacked? Reach reporter Ryan Randazzo at ryan.randazzo@arizonarepublic.com or 602-444-4331. Follow him on Twitter @UtilityReporter.
