In short... never ever ever email someone a password or credit card number.
Background
Anything you send via e-mail is plainly viewable by any mail server that handles the message all along the way. Email was not created with data privacy in mind.
Depending on where the message is sent, its contents can be stored on multiple servers on the message’s way to it’s recipient. Also, emails are stored in various folders in your account and the recipient’s, making your credit card information vulnerable to hackers or someone else who has (or finds) a way to access one of the accounts.
Some mail services like Gmail and Yahoo automatically encrypt the transmissions (https:) between you and their servers, but once it goes to another mail server that does not, your message is back to being in plain view.
If you use Gmail and your recipient uses Gmail, Google keeps your messages encrypted the entire way as it moves from your machine through its various systems and data centers, but it creates another point of exposure.
If your e-mail account ever gets compromised, all of those sensitive messages and attachments would be a treasure trove for a hacker. If you’re going to be realistic about security, it’s much more likely that your account will be compromised than it is to have your message randomly read by a third party.
If a hacker compromises your e-mail account, all he has to do is scan your sent messages for every sensitive document that you’ve ever sent in one place, so that’s another reason to avoid sending sensitive information and documents via e-mail.
If you've already emailed credit card information
If you’ve sent password information over email in the past, search through your sent folder and delete the information permanently. In the future, you can mitigate the risk by using encryption software (free online versions include VeraCrypt and AxCrypt) to scramble the information until the recipient unlocks it with a security password or code. But don’t trust an encryption software without vetting it.
“It is important to understand whether emails are encrypted while on the server or just during transmission, This is something to double-check, or the email content may still be accessed while stored on a server.”
- Shirley Inscoe, senior analyst at Aite Group
Secure Methods
There are other methods you can use to share login information.
Phone call
This is probably the most secure method to transmit login information. Phone the person and read the information aloud to them. The weak point in this method is if the person then writes it down and handles the information inappropriately. For example if they write it on a post-it note and stick it on their monitor or leave it on their desk.
At Skunkworks, if the information is to be stored on-file, the details are entered directly into our internal server which is inaccessible to the outside world. The paper note is then immediately cross-cut shredded.
Fax
If you both still have old-school, non-computerized fax machines, that certainly keeps your information off the unsecured Internet, but be careful with e-mail-based fax services as opposed to telephone line based, because then you’d be right back in the same boat as emailing. If in doubt, use another method.
SMS Text messages
In general, it’s difficult for hackers to access text messages. But as long as a text containing credit card information sits in an inbox or sent folder, it’s exposed. If your phone is stolen, or the phone belonging to the person you sent the information to is compromised, the thief may be able to access the information.
Split transmission methods of partial info.
You may wish to send some of the information required in one fashion, and the rest in another fashion.
eg: A phone call to say
My account login is username@emailaddress.com. I’ll text you the password.
Another option is to include both pieces of information in a self destructing note. It’s important that the note doesn’t state what or where the login is for however.
Skunkworks has created "Secret" for this purpose. "Secret" creates a link that can be visited and read only once before it is destroyed and unreadable.
You could then send an email to say:
My account login is username@emailaddress.com. Here’s a link to the password. https://secret.skunkworks.ca/ehgIy7Vi#GAoJlmt7E