Monday, June 14, 2010

In Which My Yahoo Email Gets Hacked

My Yahoo email account got hacked, and Viagra spam was sent to all my contacts. Even the ones who don't need it.

I knew right away, because I am one of my own contacts, so I sent myself spam, plus got some bounced email notices in my inbox. I was able to log into Yahoo with my old password, and changed the password, and the Yahoo password recovery email address.

Then I set about changing all my passwords everywhere online, since the hacked account had my favorite password attached to it, as well as my favorite username. Dumb, dumb, dumb to use the same username and password everywhere, I know! BTW, the password was pretty strong, but not super strong. This took 9 hours! I changed usernames where possible, passwords everywhere (using http://strongpasswordgenerator.com/), and linked online accounts to my Gmail account, not my Yahoo email.

They sent the spam out using the Yahoo web interface; my computer's email client was not involved. I could tell because my Yahoo online contacts are different from my computer's email contacts.

A Twitter search reveals that this has been happening to people since around the first of the year, and that there is a rash of recent hacks going on right now. Strangely, Googling the issue reveals nothing of substance: a bunch of utterly lame Yahoo Answers posts appear at the top of organic search. On the second page is this blog post from March 2010, the only post I could find with actual content regarding this problem. On the second page! What's with that?

Yahoo knows enough about search to bury real content about this problem under a pile of fake Yahoo Answers. The comment string to this post, still going strong 3 months later, reveals a stunning lack of concern and blatant stonewalling from Yahoo.

Some responders claim evidence that the problem is with Yahoo servers being hacked. Many report that their Facebook accounts were hacked as well. The spam being sent includes Viagra links (I assume, I did not click... the URL contained medsonline in it), or some blather about a good price on an iPhone with a link, or something about an online gift-buying site and a link.

I'm on a Mac, so it was not a virus, and I know phishing when I see it. Either something's going on at Yahoo, as others have suggested, or security was compromised at some other site where I use that username and password, and the password thieves took that username and password straight to Yahoo to see if it worked, and of course, it did. They probably would have tried Facebook next, but I beat them to it.

The contents of my online Yahoo inbox were gone, and there was no record of the sent spam in my sent mail, but my old sent mails were still there, as was my online contact list. Others report that their online contact list is gone. Some report that they can see the sent spam in their online sent box. A lot of them report that both their Facebook and Yahoo were hacked, and they suspect Facebook as the source of the breach; however, I think Yahoo is breached first and then they try Facebook. A lot of them report that their Yahoo mail is broken into again in a few days, even though they changed the password.

Again, my Yahoo password was the same as my Facebook password, as well as for a LOT of other sites I'm on, which again, IS DUMB! My Facebook was not hacked, though, it definitely started with Yahoo. No other accounts appear to be compromised, but then, I was quick to respond to the initial email hack.

I will be closing my Yahoo account soon. Their non-responsiveness to this is inexcusable, whether their server is or is not the source of the hack. They should at least give people steps on how to secure themselves after a hack, but they are obviously more concerned with burying the problem.

Anyway, I can't stress enough using strong passwords, and a different password for every site. And don't use Yahoo email addresses for password recovery, if you use Yahoo email at all.

Keep a text record of all sites where you are registered, with usernames, passwords, and associated email addresses, and whether or not there is a credit card on file, and print this out as well. I had a list that I was able to work from and it helped immensely.

If you get hacked, do this:

  • First, log in to Yahoo and change your password, thus kicking them out long enough for you to work on this.
  • Think hard about where else you may have used that same password and/or username, and secure those sites right away by changing passwords.
  • Secure sites in descending order of importance: financial sites first, then Facebook, then anything that may have a live credit card number attached, your other email like Hotmail or Gmail, then your blogs and social media, and so on down the line.
  • Use http://www.StrongPasswordGenerator.com to create unhackable passwords.
  • USE A DIFFERENT PASSWORD FOR EVERY SITE. Yes, I am yelling at you. I wish someone had yelled at me!
  • Then, determine what sites are linked to your compromised Yahoo email and link them to another email account. Sites use it as your password recovery email address, and someone in control of your Yahoo account can set new passwords and take over your other accounts.
  • What other email address did you give Yahoo as a password recovery email? Thieves now have that info, so you might want to make double sure that email has not been hacked, and is secured with a strong, unique password.
  • Take a look at your Yahoo profile. What information did you give them about yourself? Well, somebody else now has that information. All of it. What secret questions and answers did you give Yahoo for security? They have that, too. Hopefully you use different security questions on every site that asks for one. Think about all that for a minute. Think about identity theft.
  • Now, go back and clean out all your other profiles, deleting any information about yourself that is not required.
  • If your Yahoo email address is also your favorite username, go back and change usernames at sites which allow you to do that.

My list reflects that I wanted to secure critical sites with a new password first, and then go back and fine tune security everywhere. Good luck and hope this helps!
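The checklist above as a script, added here as an example and not part of the original post: it reads an account inventory like the one the post recommends keeping (constructed sample data with placeholder addresses), flags every account the hacked mailbox exposes (shared password, shared username, resets routed through the hacked mailbox, or the mailbox that Yahoo held as the recovery address), and orders them by the post's tiers so financial sites come first.

```python
from dataclasses import dataclass

@dataclass
class Account:
    site: str
    username: str
    password: str
    category: str             # "financial", "email", "social", "shop", ...
    login_email: str          # address the site has on file for you
    recovery_email: str = ""  # where the site sends password resets
    card_on_file: bool = False

def priority(acct):
    """Lower is more urgent; the order follows the checklist in the post."""
    return (0 if acct.category == "financial" else
            1 if acct.site.lower() == "facebook" else
            2 if acct.card_on_file else
            3 if acct.category == "email" else 4)

def triage(inventory, hacked):
    """Return [(account, reasons)] for every account the hacked mailbox
    exposes, most urgent first."""
    hits = []
    for a in inventory:
        if a is hacked:
            continue
        reasons = []
        if a.password == hacked.password:
            reasons.append("same password")
        if a.username == hacked.username:
            reasons.append("same username")
        if a.recovery_email == hacked.login_email:
            reasons.append("resets go to hacked mailbox")
        if a.login_email == hacked.recovery_email:
            reasons.append("was the hacked account's recovery address")
        if reasons:
            hits.append((a, reasons))
    hits.sort(key=lambda h: (priority(h[0]), h[0].site))
    return hits

# Constructed sample inventory; domains are placeholders, not real accounts.
Y, G = "jdoe@yahoo.example", "jdoe@gmail.example"
INVENTORY = [
    Account("Yahoo Mail", "jdoe", "Tr0ub4dor", "email", Y, G),
    Account("Gmail", "jdoe", "x9!Lq2vK", "email", G),
    Account("Facebook", "jdoe", "Tr0ub4dor", "social", Y, Y),
    Account("Example Bank", "jd_bank", "Tr0ub4dor", "financial", Y),
    Account("Blog host", "jdoe", "unique-pw-1", "social", Y, Y),
    Account("Bookstore", "jdoe", "Tr0ub4dor", "shop", Y, "", True),
]
```

Calling `triage(INVENTORY, INVENTORY[0])` with the Yahoo entry as the hacked account lists the bank first and the blog host last, each with the reasons it is exposed.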