Monday, June 21, 2010

Yahoo Email Hack Strikes Again

 Update on my Yahoo email: It got hacked again, June 20 around 10pm. I had deleted my contacts after the first hack, so apparently only one spam email was sent, to myself, from myself. I would have gotten some bounce messages like last time otherwise. The spam was for Viagra. I was again able to log in and change the password.

Here's my original blog post for the back story on my Yahoo email hack ordeal.

Interestingly, after the first hack I changed my password to a 14 character mouthful of gravel from There is no way any password program could have cracked that password. Obviously there are security issues at Yahoo. Read more...

FWIW, my friend the programmer says Yahoo as an organization is disintegrating, nobody's minding the store. Yahoo is not serious about security. From word of mouth in my circle and on Twitter, increasing numbers of friends are getting their Yahoo accounts hacked, and there are a variety of spams/scams that occur as a result of the hack.

He says that in hacker world, there is most certainly a known exploit in the Yahoo security system that sociopathic programmers are right now using to generate newer and more sophisticated programs to harvest Yahoo email accounts. They are programming away as we post. More and more spammers/identity thieves/sickos will jump on this bandwagon with various motives and objectives. This will continue to happen until Yahoo fixes the exploit, but we have seen from this thread that Yahoo neither acknowledges nor is really serious about fixing it.

Bottom line, switch to gmail.

Anyway, I still have my Yahoo account open, but it is stripped. No saved emails anywhere, no contacts except for myself (so i can get the spam when I am hacked again). I am leaving it open to receive the large amount of email I still get to that account, and notify people as needed to use another account to contact me. I delete emails as as soon as I get them and then empty the trash. And delete any sent emails as soon as they are sent.

If you want to still keep your Yahoo account open for some reason, here are some precautions:

--Strip the account of your personal info. Real name, address, anything. Birthday. Really poke around in Yahoo. You may be surprised at the information you have given them.

--See what security questions you've given yahoo. Change them to inaccurate answers and write them down somewhere so you don't forget.

--Strip the account of all folders, inbox, sent emails, drafts, everything. You don't want them havng the verification code for your gmail account, or worse.

--Double delete your contacts. Even if deleted, they are still there. Poke around in the contacts pane.

--Did you ever pay Yahoo for anything? Mail Plus? Personals? Pay Flickr Pro through Yahoo? Then you have a Yahoo Wallet. This is bad. Find it and strip it of credit card info.

--Um, you don't have Yahoo Paypal Checkout or Yahoo Express Checkout through My Yahoo, do you? Well, now they do, too.

--What email address did you give Yahoo as your password recovery address? Is that a secure provider? Does that account have a unique, very strong password?

Good luck with your email hack!

Update June 28, 2010:  This September, 2009 article from SC Magazine finally explains the Yahoo email hacks. The timing of the article matches the appearance and escalation of these hacks as determined by Google and Twitter search.