Yahoo Mail Accounts currently being hacked
heiker
Posts: 7,029
Forum Member
I know of three Yahoo Mail Accounts that have been hacked in the last couple of days. If you've got a Yahoo Account then change your password to something really complicated.
Comments
Just googled "Yahoo Hacking". Looks like this has been going on for months. Checked my Yahoo Login Activity; my hacker is based in Thailand... I've even got the bastard's IP Address :mad:
There is no point having a long, complicated password if your security question is "what is your favourite colour".
http://forums.digitalspy.co.uk/showthread.php?t=1803444
How do you check for your login activity?
Edit: It's OK I've found it.
Changed the password, but not sure how much damage has been done?
I've changed my password - I assume there is nothing else I can do? I can still receive messages, but Yahoo has blocked my account from sending more for the moment. They say they might block the account for up to 48 hours, so I'll just keep trying.
It would be interesting to know how they are doing it.
I originally had a 7 character noun plus 3 numerics password. However, I'm convinced that they are not working out passwords to gain entry. This is entry via a back door that Yahoo left wide open.
I changed my password straight away, and I just clicked on the link above to see where I had been signed in: I was signed in twice in Thailand within a minute, on both PC and mobile.
Simple passwords would only be an issue if Yahoo allowed unlimited attempts without lock-up, whereas your account locks up for a few hours after the fourth wrong attempt.
Also, as well as a password, they use a captcha code, so that should stop somebody using automatic software?
I was asked for a captcha code before sending it though and it remains to be seen whether I will always have to provide one in future, or whether this was just a one-off to ensure that a human was back in charge.
I'm finding that Windows Live Mail won't log into Yahoo to fetch mail. It just keeps asking for my new password.
Logging into the Yahoo site is fine.
Luckily I only use Yahoo as a secondary email address, and I don't have any contacts for them to send mail to, if I'm hacked again.
I think I'll just abandon it as a bad job.
And to Thine Wonk, I'm not registered to Evernote, or any other service that's been hacked (as far as I know?), and my password reset question is not one that could be easily guessed or found out. So I don't think that's how it's been done?
You say that, but thousands of sites people visit have been hacked; there's every chance you used that Yahoo email address and the same password at a random site that got hacked.
That's why you should:
Use a complex password at least 9 characters long; that means if they get your hashed password from the database of the hacked site, it'll take a long time to work out what it was.
Use unique passwords for sites by using a password manager, either in your browser to remember it, or LastPass or KeePass.
Consider changing high security passwords like your email account once every 3 months, remember your email is the key to resetting ALL other accounts out there. It needs to be as secure as your online bank or Paypal. These should have at least 9 character passwords, unique and be reset once every 3-6 months.
Password reset answers are a real weakness and you should consider making them more complex. Enable 2-factor auth if available, such as Google sending you an SMS code in order to reset your password - they offer this.
Gone are the days of 'apples21' being acceptable. They'll find a vulnerable site, SQL inject or extract the database contents; in some cases they'll need to rainbow table the passwords to work out what they were, and this can take time. They will then sort the accounts into their associated webmail services, script to test which work and which don't, and then sell the working ones.
If you're lucky it'll just get used for spam; if you're very unlucky somebody will search the email to find what services you use (Steam, Google Play etc.), reset the passwords for those and then sell those credentials. Play accounts go for £100, so you can see why they are motivated to do all this work.
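Several posters above found the intrusion by reading their Login Activity page and spotting sign-ins from Thailand on two devices within a minute. The following is an added example (not code from the thread or from Yahoo) of the check a user or an account-security team can run over such a log: it flags sign-ins from outside the account holder's usual countries, and a second device signing in from the same country within a short window, the pattern of a scripted credential test followed by a mail fetch. The CSV layout and the entries are constructed for the example; the real page's fields will differ.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of a webmail "login activity" list:
# timestamp, country, device type. Values are made up for this example.
SAMPLE_ACTIVITY = """2013-03-02 08:14:05,United Kingdom,Web browser
2013-03-03 21:40:11,Thailand,Web browser
2013-03-03 21:40:49,Thailand,Mobile
2013-03-04 09:02:30,United Kingdom,Mail client"""


def parse_activity(text):
    """Parse 'time,country,device' lines into dicts, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, country, device = [f.strip() for f in line.split(",")]
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "country": country, "device": device})
    return sorted(rows, key=lambda r: r["time"])


def flag_suspicious(rows, home_countries, window=timedelta(seconds=60)):
    """Return (reason, entry) pairs the account holder should look at.

    foreign_login       - sign-in from a country not in home_countries
    rapid_multi_device  - a different device type signed in from the same
                          country within `window` of a previous sign-in
    """
    flags = []
    for i, r in enumerate(rows):
        if r["country"] not in home_countries:
            flags.append(("foreign_login", r))
        # Only the few preceding entries can fall inside a 60-second window.
        for prev in rows[max(0, i - 5):i]:
            if (prev["country"] == r["country"]
                    and prev["device"] != r["device"]
                    and r["time"] - prev["time"] <= window):
                flags.append(("rapid_multi_device", r))
                break
    return flags


def reasons(text, home_countries):
    """Convenience wrapper: list of flag reasons in log order."""
    return [reason for reason, _ in flag_suspicious(parse_activity(text), home_countries)]


if __name__ == "__main__":
    for reason, entry in flag_suspicious(parse_activity(SAMPLE_ACTIVITY), {"United Kingdom"}):
        print(f"{reason:20} {entry['time']}  {entry['country']}  {entry['device']}")
```

Anything flagged is a reason to change the password and the reset question, not just to watch; the hijacker's mail client may already be fetching messages.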
I don't understand any of that.
But I think the key is for the likes of Yahoo to be less vulnerable to this sort of stuff or people will just abandon using them. :mad: