Is Yahoo Pwned?
If your Yahoo account has been hacked and you are looking for things to do to fix it, you can jump to Here.
I am seeing 2+ compromised Yahoo mail accounts per day and have been for at least the last week. I have also seen massive discussion online about this phenomenon. See: Here, Here, Here, and Here.
Clearly Yahoo is having a massive problem. Given the fact that the accounts being compromised include long dormant accounts, it seems clear that in some way Yahoo is pwned. Either they have lost control of their user/password database, which was stored either in plain text or poorly hashed, or there is some ongoing exploit against the server that is allowing the bad actors access to the Yahoo accounts.
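The first of those two possibilities, a leaked table of weak passwords stored in plain text or hashed badly, is worth seeing concretely. The Python below is an added example written for this page, not Yahoo's code or data: the user table and the guess list are constructed, and one of the three users has the kind of password ("F33l77!w!") recommended later on this page. It stores the same passwords first as unsalted MD5 and then as salted PBKDF2, runs the same dictionary attack against each store, and counts the hash computations the attacker needs.

```python
import hashlib
import os

# Constructed data for this example only: a short guess list and three users, one of whom
# uses the kind of long, strong password ("F33l77!w!") recommended later on this page.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "fluffy", "sunshine", "iloveyou"]
USERS = {"alice": "123456", "bob": "fluffy", "carol": "F33l77!w!"}

PBKDF2_ITERATIONS = 100_000


def store_unsalted_md5(users):
    """The 'poorly hashed' case: one fast, unsalted hash per password."""
    return {name: hashlib.md5(pw.encode()).hexdigest() for name, pw in users.items()}


def crack_unsalted(db, dictionary):
    """One table built from the guess list cracks every user at once.

    Returns (cracked {name: password}, number of hash computations performed)."""
    table = {hashlib.md5(guess.encode()).hexdigest(): guess for guess in dictionary}
    cracked = {name: table[h] for name, h in db.items() if h in table}
    return cracked, len(dictionary)


def store_salted_pbkdf2(users):
    """A proper password store: random per-user salt and a deliberately slow KDF."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS))
    return db


def crack_salted(db, dictionary):
    """Salt forces the whole guess list to be re-hashed for every user, and each hash is slow.

    Returns (cracked {name: password}, number of KDF computations performed)."""
    cracked, work = {}, 0
    for name, (salt, stored) in db.items():
        for guess in dictionary:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, PBKDF2_ITERATIONS) == stored:
                cracked[name] = guess
                break
    return cracked, work


if __name__ == "__main__":
    for label, store, crack in (("unsalted MD5", store_unsalted_md5, crack_unsalted),
                                ("salted PBKDF2", store_salted_pbkdf2, crack_salted)):
        cracked, work = crack(store(USERS), DICTIONARY)
        print(f"{label}: cracked {cracked} with {work} hash computations")
```

In both stores the two weak passwords fall and carol's does not. Salting and a slow KDF only change what the attacker has to spend per user (7 lookups against the unsalted table versus 13 PBKDF2 runs here, each of which costs about 100,000 times one MD5), so a leaked plain-text or fast-hashed table full of weak passwords is consistent with the pattern described above: mass compromise that sweeps in dormant accounts nobody has touched in years.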
Despite all this there has not been word one from Yahoo, other than reassurances that they have fixed a known side jacking attack (stealing a user's log-in cookie).
Yahoo must address this or face becoming a laughing stock, security-wise. The proper thing for them to do would be to force all account holders to reset their account passwords to long, strong, and hopefully unique passwords. They must also do all the necessary forensics to figure out what went wrong and why, announce it to the public, and announce what steps were taken to mitigate it.
Their current stance of stony silence is bad for their users, bad for Yahoo, and bad for business. The only ones their current silence serves are the bad actors, who are having a great old time and will continue to do so until Yahoo takes the necessary actions to shut them down.
The current problem, as I see it, is that Yahoo mail is mostly a free service and so Yahoo doesn't care much about the pain of their users. As long as people keep using Yahoo they are happy. So they will just say "Go change your password... Nothing to see here", moving the pain point to the end user.
I need to make it clear to Yahoo that unless I see clear actions to address this problem, my advice to clients will have to move from mitigation (change password, lower log-in timeout, activate 2 factor authentication) to a permanent solution (leave Yahoo).
I must say that I am close to this point. Mostly because Yahoo
seems to be blind to the fact that from a security standpoint
they are clearly bleeding out and letting users suffer possibly
grievous harm. I also have to assume that they are aware of the
problem so it has to be a matter of willful blindness for the
sake of avoiding a black eye.
Well Yahoo, you already have a black eye. And you are starting to get the stink of corporate arrogance (bottom line before end users) on you.
Until things change I will not suggest anyone sign up for a Yahoo account. I am going to be actively suggesting people deactivate and delete unused Yahoo accounts, and I will soon be suggesting that people who get compromised move to a secure and responsible provider, since (at the current time) Yahoo clearly doesn't qualify.
If you are currently a Yahoo user I strongly suggest that you:
- Change your password to something Long, Strong, and Unique:
  - Long = 8+ characters
  - Strong = not a word from the dictionary, not 123456, not the name of your dog; something like F33l77!w!
  - Unique = use it only for Yahoo.
- Drop your sign-in time to one day (this shortens the window in which a stolen log-in cookie can be used in a side jacking attack)
- If you are able, turn on 2 factor authentication with the second factor being your cellphone:
  This will (should) send a text message with an authentication code to your cell phone if you/someone tries to log in from an IP address that Yahoo hasn't seen before. This means that even if your password leaks the bad guys will (should) be stopped.
NB: I am saying "should" above because we do not know how the bad actors are getting access to the Yahoo accounts, and so there is a chance that it is a method that would bypass 2 factor authentication. I still recommend it because I suspect the problem is poor hashes of weak passwords.
To change these settings:
- Log in to your Yahoo mail account
- Click "Hi, <your name>" at the top right
- A drop-down menu will appear
- Click "Account Info"
- You will be asked for your password again
- Once you provide your password you'll be on the Account Info page
- Scroll down to the "Sign-in & Security" section
- Click "Change Password"
  - Follow along and change your password to something long and strong
- Click "Change Sign-In Options"
  - Use the drop-down to set your auto log-out to one day
- If you have a cellphone and a plan that supports free text messages you can
  - Click "Set-up Second Sign-in Verification"
  - Choose cellphone only
  - Provide your cell #
  - Wait for the authentication text
  - Enter the code you were sent to verify it's your phone
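To see why the one-day auto log-out and the cellphone second factor help, and why the answer above is only "should", here is an added Python model of the log-in rules as this page describes them. It is not Yahoo's code: the service, the user, the IP addresses (RFC 5737 documentation ranges) and the SMS delivery (an in-memory stand-in) are all constructed for the example. It challenges the first log-in from a never-seen IP with an SMS code, issues a session cookie that expires after one day, and then plays through the leaked-password case and the stolen-cookie (side jacking) case.

```python
import secrets
import time


class MailService:
    """Toy model of the log-in rules described on this page; hypothetical, not Yahoo's code."""

    def __init__(self, session_ttl_seconds, now=time.time):
        self.now = now                      # injectable clock so the example can fast-forward
        self.session_ttl = session_ttl_seconds
        self.users = {}                     # name -> {"password", "phone", "known_ips"}
        self.sessions = {}                  # cookie -> (name, expires_at)
        self.pending_codes = {}             # name -> code "sent" by SMS (stand-in for a gateway)

    def register(self, name, password, phone=None):
        self.users[name] = {"password": password, "phone": phone, "known_ips": set()}

    def login(self, name, password, ip, sms_code=None):
        """Returns ("ok", cookie), ("sms_required", None) or ("denied", None)."""
        rec = self.users.get(name)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            return ("denied", None)
        # Second sign-in verification: phone-enrolled user logging in from an IP not seen before.
        if rec["phone"] is not None and ip not in rec["known_ips"]:
            if sms_code is None:
                self.pending_codes[name] = f"{secrets.randbelow(10 ** 6):06d}"
                return ("sms_required", None)
            if not secrets.compare_digest(self.pending_codes.get(name, ""), sms_code):
                return ("denied", None)
            del self.pending_codes[name]
        rec["known_ips"].add(ip)
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (name, self.now() + self.session_ttl)
        return ("ok", cookie)

    def read_mail(self, cookie):
        """Every later request is authenticated by the cookie alone: no password, no SMS code."""
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        name, expires_at = entry
        if self.now() > expires_at:
            del self.sessions[cookie]       # auto log-out
            return None
        return name

    def sms_inbox(self, name):
        """Stand-in for reading the code off the user's phone."""
        return self.pending_codes.get(name)


def scenario():
    clock = [0.0]
    svc = MailService(session_ttl_seconds=24 * 3600, now=lambda: clock[0])
    svc.register("alice", "F33l77!w!", phone="+1-555-0100")   # constructed user
    out = {}

    # 1. Leaked password used from an IP never seen before: stopped at the SMS step.
    out["leaked_password_new_ip"] = svc.login("alice", "F33l77!w!", "203.0.113.9")[0]

    # 2. Alice from her own (also new) IP: challenged, then admitted with the code.
    svc.login("alice", "F33l77!w!", "198.51.100.7")
    status, cookie = svc.login("alice", "F33l77!w!", "198.51.100.7",
                               sms_code=svc.sms_inbox("alice"))
    out["owner_with_sms_code"] = status

    # 3. Side jacking: the attacker replays Alice's cookie. Neither password nor 2FA is consulted.
    out["stolen_cookie"] = svc.read_mail(cookie)

    # 4. One-day auto log-out: 25 hours later the stolen cookie no longer works.
    clock[0] += 25 * 3600
    out["stolen_cookie_after_one_day"] = svc.read_mail(cookie)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

Steps 1 and 2 are the case the second factor is built for: a leaked password alone gets an attacker no further than the SMS prompt. Step 3 is the case it does nothing for: a log-in cookie lifted off the wire is already past both checks, which is why a compromise method of that kind would bypass 2 factor authentication. Step 4 is what the shorter sign-in time buys you; it does not stop the theft, it puts a one-day limit on how long the stolen cookie stays useful.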
This site by Freemor is licensed under a Creative
Commons Attribution-ShareAlike 2.5 Canada License.
Permissions beyond the scope of this license may be available at
http://freemor.ca/Contact.htm.