Yahoo accounts under attack
February 12, 2013 3:24 AM   Subscribe

This last month, three of my family/friends had their Yahoo accounts hacked into with all sorts of unpleasantness ensuing. I'd like to save all my important info elsewhere.

I just received a message from a friend's account, saying that she and her family had been robbed in Liverpool, and that they needed money urgently (clearly, this didn't happen). No other info was included (no bank account or anything about how the money was to be sent etc), but all her contacts and all her emails vanished. This is the third time something like this happened during the last month, but I've sporadically seen variations on this for about 2 years (the first one was my dad, but in that case the email included on information on how the money was to be transferred, and he could recuperate his account untouched – kind of like this seems to have gone down).

It seems that this kind of attack on Yahoo accounts is increasing, and I'd like to move my emails out of harm's way. The problem is that I have several thousands of emails (many of which wouldn't be a great loss) and I've no idea how to move the lot in one big chunk elsewhere (maybe to my computer? or an online storage space, if such things even exist?). Is this possible?

Another question, if you have ever come across this - is it possible for my friend to recover her emails/ contacts/ links? Is everything gone for good or just hidden away somewhere? If time is of the essence (as in, if everything is deposited somewhere and then deleted after x period of time, as if in an invisible spam folder), she might still have a chance - the email is only a couple of hours old at most.

Another worry after reading this Askme - what links my Yahoo account to other sites, like ebay, Amazon etc? Is it just because I have used it for buying things on ebay, Amazon and the like? And what can I do about this - change my password on those sites?

One last question (or three) - as far as I know, all of the people who had this problem (cca 10 - 12 all told, including the ones who didn't have their accounts wiped clean) all have Yahoo accounts - is this issue a Yahoo thing, or do people with other providers also experience this? Does it make sense to move email accounts to a different service? Do you have recommendations re. a more reliable and secure provider?

Thanks a lot for your help, and apologies for the urgent tone - we feel slightly panicky about this, a lot of important stuff gone.
posted by miorita to Computers & Internet (19 answers total) 4 users marked this as a favorite
Best answer: Another worry after reading this Askme - what links my Yahoo account to other sites, like ebay, Amazon etc? Is it just because I have used it for buying things on ebay, Amazon and the like? And what can I do about this - change my password on those sites?

The accounts aren't linked directly, but if someone has access to your email, they can request password resets to get sent to your email for any sites you used that email to sign up for.

Set up two factor authentication and your chances of getting hacked become very small, unless they also have your cellphone.

If you still want to go to gmail or something, gmail will automatically import everything when you sign up.
posted by empath at 3:52 AM on February 12, 2013

Best answer: This isn't a Yahoo thing. This is a people pretending crap passwords are good enough because good passwords are inconvenient thing.

There's no need to move your stuff out of Yahoo. Just use a password safe and make sure all the passwords you ever use are long, random and unique.
posted by flabdablet at 3:54 AM on February 12, 2013 [2 favorites]

Best answer: Just because I don't think the previous two comments are explicit enough: your family and friends almost certainly gave away their own passwords. They either entered them into a malicious site, opened up an attachment that installed a keylogger on their computers, or something similar. It's possible that the breach was on yahoo's end, but FAR more likely that they compromised their own accounts. And even if you move to gmail and use 1password or something similar, poor security practices on your part (and theirs!) can still compromise important information.

So it's important for everyone here to understand good passwords and have good habits online, which means "don't open random attachments," "don't click links in emails and then enter your information into the sites you go to," all that stuff.
posted by kavasa at 4:02 AM on February 12, 2013 [4 favorites]

Best answer: Oh, and keep a local backup.
posted by flabdablet at 4:04 AM on February 12, 2013

Best answer: I think there are three points here:

1. Your family have weak passwords. Make them use stronger ones.
2. Your family probably entered their password on somewhere that isn't Yahoo! Educate them.
3. Your family's computers are probably not secure. Secure them. Check them. Virus scan them. Don't let them use an Administrator account.
posted by devnull at 4:12 AM on February 12, 2013

Best answer: And never log into yahoo from their computers, they're probably infested with viruses.
posted by empath at 4:14 AM on February 12, 2013

Best answer: Thunderbird is a reasonable choice if you don't already have a local mail client to use those IMAP settings with.
posted by flabdablet at 4:15 AM on February 12, 2013 [1 favorite]

Best answer: Yahoo has a process for recovering deleted mails if they don't simply show up in the Trash. You will need to act quickly though, because they only keep 48 hours worth of backups.

Gmail has something similar.
posted by flabdablet at 4:24 AM on February 12, 2013 [1 favorite]

Best answer: While this isn't necessarily a yahoo thing, it does seem that yahoo's being heavily targeted (I've had 2 friends get theirs hacked just this week). So you can strengthen you password, but for your own peace of mind you probably want to migrate off it anyhow.
posted by DoubleLune at 6:13 AM on February 12, 2013

Best answer: Yahoo experienced a notable security breach recently. If this was the mechanism used to steal the credentials of the people you know, then yes, it was a "Yahoo thing".
posted by Inspector.Gadget at 7:16 AM on February 12, 2013

Response by poster: Thank you for your answers - I prepared a little "care package" from your info and the links you sent and forwarded it to all my contacts. Will probably also open a gmail account and import all my stuff.

Changed passwords and told everyone to do same - turns out a lot of us did have weak passwords and/or were using the same password across the internet. We've now become a hush-hush spy-squad.

I've also repeated the "don't open links/attachments unless source is very clear" mantra.

My friend wrote to Yahoo to see if anything can be done about this - if she gets a positive answer and manages to recuperate any of her info, I will update here in case other users have a similar problem.

I'm gonna mark everything "best answer" - they all contributed to making today seem more purposeful and less panicky.
posted by miorita at 1:50 PM on February 12, 2013

Inspector.Gadget, if you read the link you'll note that the "Yahoo thing" still requires that the user click a link sent to them in an email. No matter how secure your email provider is, if you're clicking random email links you're still definitely vulnerable.
posted by kavasa at 3:49 PM on February 12, 2013

Best answer: Also worth noting is that the vulnerability in question was based on cross-site scripting, that Yahoo is by no means alone in demonstrating historical vulnerability to cross-site scripting attacks, that they fixed the flaws fairly swiftly, and that choosing to browse with Firefox and NoScript will stop almost all attacks in that class dead in their tracks.

NoScript's primary purpose is to block all JavaScript except that originating from sites explicitly whitelisted by the user. So even without the XSS protection stuff it does as well, NoScript would have stopped the attack against Yahoo, which relied on the user's browser being allowed to run JavaScript code from a fake site that looked like MSNBC but was actually hosted at *
posted by flabdablet at 8:17 PM on February 12, 2013 [1 favorite]

Response by poster: Thanks flabdablet and kavasa - much of the information I took in since I started this Askme goes way over my head, I must admit. Still, after reading Inspecotr.Gadget's link, one of the things which struck the nebulous mass of Yahoo/IT-related info in my head is that cookies, or keeping them stored on my computer, might be helping potential attackers. Is there any good practice re. cookies? Should they be cleaned out regularly? And if yes, where do I find them?

Thanks a lot again, and apologies for the avalanche of supplementary questions.
posted by miorita at 12:40 PM on February 13, 2013

Best answer: The only cookies that could conceivably help an attacker compromise your Yahoo account are the very same session cookies your browser stores in order to keep you logged in. They're automatically deleted when you log out; in fact it's the act of deleting them that does log you out.

The only reason people sometimes like to clean out their accumulated cookies is to get rid of the persistent ones left behind by advertising servers, which those servers can use to keep track of your page views. Deleting those is a privacy thing, not an identify theft prevention thing.

Just about any browser will have some kind of cookie management interface built in under Settings or Preferences or Options.
posted by flabdablet at 4:56 PM on February 13, 2013

Best answer: Just thought I'd pop in again to mention that this morning I got an obvious phishing mail from one of my friends - turns out her Gmail account has just been compromised and abused in pretty much the same way as your friend's Yahoo account, including deletion of all emails and contacts. So thanks for prompting me to go look up Gmail's deletion recovery form - that saved a little time after she called me this afternoon.

One nice feature that Gmail has, which I'm not sure Yahoo also has, is a Recent Activity window that shows you the last few places your Gmail account was used from. That window also includes a "sign out all other sessions" button, letting you lock out any attacker who is logged on at the same time as you (a savvy attacker could also use that to lock you out, of course).

In my friend's case, among all the activity listed from a browser at her Australian IP address were two anomalous entries from a US IP address around 4am, the first one labelled "unknown" and the second labelled "browser".

And for what it's worth, she thought her password was pretty strong because it was based on a Dutch word. So there you go - cracker bots in 2013 are using international dictionaries.

She's downloaded KeePass Portable 1.25 and by now ought to be reading the online help and learning how to use it.
posted by flabdablet at 2:43 AM on February 14, 2013

Best answer: much of the information I took in since I started this Askme goes way over my head, I must admit.

Answering technical questions here is always tough, because the answerers don't generally start out with much of an idea of how much the asker already knows. If there are specific things currently over your head that you'd rather be more informed about, post back and I'll do my best either to explain them or to point you to existing resources that should help.

If the whole idea of using password safe software is currently one of those things, I strongly urge you to start with the KeePass introductory help, then download the portable version 1.25, unzip it to a USB stick and start playing with it. See the links in my previous message.

The basic rule of passwords, in 2013, is that any password that's simple enough for you to remember is too simple to keep you safe online. The only truly good passwords are long (12 characters or more if made of mixed-case letters, numbers and punctuation marks, 16 characters or more if made of single-case letters only), machine-generated at random, not shared across services, and mostly machine-remembered.

The single master password you do need to remember in order to open your own password safe should be strong as well. I use an 18 character sequence of lowercase letters and numbers which I spent twenty minutes, split into four 5-minute sessions over four days, typing over and over until my fingers remembered it without me having to think about it. It's good enough. Here's one for you.
posted by flabdablet at 3:04 AM on February 14, 2013

Response by poster: Dear flabdablet, thank you so much for your answers - so very very kind of you! I'm really touched by your patience re. the whole IT-idiot thing. You've made the e-maze seem so much more manageable. I've now have a password which is more than 20 characters long, and KeePass is on my to-do list for tomorrow.

Good luck to your friend as well.

I wish I could send something good your way through the ether...
posted by miorita at 2:11 PM on February 14, 2013

For the benefit of bystanders: my friend did get her deleted mails and contacts back after I filled in the Gmail vandalism report form for her. So that does work.

Now she's combing through all those mails looking for credit card numbers, bank account numbers, passwords and so forth that might be of use to her attacker for identity theft purposes, with a view to getting those changed with her service providers.

The whole process of dealing with a mail account compromise is a complete pain in the arse. After years in IT support, though, I have come to accept that for most people it's a pain in the arse they need to experience personally before having the motivation to look into the available tools and practices for preventing it.

If only the same were not true of making backups. Sigh.
posted by flabdablet at 7:55 PM on February 15, 2013

« Older Is it Fuzzuary already?   |   Stats: is a set of values within a normal range? Newer »
This thread is closed to new comments.