Loading ...
Sorry, an error occurred while loading the content.

Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo???s Mail users continue reporting hacking incidents - The Next Web

Expand Messages
  • lena_kiev
    ... Read the comments to that article, there is talk about cracked Gmail accounts too. I saw AOL and Hotmail/MSN/live.com. ... I never had this problem with my
    Message 1 of 25 , Mar 9, 2013
    • 0 Attachment
      > From: Donna Lee <donna74128@...>

      > If it is Windows then why wasn't Gmail attacked too?!?

      Read the comments to that article, there is talk about cracked Gmail
      accounts too. I saw AOL and Hotmail/MSN/live.com.

      > As for me I have never had a problem with my Gmail.

      I never had this problem with my yahooMail mailbox. So?

      > My Yahoo account has been the issue!! So as for me I do blame Yahoo

      Yeah, it's easier to blame somebody than to switch to a free
      operating system on the same computer.

      > >> http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/?fromcat=all
      > >>
      > >> This is interesting. Yahoo has plugged a couple of holes but
      > >> it is not enough.
      > >
      > > yahoo cannot plug holes in Windows, antiviruses, browsers and their plugins
      > > (Java, Acrobat, Flash). I replied (thrice now) in comments to that
      > > article - search for my name Lena
      > >
      > >> Yahoo email is still vulnerable.
      > >
      > > Windows (in yahoo users' computers) is vulrerable perpetually.
      > > It's just easier to blame yahoo.
    • Bruce Lund
      We don t yet know whether this is a Yahoo problem, although my email got hacked, too, about a month ago. You made an interesting comment that you never sign
      Message 2 of 25 , Mar 9, 2013
      • 0 Attachment
        We don't yet know whether this is a Yahoo problem, although my email got hacked, too, about a month ago. You made an interesting comment that you never sign out of Gmail. If whatever is causing the problem is some sort of keylogger program, if you never type in your Gmail password, it can never capture it.

        It would be nice to know how the hackers are accessing accounts. Is it a worm getting into users' computers? Have they compromised Yahoo's computers? Have hackers managed to redirect Yahoo's users? We may never find out, but I would guess Yahoo is throwing a lot of resources at it. A FB friend said she put a seal on her sign in page and that she has not had a problem since.

        Bruce Lund


        --- On Sat, 3/9/13, Donna Lee <donna74128@...> wrote:

        From: Donna Lee <donna74128@...>
        Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo???s Mail users continue reporting hacking incidents - The Next Web
        To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
        Date: Saturday, March 9, 2013, 10:40 AM

        If it is Windows then why wasn't Gmail attacked too?!?

        As for me I have never had a problem with my Gmail. My Yahoo account has been the issue!! So as for me I do blame Yahoo because my Gmail has never had this problem. I stay logged in Gmail all the time too. If it were Windows why wasn't my Gmail account hit too?!? I blame Yahoo's lack of security!

        Donna Ford Lee  ♂+♀=♡
        Tulsa, OK

        Don't cry because it's over,
        smile because it happened.

        Sent Via My iPhone

        On Mar 9, 2013, at 4:51 AM, Lena@... wrote:

        >> From: Donna Lee <donna74128@...>
        >>
        >> http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/?fromcat=all
        >>
        >> This is interesting. Yahoo has plugged a couple of holes but
        >> it is not enough.
        >
        > yahoo cannot plug holes in Windows, antiviruses, browsers and their plugins
        > (Java, Acrobat, Flash). I replied (thrice now) in comments to that
        > article - search for my name Lena
        >
        >> Yahoo email is still vulnerable.
        >
        > Windows (in yahoo users' computers) is vulrerable perpetually.
        > It's just easier to blame yahoo.
        >
        >


        ------------------------------------

        ***
        DISCLAIMER : Please note that this is a discussion group only. We do not provide official support.
        YAHOO MAIL OFFICIAL CUSTOMER SUPPORT is  available at : http://is.gd/54K8A
        ***Yahoo! Groups Links

        <*> To visit your group on the web, go to:
            http://groups.yahoo.com/group/Y-Mail/

        <*> Your email settings:
            Individual Email | Traditional

        <*> To change settings online go to:
            http://groups.yahoo.com/group/Y-Mail/join
            (Yahoo! ID required)

        <*> To change settings via email:
            Y-Mail-digest@yahoogroups.com
            Y-Mail-fullfeatured@yahoogroups.com

        <*> To unsubscribe from this group, send an email to:
            Y-Mail-unsubscribe@yahoogroups.com

        <*> Your use of Yahoo! Groups is subject to:
            http://docs.yahoo.com/info/terms/

      • Donna Lee
        I used to have a seal but it keeps disappearing so I gave up on uploading a picture. I do not have a key logger for my security system would find it. The both
        Message 3 of 25 , Mar 10, 2013
        • 0 Attachment
          I used to have a seal but it keeps disappearing so I gave up on uploading a picture. 

          I do not have a key logger for my security system would find it. The both times that I got hacked my system was clean so I see that someone hacked into my Yahoo account both times. There is a new setting that I applied that keeps Internet cafe from getting in my account. I do not know if that will help but I hope so. So far so good. It has been three months since being hacked so I hope blocking an Internet cafe user has helped. 

          Donna Ford Lee  ♂+♀=♡
          Tulsa, OK 

          Sent Via My iPhone

          On Mar 9, 2013, at 5:27 PM, Bruce Lund <bruceedwardlund@...> wrote:

          We don't yet know whether this is a Yahoo problem, although my email got hacked, too, about a month ago. You made an interesting comment that you never sign out of Gmail. If whatever is causing the problem is some sort of keylogger program, if you never type in your Gmail password, it can never capture it.

          It would be nice to know how the hackers are accessing accounts. Is it a worm getting into users' computers? Have they compromised Yahoo's computers? Have hackers managed to redirect Yahoo's users? We may never find out, but I would guess Yahoo is throwing a lot of resources at it. A FB friend said she put a seal on her sign in page and that she has not had a problem since.

          Bruce Lund
        • Donna Lee
          LUCKY YOU!! You got a Mac I suppose. When I got hacked I had a CLEAN machine including free of key loggers so someone hacked in my email. Yes it can happen in
          Message 4 of 25 , Mar 10, 2013
          • 0 Attachment
            LUCKY YOU!! You got a Mac I suppose.

            When I got hacked I had a CLEAN machine including free of key loggers so someone hacked in my email.

            Yes it can happen in Gmail or any other web mail.

            If it is Windows then again why would my Yahoo get hit and not my Gmail at the same time?!?

            Sorry --- Yahoo gets the blame! Since I had a CLEAN PC!

            Donna Ford Lee ♂+♀=♡
            Tulsa, OK

            Sent Via My iPhone

            On Mar 9, 2013, at 11:23 AM, Lena@... wrote:

            >> From: Donna Lee <donna74128@...>
            >
            >> If it is Windows then why wasn't Gmail attacked too?!?
            >
            > Read the comments to that article, there is talk about cracked Gmail
            > accounts too. I saw AOL and Hotmail/MSN/live.com.
            >
            >> As for me I have never had a problem with my Gmail.
            >
            > I never had this problem with my yahooMail mailbox. So?
            >
            >> My Yahoo account has been the issue!! So as for me I do blame Yahoo
            >
            > Yeah, it's easier to blame somebody than to switch to a free
            > operating system on the same computer.
            >
            >>>> http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/?fromcat=all
            >>>>
            >>>> This is interesting. Yahoo has plugged a couple of holes but
            >>>> it is not enough.
            >>>
            >>> yahoo cannot plug holes in Windows, antiviruses, browsers and their plugins
            >>> (Java, Acrobat, Flash). I replied (thrice now) in comments to that
            >>> article - search for my name Lena
            >>>
            >>>> Yahoo email is still vulnerable.
            >>>
            >>> Windows (in yahoo users' computers) is vulrerable perpetually.
            >>> It's just easier to blame yahoo.
            >
            >
            > ------------------------------------
            >
            > ***
            > DISCLAIMER : Please note that this is a discussion group only. We do not provide official support.
            > YAHOO MAIL OFFICIAL CUSTOMER SUPPORT is available at : http://is.gd/54K8A
            > ***Yahoo! Groups Links
            >
            >
            >
          • lena_kiev
            ... I gave a couple explanations in the comments to that article.
            Message 5 of 25 , Mar 10, 2013
            • 0 Attachment
              > From: Donna Lee <donna74128@...>

              > If it is Windows then again why would my Yahoo get hit
              > and not my Gmail at the same time?!?

              I gave a couple explanations in the comments to that article.
              http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/?fromcat=all

              I have a question for you:
              why your yahoo mailbox password was stolen but mine wasn't?

              > I do not have a key logger for my security system would find it.

              Security system vendors lost in the war with maintainers of
              drive-by exploit kits and stealthy encrypted polymorphic trojans.
              Of course, the vendors will not admit that to you outright,
              they want your money. You want to believe them that you are safe.
              Alas, you aren't. So you'll pay for next Windows version, and next...
            • Bruce Lund
              ... Have you considered the possibility that the time the seal was not there was when your system was compromised? Bruce Lund ... From: Donna Lee
              Message 6 of 25 , Mar 10, 2013
              • 0 Attachment
                >>>I used to have a seal but it keeps disappearing so I gave up on uploading a picture.

                Have you considered the possibility that the time the seal was not there was when your system was compromised?

                Bruce Lund


                --- On Sun, 3/10/13, Donna Lee <donna74128@...> wrote:

                From: Donna Lee <donna74128@...>
                Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo???s Mail users continue reporting hacking incidents - The Next Web
                To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
                Date: Sunday, March 10, 2013, 9:11 AM



                I used to have a seal but it keeps disappearing so I gave up on uploading a picture. 

                I do not have a key logger for my security system would find it. The both times that I got hacked my system was clean so I see that someone hacked into my Yahoo account both times. There is a new setting that I applied that keeps Internet cafe from getting in my account. I do not know if that will help but I hope so. So far so good. It has been three months since being hacked so I hope blocking an Internet cafe user has helped. 

                Donna Ford Lee  ♂+♀=♡
                Tulsa, OK 

                Sent Via My iPhone

                On Mar 9, 2013, at 5:27 PM, Bruce Lund <bruceedwardlund@...> wrote:

                We don't yet know whether this is a Yahoo problem, although my email got hacked, too, about a month ago. You made an interesting comment that you never sign out of Gmail. If whatever is causing the problem is some sort of keylogger program, if you never type in your Gmail password, it can never capture it.

                It would be nice to know how the hackers are accessing accounts. Is it a worm getting into users' computers? Have they compromised Yahoo's computers? Have hackers managed to redirect Yahoo's users? We may never find out, but I would guess Yahoo is throwing a lot of resources at it. A FB friend said she put a seal on her sign in page and that she has not had a problem since.

                Bruce Lund


              • Shal Farley
                Donna, ... I believe the key to the seal is stored in a browser cookie. I was having a problem where the seal would never stay on one computer, but was
                Message 7 of 25 , Mar 10, 2013
                • 0 Attachment
                  Donna,

                  > I used to have a seal but it keeps disappearing so I gave up on
                  > uploading a picture.

                  I believe the key to the seal is stored in a browser cookie. I was having a problem where the seal would never stay on one computer, but was reliable on another. Eventually I cleared the list of blocked cookies in Firefox on that first computer and now the seal stays.

                  > There is a new setting that I applied that keeps Internet cafe from
                  > getting in my account. I do not know if that will help but I hope so. So
                  > far so good. It has been three months since being hacked so I hope
                  > blocking an Internet cafe user has helped.

                  If you mean turning on https: (secure http) access for Yahoo Mail yes, that will help prevent session hijacking. And is a very good idea if you ever use Wi-Fi networks that are provided to the public or to customers of various types of businesses. However, that means of stealing account access is more associated with identity theft than with the widespread proliferation of spam emails we're seeing now.

                  If you mean turning on second sign-in verification that will keep anyone out of your Yahoo account anywhere in the world, even if they've stolen your password. That too is a good thing (and I've turned it on for my accounts) although it does entail a little inconvenience when you first use a new machine. The flip side of it though is that it doesn't prevent the password theft itself, which might have involved being able to steal more than just your Yahoo password -- you still need to use other means to protect your online banking or shopping passwords.

                  -- Shal
                • Shal Farley
                  Bruce, ... Not until someone with the knowledge and resources to do so captures the exploit s code and activities in an properly instrumented computer, then
                  Message 8 of 25 , Mar 10, 2013
                  • 0 Attachment
                    Bruce,

                    > It would be nice to know how the hackers are accessing accounts. Is it a
                    > worm getting into users' computers? Have they compromised Yahoo's
                    > computers? Have hackers managed to redirect Yahoo's users?
                    > We may never find out,

                    Not until someone with the knowledge and resources to do so captures the exploit's code and activities in an properly instrumented computer, then reports the findings. It is far from a trivial undertaking, which makes a public reporting less likely -- someone doing this would likely be paid for the effort.

                    > but I would guess Yahoo is throwing a lot of resources at it.

                    Maybe, if they perceive that there is a large reputation loss or other direct impact to justify the cost of the study. Absent that, if their own analysis is that their servers are not being compromised, that it is indeed the exploitation of user's computers that reveals the passwords, then they might take a "not my problem" attitude.

                    > A FB friend said she put a seal on her sign in page and that she has not
                    > had a problem since.

                    The problem with all such anecdotal evidence is that the incidence rate of the (detection of) problems is low enough that "not having a problem since" could be associated with nearly any action taken or not taken.

                    In the friend's case, the sign-in seal helps you recognize phishing attempts. It would offer no protection against a site that didn't pretend to be a Yahoo sign-in, that instead appeared benign but held code to exploit vulnerabilities in her browser/plugins/OS.

                    In a world with multiple threats, and people who are not expert at recognizing the symptoms or reporting on their experience, there can be way too much confusion over cause and effect. The situation is in many ways worse than the "blind men and the elephant" parable: here it is a collection of blind men in a zoo.

                    -- Shal
                  • adeomus ********
                    i tried the seal thing a few times, it disappeared every time ! ..But magic has a habit of lying low, like a rake in the grass. ~Terry Pratchett~ ... From:
                    Message 9 of 25 , Mar 10, 2013
                    • 0 Attachment

                      i tried the seal thing a few times, it disappeared every time !

                      ..But magic has a habit of lying low, 
                      like a rake in the grass.

                      ~Terry Pratchett
                      ~














                      --- On Sun, 3/10/13, Bruce Lund <bruceedwardlund@...> wrote:

                      From: Bruce Lund <bruceedwardlund@...>
                      Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo???s Mail users continue reporting hacking incidents - The Next Web
                      To: Y-Mail@yahoogroups.com
                      Received: Sunday, March 10, 2013, 4:02 PM



                      >>>I used to have a seal but it keeps disappearing so I gave up on uploading a picture.

                      Have you considered the possibility that the time the seal was not there was when your system was compromised?

                      Bruce Lund


                      --- On Sun, 3/10/13, Donna Lee <donna74128@...> wrote:

                      From: Donna Lee <donna74128@...>
                      Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo???s Mail users continue reporting hacking incidents - The Next Web
                      To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
                      Date: Sunday, March 10, 2013, 9:11 AM



                      I used to have a seal but it keeps disappearing so I gave up on uploading a picture. 

                      I do not have a key logger for my security system would find it. The both times that I got hacked my system was clean so I see that someone hacked into my Yahoo account both times. There is a new setting that I applied that keeps Internet cafe from getting in my account. I do not know if that will help but I hope so. So far so good. It has been three months since being hacked so I hope blocking an Internet cafe user has helped. 

                      Donna Ford Lee  ♂+♀=♡
                      Tulsa, OK 

                      Sent Via My iPhone

                      On Mar 9, 2013, at 5:27 PM, Bruce Lund <bruceedwardlund@...> wrote:

                      We don't yet know whether this is a Yahoo problem, although my email got hacked, too, about a month ago. You made an interesting comment that you never sign out of Gmail. If whatever is causing the problem is some sort of keylogger program, if you never type in your Gmail password, it can never capture it.

                      It would be nice to know how the hackers are accessing accounts. Is it a worm getting into users' computers? Have they compromised Yahoo's computers? Have hackers managed to redirect Yahoo's users? We may never find out, but I would guess Yahoo is throwing a lot of resources at it. A FB friend said she put a seal on her sign in page and that she has not had a problem since.

                      Bruce Lund




                    • lena_kiev
                      ... If you or a security software delete cookies in the browser then the seal disappears.
                      Message 10 of 25 , Mar 10, 2013
                      • 0 Attachment
                        > i tried the seal thing a few times, it disappeared every time !

                        If you or a security software delete cookies in the browser
                        then the seal disappears.
                      • Shal Farley
                        adeomus, ... I think that would happen if you have your browser set to delete cookies after every session. -- Shal
                        Message 11 of 25 , Mar 10, 2013
                        • 0 Attachment
                          adeomus,

                          > i tried the seal thing a few times, it disappeared every time !

                          I think that would happen if you have your browser set to delete cookies after every session.

                          -- Shal
                        • Makc666
                          Donna, Not the first time you say that your system was clean. It not true because every day your antivirus company adds new virus signatures to their
                          Message 12 of 25 , Mar 12, 2013
                          • 0 Attachment
                            Donna,

                            Not the first time you say that your system was clean.

                            It not true because every day "your" antivirus company adds new virus signatures to their database. And if there was a new, undetected malware in you system, then how you can say that your system is clean.
                            Also pay attention to the fact that future malware knows how to delete itself from your system.

                            In other words there is no magic when your account is been hacked.
                            And saying that it is not my fault is wrong.

                            Maxim

                            --- In Y-Mail@yahoogroups.com, Donna Lee <donna74128@...> wrote:
                            >
                            > I used to have a seal but it keeps disappearing so I gave up on uploading a picture.
                            >
                            > I do not have a key logger for my security system would find it. The both times that I got hacked my system was clean so I see that someone hacked into my Yahoo account both times. There is a new setting that I applied that keeps Internet cafe from getting in my account. I do not know if that will help but I hope so. So far so good. It has been three months since being hacked so I hope blocking an Internet cafe user has helped.
                            >
                            > Donna
                          • Donna Lee
                            http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/ This is sent for
                            Message 13 of 25 , Jun 18 3:46 AM
                            • 0 Attachment
                              http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/

                              This is sent for informational purposes only.

                              I wish Yahoo would find that hole for I was a victim of a hack yesterday!! I did not click on ANY links from others. I scanned my PC and she is clean so once again I had to change my password ARGH!

                              I am running out of password ideas!!!

                              Yahoo is loosing my confidence lately and I am thinking that I may cancel payment to Yahoo email. I love my groups though so I am stuck between a rock and a hard place!

                              Donna Ford Lee ♂+♀=♡
                              Tulsa, OK

                              Sent Via My iPhone
                            • Shal Farley
                              Donna, ... Generally speaking, password ideas are a bad idea. I use PasswordSafe to generate and store random passwords, a separate one for each service I use.
                              Message 14 of 25 , Jun 18 11:10 AM
                              • 0 Attachment
                                Donna,

                                > I am running out of password ideas!!!

                                Generally speaking, password ideas are a bad idea.

                                I use PasswordSafe to generate and store random passwords, a separate
                                one for each service I use. It also helps protect against simple
                                keylogging malware -- I never type my online passwords, PasswordSafe can
                                fill in the username and password at most login pages, or copy/paste the
                                password through the clipboard.
                                <http://passwordsafe.sourceforge.net/>

                                > Yahoo is loosing my confidence lately and I am thinking that I may
                                > cancel payment to Yahoo email. I love my groups though so I am stuck
                                > between a rock and a hard place!

                                You don't need a Yahoo Mail address to run Yahoo Groups, and you
                                certainly don't need a paid Mail Plus account. You need not feel stuck
                                at all.

                                -- Shal
                              • Lorrie
                                My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make
                                Message 15 of 25 , Jun 18 1:53 PM
                                • 0 Attachment
                                  My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

                                  Lorrie

                                  Lorries Green World
                                  http://minilorrie.2itb.com
                                  Thompson, Manitoba, Canada

                                  --- On Tue, 6/18/13, Shal Farley <shal@...> wrote:
                                   

                                   

                                  Donna,

                                  > I am running out of password ideas!!!

                                  Generally speaking, password ideas are a bad idea.

                                  I use PasswordSafe to generate and store random passwords, a separate
                                  one for each service I use. It also helps protect against simple
                                  keylogging malware -- I never type my online passwords, PasswordSafe can
                                  fill in the username and password at most login pages, or copy/paste the
                                  password through the clipboard.
                                  <http://passwordsafe.sourceforge.net/>

                                  > Yahoo is loosing my confidence lately and I am thinking that I may
                                  > cancel payment to Yahoo email. I love my groups though so I am stuck
                                  > between a rock and a hard place!

                                  You don't need a Yahoo Mail address to run Yahoo Groups, and you
                                  certainly don't need a paid Mail Plus account. You need not feel stuck
                                  at all.

                                  -- Shal

                                • Kenneth
                                  Perhaps a complicated password is more of a challenge for hackers, but that doesn t mean a simple password is safer.  They re not going to know whose
                                  Message 16 of 25 , Jun 18 4:22 PM
                                  • 0 Attachment
                                    Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer.  They're not going to know whose passwords are more challenging until after the fact.  And if yours was less challenging, then they've just hacked yours sooner rather than later.


                                    From: Lorrie <minilorrie@...>
                                    To: Y-Mail@yahoogroups.com
                                    Sent: Tuesday, June 18, 2013 1:53 PM
                                    Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

                                     
                                    My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

                                    Lorrie

                                  • Jodi Upchurch
                                    A Few Of My Yahoo! Accounts, I Had To Change My Password For...............Hang In There From: Lorrie Sent: Tuesday, June 18, 2013 3:53 PM To:
                                    Message 17 of 25 , Jun 18 6:35 PM
                                    • 0 Attachment
                                      A Few Of My Yahoo! Accounts, I Had To Change My Password For...............Hang In There
                                       
                                      From: Lorrie
                                      Sent: Tuesday, June 18, 2013 3:53 PM
                                      Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
                                       
                                       

                                      My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

                                      Lorrie

                                      Lorries Green World
                                      http://minilorrie.2itb.com
                                      Thompson, Manitoba, Canada

                                      --- On Tue, 6/18/13, Shal Farley <shal@...> wrote:


                                       

                                      Donna,

                                      > I am running out of password ideas!!!

                                      Generally speaking, password ideas are a bad idea.

                                      I use PasswordSafe to generate and store random passwords, a separate
                                      one for each service I use. It also helps protect against simple
                                      keylogging malware -- I never type my online passwords, PasswordSafe can
                                      fill in the username and password at most login pages, or copy/paste the
                                      password through the clipboard.
                                      <http://passwordsafe.sourceforge.net/>

                                      > Yahoo is loosing my confidence lately and I am thinking that I may
                                      > cancel payment to Yahoo email. I love my groups though so I am stuck
                                      > between a rock and a hard place!

                                      You don't need a Yahoo Mail address to run Yahoo Groups, and you
                                      certainly don't need a paid Mail Plus account. You need not feel stuck
                                      at all.

                                      -- Shal

                                    • Harryh
                                      The real risk of passwords lies in the fact that crackers can do them in short order - see
                                      Message 18 of 25 , Jun 18 9:30 PM
                                      • 0 Attachment
                                        The real risk of passwords lies in the fact that crackers can do them in short order - see http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

                                        And should a hacker get into the user files where passwords are hashed, knowing a few facts can make the entire list vulnerable. Further since most users may use a similar password scheme for all their sites, banking may be at risk from an email hack.   I suspect that the only solution is a password generator that assigns a large random set of mixed characters per site.  Conversion to a generator can be painful but necessary.


                                        From: Kenneth <justkenneth@...>
                                        To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
                                        Sent: Tuesday, June 18, 2013 5:22 PM
                                        Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web



                                        Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer. 
                                        <snip>

                                        From: Lorrie <minilorrie@...>
                                        To: Y-Mail@yahoogroups.com
                                        Sent: Tuesday, June 18, 2013 1:53 PM
                                        Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

                                         
                                        My password is really simple and not very secure.  I have had it for years.  Never had any problems. 
                                        <snip>






                                      • lena_kiev
                                        ... Trojans steal cleartext passwords - stored in the browser, or when the form is filled (form-grabbing). Complexity of passwords doesn t matter at all.
                                        Message 19 of 25 , Jun 18 10:08 PM
                                        • 0 Attachment
                                          > From: Harryh <harryh89@...>

                                          > And should a hacker get into the user files where passwords are hashed

                                          Trojans steal cleartext passwords - stored in the browser, or when
                                          the form is filled (form-grabbing). Complexity of passwords
                                          doesn't matter at all. Strong (long, complicate, unique) passwords
                                          are stolen as easlily as simple ones. In case of this cracker+spammer
                                          strong passwords give false sense of security.
                                        • Chris J Brady
                                          The hackers of Yahoo accounts are not guys sitting at a PC keyboard randomly typing in characters like the proverbial monkeys typing in the complete works of
                                          Message 20 of 25 , Jun 19 1:58 AM
                                          • 0 Attachment
                                            The hackers of Yahoo accounts are not guys sitting at a PC keyboard randomly typing in characters like the proverbial monkeys typing in the complete works of Shakespeare. Neither is it a computer generating random letter passwords and trying them until one fits. That's old skool. 

                                            The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been  taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This is turn sends the the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is the hackers get the latest version. 

                                            The virus script does two other things. Periodically - until removed - it sends an email out - with a one line URL to another roge website - to one, many, all contacts in the user's address book.

                                            Secondly it sends the entire address book to the hackers. This can be used to send out fraudulent emails appealing for cash because the user has lost his/her passport on a surprise trip overseas, or has been imprisoned in a foreign country and needs urgent cash to be released, etc.

                                            I have not found out how to remove the XML / Javascript / whatever code that represent the virus. Perhaps someone here can say. Virus protection apps will not detect it.

                                            However I understand that one protection is to ALWAYS log out of a Yahoo session after finishing which apparently then kills the cookie containing the user's account and password.

                                            But if the hackers have a user's complete address book then there's nothing to stop them from using the contents to send begging emails.

                                            CJB ..
                                               

                                            --- On Wed, 19/6/13, Kenneth <justkenneth@...> wrote:

                                            From: Kenneth <justkenneth@...>
                                            Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
                                            To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
                                            Date: Wednesday, 19 June, 2013, 0:22

                                             

                                            Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer.  They're not going to know whose passwords are more challenging until after the fact.  And if yours was less challenging, then they've just hacked yours sooner rather than later.


                                            From: Lorrie <minilorrie@...>
                                            To: Y-Mail@yahoogroups.com
                                            Sent: Tuesday, June 18, 2013 1:53 PM
                                            Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

                                             
                                            My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

                                            Lorrie

                                          • Raymond B. Normandeau NYC
                                            Isn t this how Facebook and LinkedIn etc are able to see which of your friends are already members ? Are perhaps all the hack victims also members of one of
                                            Message 21 of 25 , Jun 19 7:03 AM
                                            • 0 Attachment
                                              Isn't this how Facebook and LinkedIn etc are able to
                                              "see which of your friends are already members"?

                                              Are perhaps all the hack victims also members of one of the above?

                                              --
                                              Considering VistaPrint?
                                              See http://www.ripoffreport.com/directory/vista-print.aspx
                                              http://www.consumeraffairs.com/online/vistaprint.html

                                              --- On Wed, 6/19/13, Chris J Brady <chrisjbrady@...> wrote:

                                              From: Chris J Brady <chrisjbrady@...>
                                              Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
                                              ...
                                               
                                              The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been  taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This is turn sends the the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is the hackers get the latest
                                              version. 
                                              ...
                                            • lena_kiev
                                              ... Right. ... Right. ... Not cookie, but yahooID and password, not hashed. Then another piece of malware uses a bot in another victim s computer (in a random
                                              Message 22 of 25 , Jun 19 7:10 AM
                                              • 0 Attachment
                                                > From: Chris J Brady <chrisjbrady@...>

                                                > The hackers of Yahoo accounts are not guys sitting at a PC keyboard
                                                > randomly typing in characters like the proverbial monkeys typing in
                                                > the complete works of Shakespeare. Neither is it a computer
                                                > generating random letter passwords and trying them until one fits.

                                                Right.

                                                > The vulnerability is that a user having clicked on an embedded URL
                                                > in an email is taken to a rogue webpage. Or maybe has not even
                                                > clicked on an embedded URL and in the course of surfing has
                                                > been taken to a rogue webpage. This has installed a virus (a
                                                > snippet of XML / Javascript / whatever / code) onto the user's PC.

                                                Right.

                                                > This is turn sends the the Yahoo cookie file containing the account
                                                > name and password to the hackers.

                                                Not cookie, but yahooID and password, not hashed.

                                                Then another piece of malware uses a bot in another victim's computer
                                                (in a random country) to give the yahooID and password to the
                                                m.yahoo.com website (for mobile devices) and get an yahoo cookie
                                                (containing a hash) in return. That leaves a line "Mobile Logged In"
                                                in first victim's "Recent sign-in activity" (linked from Account Info).
                                                Then (usually via the same bit, sometimes via another bot in another
                                                country, but in under a minute) it uses that cookie to access
                                                regular mail.yahoo.com website to harvest email address from
                                                letters in Sent and Inbox folder (and possibly Contacts too) and spam them.
                                                That leaves another line "Mail Access" in first victim's
                                                "Recent sign-in activity".

                                                I can't test myself because my country isn't in the list
                                                (yahoo cannot send me a SMS).
                                                Please somebody who "Set up your second sign-in verification"
                                                Sign Out, then on the m.yahoo.com/mail website sign in,
                                                preferably via another ISP.
                                                Does the m.yahoo.com website (used by the felon too)
                                                require to type something from SMS?

                                                > The virus script does two other things. Periodically - until removed

                                                Until the password is changed. The trojan which stole the password
                                                doesn't send the spam, it only phones home the stolen password.

                                                Another piece of malware does this:

                                                > it sends an email out - with a one line URL to another roge
                                                > website - to one, many, all contacts in the user's address book.

                                                Or/and addresses harvested from letters in Send and Inbox folders.

                                                > I have not found out how to remove the XML / Javascript / whatever
                                                > code that represent the virus. Perhaps someone here can say. Virus
                                                > protection apps will not detect it.

                                                The felon tests the drive-by exploit kit
                                                and (stealthy encrypted polymorphic) trojan it installs
                                                aganinst multiple antiviruses
                                                and makes sure that the exploit kit and trojan
                                                can evade or disable all the antiviruses.
                                                Antivirus vendors lost the war.

                                                > However I understand that one protection is to ALWAYS log out of a
                                                > Yahoo session after finishing which apparently then kills the cookie
                                                > containing the user's account and password.

                                                The trojan steals password, not cookie. So, to Sign Out is useless
                                                in this case.
                                              Your message has been successfully submitted and would be delivered to recipients shortly.