
Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

  • Shal Farley
    Message 1 of 25 , Mar 10, 2013
      Donna,

      > I used to have a seal but it keeps disappearing so I gave up on
      > uploading a picture.

      I believe the key to the seal is stored in a browser cookie. I was having a problem where the seal would never stay on one computer, but was reliable on another. Eventually I cleared the list of blocked cookies in Firefox on that first computer and now the seal stays.

      > There is a new setting that I applied that keeps Internet cafe from
      > getting in my account. I do not know if that will help but I hope so. So
      > far so good. It has been three months since being hacked so I hope
      > blocking an Internet cafe user has helped.

      If you mean turning on https: (secure http) access for Yahoo Mail yes, that will help prevent session hijacking. And is a very good idea if you ever use Wi-Fi networks that are provided to the public or to customers of various types of businesses. However, that means of stealing account access is more associated with identity theft than with the widespread proliferation of spam emails we're seeing now.

      If you mean turning on second sign-in verification that will keep anyone out of your Yahoo account anywhere in the world, even if they've stolen your password. That too is a good thing (and I've turned it on for my accounts) although it does entail a little inconvenience when you first use a new machine. The flip side of it though is that it doesn't prevent the password theft itself, which might have involved being able to steal more than just your Yahoo password -- you still need to use other means to protect your online banking or shopping passwords.

      -- Shal
    • Shal Farley
      Message 2 of 25 , Mar 10, 2013
        Bruce,

        > It would be nice to know how the hackers are accessing accounts. Is it a
        > worm getting into users' computers? Have they compromised Yahoo's
        > computers? Have hackers managed to redirect Yahoo's users?
        > We may never find out,

        Not until someone with the knowledge and resources to do so captures the exploit's code and activities in a properly instrumented computer, then reports the findings. It is far from a trivial undertaking, which makes a public reporting less likely -- someone doing this would likely be paid for the effort.

        > but I would guess Yahoo is throwing a lot of resources at it.

        Maybe, if they perceive that there is a large reputation loss or other direct impact to justify the cost of the study. Absent that, if their own analysis is that their servers are not being compromised, that it is indeed the exploitation of users' computers that reveals the passwords, then they might take a "not my problem" attitude.

        > A FB friend said she put a seal on her sign in page and that she has not
        > had a problem since.

        The problem with all such anecdotal evidence is that the incidence rate of the (detection of) problems is low enough that "not having a problem since" could be associated with nearly any action taken or not taken.

        In the friend's case, the sign-in seal helps you recognize phishing attempts. It would offer no protection against a site that didn't pretend to be a Yahoo sign-in, that instead appeared benign but held code to exploit vulnerabilities in her browser/plugins/OS.

        In a world with multiple threats, and people who are not expert at recognizing the symptoms or reporting on their experience, there can be way too much confusion over cause and effect. The situation is in many ways worse than the "blind men and the elephant" parable: here it is a collection of blind men in a zoo.

        -- Shal
      • adeomus ********
        Message 3 of 25 , Mar 10, 2013

          i tried the seal thing a few times, it disappeared every time !

          ..But magic has a habit of lying low, 
          like a rake in the grass.

          ~Terry Pratchett~

          --- On Sun, 3/10/13, Bruce Lund <bruceedwardlund@...> wrote:

          From: Bruce Lund <bruceedwardlund@...>
          Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
          To: Y-Mail@yahoogroups.com
          Received: Sunday, March 10, 2013, 4:02 PM



          >>>I used to have a seal but it keeps disappearing so I gave up on uploading a picture.

          Have you considered the possibility that the time the seal was not there was when your system was compromised?

          Bruce Lund


          --- On Sun, 3/10/13, Donna Lee <donna74128@...> wrote:

          From: Donna Lee <donna74128@...>
          Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
          To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
          Date: Sunday, March 10, 2013, 9:11 AM



          I used to have a seal but it keeps disappearing so I gave up on uploading a picture. 

          I do not have a key logger for my security system would find it. The both times that I got hacked my system was clean so I see that someone hacked into my Yahoo account both times. There is a new setting that I applied that keeps Internet cafe from getting in my account. I do not know if that will help but I hope so. So far so good. It has been three months since being hacked so I hope blocking an Internet cafe user has helped. 

          Donna Ford Lee  ♂+♀=♡
          Tulsa, OK 

          Sent Via My iPhone

          On Mar 9, 2013, at 5:27 PM, Bruce Lund <bruceedwardlund@...> wrote:

          We don't yet know whether this is a Yahoo problem, although my email got hacked, too, about a month ago. You made an interesting comment that you never sign out of Gmail. If whatever is causing the problem is some sort of keylogger program, if you never type in your Gmail password, it can never capture it.

          It would be nice to know how the hackers are accessing accounts. Is it a worm getting into users' computers? Have they compromised Yahoo's computers? Have hackers managed to redirect Yahoo's users? We may never find out, but I would guess Yahoo is throwing a lot of resources at it. A FB friend said she put a seal on her sign in page and that she has not had a problem since.

          Bruce Lund




        • lena_kiev
          Message 4 of 25 , Mar 10, 2013
            > i tried the seal thing a few times, it disappeared every time !

            If you or a security software delete cookies in the browser
            then the seal disappears.
          • Shal Farley
            Message 5 of 25 , Mar 10, 2013
              adeomus,

              > i tried the seal thing a few times, it disappeared every time !

              I think that would happen if you have your browser set to delete cookies after every session.

              -- Shal
            • Makc666
              Message 6 of 25 , Mar 12, 2013
                Donna,

                Not the first time you say that your system was clean.

                It is not true because every day "your" antivirus company adds new virus signatures to their database. And if there was a new, undetected malware in your system, then how can you say that your system is clean?
                Also pay attention to the fact that future malware knows how to delete itself from your system.

                In other words there is no magic when your account has been hacked.
                And saying that it is not my fault is wrong.

                Maxim

                --- In Y-Mail@yahoogroups.com, Donna Lee <donna74128@...> wrote:
                >
                > I used to have a seal but it keeps disappearing so I gave up on uploading a picture.
                >
                > I do not have a key logger for my security system would find it. The both times that I got hacked my system was clean so I see that someone hacked into my Yahoo account both times. There is a new setting that I applied that keeps Internet cafe from getting in my account. I do not know if that will help but I hope so. So far so good. It has been three months since being hacked so I hope blocking an Internet cafe user has helped.
                >
                > Donna
              • Donna Lee
                Message 7 of 25 , Jun 18, 2013
                  http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/

                  This is sent for informational purposes only.

                  I wish Yahoo would find that hole for I was a victim of a hack yesterday!! I did not click on ANY links from others. I scanned my PC and she is clean so once again I had to change my password ARGH!

                  I am running out of password ideas!!!

                  Yahoo is losing my confidence lately and I am thinking that I may cancel payment to Yahoo email. I love my groups though so I am stuck between a rock and a hard place!

                  Donna Ford Lee ♂+♀=♡
                  Tulsa, OK

                  Sent Via My iPhone
                • Shal Farley
                  Message 8 of 25 , Jun 18, 2013
                    Donna,

                    > I am running out of password ideas!!!

                    Generally speaking, password ideas are a bad idea.

                    I use PasswordSafe to generate and store random passwords, a separate
                    one for each service I use. It also helps protect against simple
                    keylogging malware -- I never type my online passwords, PasswordSafe can
                    fill in the username and password at most login pages, or copy/paste the
                    password through the clipboard.
                    <http://passwordsafe.sourceforge.net/>

                    > Yahoo is losing my confidence lately and I am thinking that I may
                    > cancel payment to Yahoo email. I love my groups though so I am stuck
                    > between a rock and a hard place!

                    You don't need a Yahoo Mail address to run Yahoo Groups, and you
                    certainly don't need a paid Mail Plus account. You need not feel stuck
                    at all.

                    -- Shal
                  • Lorrie
                    Message 9 of 25 , Jun 18, 2013
                      My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

                      Lorrie

                      Lorries Green World
                      http://minilorrie.2itb.com
                      Thompson, Manitoba, Canada

                      --- On Tue, 6/18/13, Shal Farley <shal@...> wrote:
                       

                       

                      Donna,

                      > I am running out of password ideas!!!

                      Generally speaking, password ideas are a bad idea.

                      I use PasswordSafe to generate and store random passwords, a separate
                      one for each service I use. It also helps protect against simple
                      keylogging malware -- I never type my online passwords, PasswordSafe can
                      fill in the username and password at most login pages, or copy/paste the
                      password through the clipboard.
                      <http://passwordsafe.sourceforge.net/>

                      > Yahoo is losing my confidence lately and I am thinking that I may
                      > cancel payment to Yahoo email. I love my groups though so I am stuck
                      > between a rock and a hard place!

                      You don't need a Yahoo Mail address to run Yahoo Groups, and you
                      certainly don't need a paid Mail Plus account. You need not feel stuck
                      at all.

                      -- Shal

                    • Kenneth
                      Message 10 of 25 , Jun 18, 2013
                        Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer.  They're not going to know whose passwords are more challenging until after the fact.  And if yours was less challenging, then they've just hacked yours sooner rather than later.


                        From: Lorrie <minilorrie@...>
                        To: Y-Mail@yahoogroups.com
                        Sent: Tuesday, June 18, 2013 1:53 PM
                        Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

                         
                        My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

                        Lorrie

                      • Jodi Upchurch
                        Message 11 of 25 , Jun 18, 2013
                          A Few Of My Yahoo! Accounts, I Had To Change My Password For...............Hang In There
                           
                          From: Lorrie
                          Sent: Tuesday, June 18, 2013 3:53 PM
                          Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
                           
                           

                          My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

                          Lorrie

                          Lorries Green World
                          http://minilorrie.2itb.com
                          Thompson, Manitoba, Canada

                          --- On Tue, 6/18/13, Shal Farley <shal@...> wrote:


                           

                          Donna,

                          > I am running out of password ideas!!!

                          Generally speaking, password ideas are a bad idea.

                          I use PasswordSafe to generate and store random passwords, a separate
                          one for each service I use. It also helps protect against simple
                          keylogging malware -- I never type my online passwords, PasswordSafe can
                          fill in the username and password at most login pages, or copy/paste the
                          password through the clipboard.
                          <http://passwordsafe.sourceforge.net/>

                          > Yahoo is losing my confidence lately and I am thinking that I may
                          > cancel payment to Yahoo email. I love my groups though so I am stuck
                          > between a rock and a hard place!

                          You don't need a Yahoo Mail address to run Yahoo Groups, and you
                          certainly don't need a paid Mail Plus account. You need not feel stuck
                          at all.

                          -- Shal

                        • Harryh
                          Message 12 of 25 , Jun 18, 2013
                            The real risk of passwords lies in the fact that crackers can do them in short order - see http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

                            And should a hacker get into the user files where passwords are hashed, knowing a few facts can make the entire list vulnerable. Further since most users may use a similar password scheme for all their sites, banking may be at risk from an email hack.   I suspect that the only solution is a password generator that assigns a large random set of mixed characters per site.  Conversion to a generator can be painful but necessary.


                            From: Kenneth <justkenneth@...>
                            To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
                            Sent: Tuesday, June 18, 2013 5:22 PM
                            Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web



                            Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer. 
                            <snip>

                            From: Lorrie <minilorrie@...>
                            To: Y-Mail@yahoogroups.com
                            Sent: Tuesday, June 18, 2013 1:53 PM
                            Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

                             
                            My password is really simple and not very secure.  I have had it for years.  Never had any problems. 
                            <snip>






                          • lena_kiev
                            Message 13 of 25 , Jun 18, 2013
                              > From: Harryh <harryh89@...>

                              > And should a hacker get into the user files where passwords are hashed

                              Trojans steal cleartext passwords - stored in the browser, or when
                              the form is filled (form-grabbing). Complexity of passwords
                              doesn't matter at all. Strong (long, complicated, unique) passwords
                              are stolen as easily as simple ones. In case of this cracker+spammer
                              strong passwords give a false sense of security.
                            • Chris J Brady
                              Message 14 of 25 , Jun 19, 2013
                                The hackers of Yahoo accounts are not guys sitting at a PC keyboard randomly typing in characters like the proverbial monkeys typing in the complete works of Shakespeare. Neither is it a computer generating random letter passwords and trying them until one fits. That's old skool. 

                                The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This in turn sends the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is the hackers get the latest version. 

                                The virus script does two other things. Periodically - until removed - it sends an email out - with a one line URL to another rogue website - to one, many, all contacts in the user's address book.

                                Secondly it sends the entire address book to the hackers. This can be used to send out fraudulent emails appealing for cash because the user has lost his/her passport on a surprise trip overseas, or has been imprisoned in a foreign country and needs urgent cash to be released, etc.

                                I have not found out how to remove the XML / Javascript / whatever code that represents the virus. Perhaps someone here can say. Virus protection apps will not detect it.

                                However I understand that one protection is to ALWAYS log out of a Yahoo session after finishing which apparently then kills the cookie containing the user's account and password.

                                But if the hackers have a user's complete address book then there's nothing to stop them from using the contents to send begging emails.

                                CJB ..
                                   

                                --- On Wed, 19/6/13, Kenneth <justkenneth@...> wrote:

                                From: Kenneth <justkenneth@...>
                                Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
                                To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
                                Date: Wednesday, 19 June, 2013, 0:22

                                 

                                Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer.  They're not going to know whose passwords are more challenging until after the fact.  And if yours was less challenging, then they've just hacked yours sooner rather than later.


                                From: Lorrie <minilorrie@...>
                                To: Y-Mail@yahoogroups.com
                                Sent: Tuesday, June 18, 2013 1:53 PM
                                Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

                                 
                                My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

                                Lorrie

                              • Raymond B. Normandeau NYC
                                Message 15 of 25 , Jun 19, 2013
                                  Isn't this how Facebook and LinkedIn etc are able to
                                  "see which of your friends are already members"?

                                  Are perhaps all the hack victims also members of one of the above?

                                  --
                                  Considering VistaPrint?
                                  See http://www.ripoffreport.com/directory/vista-print.aspx
                                  http://www.consumeraffairs.com/online/vistaprint.html

                                  --- On Wed, 6/19/13, Chris J Brady <chrisjbrady@...> wrote:

                                  From: Chris J Brady <chrisjbrady@...>
                                  Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
                                  ...
                                   
                                  The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This in turn sends the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is the hackers get the latest version. 
                                  ...
                                • lena_kiev
                                  Message 16 of 25 , Jun 19, 2013
                                    > From: Chris J Brady <chrisjbrady@...>

                                    > The hackers of Yahoo accounts are not guys sitting at a PC keyboard
                                    > randomly typing in characters like the proverbial monkeys typing in
                                    > the complete works of Shakespeare. Neither is it a computer
                                    > generating random letter passwords and trying them until one fits.

                                    Right.

                                    > The vulnerability is that a user having clicked on an embedded URL
                                    > in an email is taken to a rogue webpage. Or maybe has not even
                                    > clicked on an embedded URL and in the course of surfing has
                                    > been taken to a rogue webpage. This has installed a virus (a
                                    > snippet of XML / Javascript / whatever / code) onto the user's PC.

                                    Right.

                                    > This in turn sends the Yahoo cookie file containing the account
                                    > name and password to the hackers.

                                    Not cookie, but yahooID and password, not hashed.

                                    Then another piece of malware uses a bot in another victim's computer
                                    (in a random country) to give the yahooID and password to the
                                    m.yahoo.com website (for mobile devices) and get a yahoo cookie
                                    (containing a hash) in return. That leaves a line "Mobile Logged In"
                                    in the first victim's "Recent sign-in activity" (linked from Account Info).
                                    Then (usually via the same bot, sometimes via another bot in another
                                    country, but in under a minute) it uses that cookie to access
                                    regular mail.yahoo.com website to harvest email addresses from
                                    letters in Sent and Inbox folder (and possibly Contacts too) and spam them.
                                    That leaves another line "Mail Access" in the first victim's
                                    "Recent sign-in activity".

                                    I can't test myself because my country isn't in the list
                                    (yahoo cannot send me a SMS).
                                    Please somebody who "Set up your second sign-in verification"
                                    Sign Out, then on the m.yahoo.com/mail website sign in,
                                    preferably via another ISP.
                                    Does the m.yahoo.com website (used by the felon too)
                                    require to type something from SMS?

                                    > The virus script does two other things. Periodically - until removed

                                    Until the password is changed. The trojan which stole the password
                                    doesn't send the spam, it only phones home the stolen password.

                                    Another piece of malware does this:

                                    > it sends an email out - with a one line URL to another rogue
                                    > website - to one, many, all contacts in the user's address book.

                                    Or/and addresses harvested from letters in Sent and Inbox folders.

                                    > I have not found out how to remove the XML / Javascript / whatever
                                    > code that represents the virus. Perhaps someone here can say. Virus
                                    > protection apps will not detect it.

                                    The felon tests the drive-by exploit kit
                                    and (stealthy encrypted polymorphic) trojan it installs
                                    against multiple antiviruses
                                    and makes sure that the exploit kit and trojan
                                    can evade or disable all the antiviruses.
                                    Antivirus vendors lost the war.

                                    > However I understand that one protection is to ALWAYS log out of a
                                    > Yahoo session after finishing which apparently then kills the cookie
                                    > containing the user's account and password.

                                    The trojan steals password, not cookie. So, to Sign Out is useless
                                    in this case.
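
The sign-in pattern described in message 16 above (a "Mobile Logged In" entry followed in under a minute by "Mail Access", sometimes from another country) can be checked for mechanically in an account's "Recent sign-in activity". This is an added example, not part of the original thread; the log layout, the country codes, the sample rows and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of a "Recent sign-in activity" listing. The column layout
# (time | event | country) is an assumption made for this example; only the
# two event labels "Mobile Logged In" and "Mail Access" come from the thread.
SAMPLE_ACTIVITY = """\
2013-06-10 08:15:02 | Mail Access      | US
2013-06-12 19:40:11 | Mobile Logged In | US
2013-06-12 19:47:30 | Mail Access      | US
2013-06-17 03:22:41 | Mobile Logged In | RO
2013-06-17 03:23:05 | Mail Access      | VN
2013-06-18 09:01:00 | Mail Access      | US
"""

# "in under a minute", per the description in the thread.
WINDOW = timedelta(minutes=1)


def parse_activity(text):
    """Parse 'time | event | country' rows into dicts sorted by time."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        events.append({"time": when, "event": parts[1], "country": parts[2]})
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_pairs(events, home_countries, window=WINDOW):
    """Flag a mobile sign-in followed within `window` by mail access.

    A quick pair alone is not flagged, because the account owner can produce
    one too. It is flagged when the sign-in came from outside the owner's
    usual countries, or when the country changed between the two entries.
    """
    findings = []
    last_mobile = None
    for ev in events:
        if ev["event"] == "Mobile Logged In":
            last_mobile = ev
        elif ev["event"] == "Mail Access" and last_mobile is not None:
            gap = ev["time"] - last_mobile["time"]
            if gap <= window:
                reasons = []
                if last_mobile["country"] not in home_countries:
                    reasons.append("mobile sign-in from unfamiliar country")
                if ev["country"] != last_mobile["country"]:
                    reasons.append("country changed between sign-in and mail access")
                if reasons:
                    findings.append({
                        "login_time": last_mobile["time"],
                        "login_country": last_mobile["country"],
                        "access_country": ev["country"],
                        "gap_seconds": int(gap.total_seconds()),
                        "reasons": reasons,
                    })
            # Each mobile sign-in is paired with at most one mail access.
            last_mobile = None
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_pairs(parse_activity(SAMPLE_ACTIVITY), {"US"}):
        print(hit["login_time"], hit["login_country"], "->",
              hit["access_country"], f'{hit["gap_seconds"]}s', hit["reasons"])
```

A hit means the password itself is known to someone else, so the response is to change it from a machine believed to be clean.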