Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

  • Jodi Upchurch
    Message 1 of 25 , Jun 18, 2013
      A Few Of My Yahoo! Accounts, I Had To Change My Password For...............Hang In There
       
      From: Lorrie
      Sent: Tuesday, June 18, 2013 3:53 PM
      Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
       
       

      My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

      Lorrie

      Lorries Green World
      http://minilorrie.2itb.com
      Thompson, Manitoba, Canada

      --- On Tue, 6/18/13, Shal Farley <shal@...> wrote:


       

      Donna,

      > I am running out of password ideas!!!

      Generally speaking, password ideas are a bad idea.

      I use PasswordSafe to generate and store random passwords, a separate
      one for each service I use. It also helps protect against simple
      keylogging malware -- I never type my online passwords, PasswordSafe can
      fill in the username and password at most login pages, or copy/paste the
      password through the clipboard.
      <http://passwordsafe.sourceforge.net/>

      > Yahoo is losing my confidence lately and I am thinking that I may
      > cancel payment to Yahoo email. I love my groups though so I am stuck
      > between a rock and a hard place!

      You don't need a Yahoo Mail address to run Yahoo Groups, and you
      certainly don't need a paid Mail Plus account. You need not feel stuck
      at all.

      -- Shal

    • lena_kiev
      Message 2 of 25 , Jun 18, 2013
        > From: Harryh <harryh89@...>

        > And should a hacker get into the user files where passwords are hashed

        Trojans steal cleartext passwords - stored in the browser, or when
        the form is filled (form-grabbing). Complexity of passwords
        doesn't matter at all. Strong (long, complicated, unique) passwords
        are stolen as easily as simple ones. In case of this cracker+spammer
        strong passwords give false sense of security.
      • Chris J Brady
        Message 3 of 25 , Jun 19, 2013
          The hackers of Yahoo accounts are not guys sitting at a PC keyboard randomly typing in characters like the proverbial monkeys typing in the complete works of Shakespeare. Neither is it a computer generating random letter passwords and trying them until one fits. That's old skool. 

          The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This in turn sends the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is, the hackers get the latest version.

          The virus script does two other things. Periodically - until removed - it sends an email out - with a one line URL to another rogue website - to one, many, all contacts in the user's address book.

          Secondly it sends the entire address book to the hackers. This can be used to send out fraudulent emails appealing for cash because the user has lost his/her passport on a surprise trip overseas, or has been imprisoned in a foreign country and needs urgent cash to be released, etc.

          I have not found out how to remove the XML / Javascript / whatever code that represents the virus. Perhaps someone here can say. Virus protection apps will not detect it.

          However I understand that one protection is to ALWAYS log out of a Yahoo session after finishing which apparently then kills the cookie containing the user's account and password.

          But if the hackers have a user's complete address book then there's nothing to stop them from using the contents to send begging emails.

          CJB ..
             

          --- On Wed, 19/6/13, Kenneth <justkenneth@...> wrote:

          From: Kenneth <justkenneth@...>
          Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
          To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
          Date: Wednesday, 19 June, 2013, 0:22

           

          Perhaps a complicated password is more of a challenge for hackers, but that doesn't mean a simple password is safer.  They're not going to know whose passwords are more challenging until after the fact.  And if yours was less challenging, then they've just hacked yours sooner rather than later.


          From: Lorrie <minilorrie@...>
          To: Y-Mail@yahoogroups.com
          Sent: Tuesday, June 18, 2013 1:53 PM
          Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web

           
          My password is really simple and not very secure.  I have had it for years.  Never had any problems.  I am just wondering if the more difficult you make your password, the more the hackers try and get it.  Maybe it gives them more of a challenge.  A lot of people that I have talked to that have been hacked say that their passwords were very complicated yet they were stolen numerous times.  Just my thoughts LOL.

          Lorrie

        • Raymond B. Normandeau NYC
          Message 4 of 25 , Jun 19, 2013
            Isn't this how Facebook and LinkedIn etc are able to
            "see which of your friends are already members"?

            Are perhaps all the hack victims also members of one of the above?

            --
            Considering VistaPrint?
            See http://www.ripoffreport.com/directory/vista-print.aspx
            http://www.consumeraffairs.com/online/vistaprint.html

            --- On Wed, 6/19/13, Chris J Brady <chrisjbrady@...> wrote:

            From: Chris J Brady <chrisjbrady@...>
            Subject: Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoo’s Mail users continue reporting hacking incidents - The Next Web
            ...
             
            The vulnerability is that a user having clicked on an embedded URL in an email is taken to a rogue webpage. Or maybe has not even clicked on an embedded URL and in the course of surfing has been taken to a rogue webpage. This has installed a virus (a snippet of XML / Javascript / whatever / code) onto the user's PC. This in turn sends the Yahoo cookie file containing the account name and password to the hackers. So it doesn't matter what the password is or when it is changed or how complicated it is, the hackers get the latest version.
            ...
          • lena_kiev
            Message 5 of 25 , Jun 19, 2013
              > From: Chris J Brady <chrisjbrady@...>

              > The hackers of Yahoo accounts are not guys sitting at a PC keyboard
              > randomly typing in characters like the proverbial monkeys typing in
              > the complete works of Shakespeare. Neither is it a computer
              > generating random letter passwords and trying them until one fits.

              Right.

              > The vulnerability is that a user having clicked on an embedded URL
              > in an email is taken to a rogue webpage. Or maybe has not even
              > clicked on an embedded URL and in the course of surfing has
              > been taken to a rogue webpage. This has installed a virus (a
              > snippet of XML / Javascript / whatever / code) onto the user's PC.

              Right.

              > This is turn sends the the Yahoo cookie file containing the account
              > name and password to the hackers.

              Not cookie, but yahooID and password, not hashed.

              Then another piece of malware uses a bot in another victim's computer
              (in a random country) to give the yahooID and password to the
              m.yahoo.com website (for mobile devices) and get a yahoo cookie
              (containing a hash) in return. That leaves a line "Mobile Logged In"
              in the first victim's "Recent sign-in activity" (linked from Account Info).
              Then (usually via the same bot, sometimes via another bot in another
              country, but in under a minute) it uses that cookie to access the
              regular mail.yahoo.com website to harvest email addresses from
              letters in the Sent and Inbox folders (and possibly Contacts too) and spam them.
              That leaves another line "Mail Access" in the first victim's
              "Recent sign-in activity".

              I can't test myself because my country isn't in the list
              (yahoo cannot send me an SMS).
              Please, somebody who has "Set up your second sign-in verification":
              Sign Out, then sign in on the m.yahoo.com/mail website,
              preferably via another ISP.
              Does the m.yahoo.com website (used by the felon too)
              require typing something from the SMS?

              > The virus script does two other things. Periodically - until removed

              Until the password is changed. The trojan which stole the password
              doesn't send the spam, it only phones home the stolen password.

              Another piece of malware does this:

              > it sends an email out - with a one line URL to another roge
              > website - to one, many, all contacts in the user's address book.

              Or/and addresses harvested from letters in the Sent and Inbox folders.

              > I have not found out how to remove the XML / Javascript / whatever
              > code that represent the virus. Perhaps someone here can say. Virus
              > protection apps will not detect it.

              The felon tests the drive-by exploit kit
              and the (stealthy, encrypted, polymorphic) trojan it installs
              against multiple antiviruses
              and makes sure that the exploit kit and trojan
              can evade or disable all the antiviruses.
              Antivirus vendors lost the war.

              > However I understand that one protection is to ALWAYS log out of a
              > Yahoo session after finishing which apparently then kills the cookie
              > containing the user's account and password.

              The trojan steals the password, not the cookie. So signing out is useless
              in this case.
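Added example, not part of the Y-Mail thread: the two-step pattern lena_kiev describes above (a "Mobile Logged In" from a bot in one country, then "Mail Access" from a different address within about a minute) is exactly the kind of thing an account owner or a mail provider's detection logic can look for in sign-in activity. The record format, the constructed sample lines and the function names below are all assumptions made for this example; they are not Yahoo's real "Recent sign-in activity" export.

```python
# Added example, not from the Y-Mail thread: flag the two-step pattern
# lena_kiev describes ("Mobile Logged In" from one country, then "Mail Access"
# from another bot within about a minute) in sign-in activity records.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample records. The column layout (timestamp, event, country, IP)
# is an assumption for this example, not Yahoo's real "Recent sign-in activity"
# export. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2013-06-18T14:02:11Z Browser Logged In  CA  203.0.113.7
2013-06-18T14:03:40Z Mail Access        CA  203.0.113.7
2013-06-18T22:15:03Z Mobile Logged In   BR  198.51.100.23
2013-06-18T22:15:41Z Mail Access        UA  192.0.2.99
2013-06-19T08:30:00Z Browser Logged In  CA  203.0.113.7
2013-06-19T08:30:20Z Mail Access        CA  203.0.113.7
"""


@dataclass
class Event:
    when: datetime
    kind: str      # e.g. "Mobile Logged In", "Mail Access"
    country: str   # two-letter country code
    ip: str


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated records. The event name may contain spaces,
    so take the first token as the timestamp and the last two as country and IP."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(when, " ".join(parts[1:-2]), parts[-2], parts[-1]))
    return events


def infer_home_country(events: List[Event]) -> str:
    """Treat the country the owner usually signs in from (the most common
    'Browser Logged In' country) as home."""
    counts = Counter(e.country for e in events if e.kind == "Browser Logged In")
    return counts.most_common(1)[0][0]


def find_suspicious(events: List[Event],
                    window: timedelta = timedelta(minutes=1)) -> List[Tuple[Event, Event]]:
    """Return (login, access) pairs where a 'Mobile Logged In' from outside the
    home country is followed within `window` by 'Mail Access' from a different
    IP. A legitimate phone login normally reads mail from the same address."""
    home = infer_home_country(events)
    events = sorted(events, key=lambda e: e.when)
    hits = []
    for i, login in enumerate(events):
        if login.kind != "Mobile Logged In" or login.country == home:
            continue
        for later in events[i + 1:]:
            if later.when - login.when > window:
                break  # past the window; stop scanning for this login
            if later.kind == "Mail Access" and later.ip != login.ip:
                hits.append((login, later))
    return hits


if __name__ == "__main__":
    for login, access in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"suspicious: {login.kind} {login.country} {login.ip} -> "
              f"{access.kind} {access.country} {access.ip} "
              f"({(access.when - login.when).seconds}s later)")
```

Run as-is it reports the BR login followed 38 seconds later by mail access from UA, and stays quiet about the owner's own browser sessions. Because the trojan phones home the cleartext password rather than a cookie, a hit like this is a signal to change the password from a clean machine, not merely to sign out.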