Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2

Author Topic: Yahoo account hacked  (Read 18290 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Yahoo account hacked
« on: April 25, 2013, 08:20:33 PM »

This morning I logged into a rarely used yahoo account.   Twenty minutes later, somebody from Georgia logged in and spammed all my contacts.   It won't have done them much good as the only contacts were me and myself, at different addresses, but it was certainly hacked as can be seen from the 'recent logins' page.

Now... I like to get to the bottom of these things.   Do I have to assume that machine I logged in from has been compromised?   It was my Mac and, whilst OS/X is not immune to nasties, it is a smaller target than Microsoft and so probability is reduced.

Any opinions welcome.

7LM
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Yahoo account hacked
« Reply #1 on: April 25, 2013, 10:08:59 PM »

With apologies for the monologue, I may have a partial explanation as to why the hack seemed to triggered by an actual login.

..Yahoo has only just started supporting SSL, and it's not on by default!  >:(

See http://help.yahoo.com/kb/index?locale=en_US&y=PROD_MAIL_ML&page=content&id=SLN3610

However, SSL was already in use for the login page, so I still can't figure out how they got my password.   One useful feature of Yahoo is the 'recent activity' page, which clearly show the hacker logging  in from an IP in Georgia, so they clearly the did get that password.  Which has now of course been changed, using a different browser in a different PC.

There's not an awful lot of choice when it comes to AV software for MAC, so I have downloaded a trial Kaspersky and will do a full scan overnight.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Yahoo account hacked
« Reply #2 on: April 26, 2013, 01:13:56 AM »

I cant comment on the o/s although there are keyloggers out there for Macs that could be introduced via malicious means.

I know that years ago, the most common reason for yahoo mail accounts being hacked was brute force (bots) on the password - paticularly so if your user name was something that could be in demand.

However, I find it strange that the attack was triggered shortly after your own log in... more so if its one that youve not logged in to for a while...  to me this would imply some sort of phishing sceme.

Just to check, how did you login...  was it via a bookmark...  or via an email link?
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Yahoo account hacked
« Reply #3 on: April 26, 2013, 01:25:21 AM »

Hmmm...   on reflection it looks like your yahoo account has been hacked by this recent attack.   The report is sketchy on details (probably for obvious reasons) but at a guess it would appear the fault lies with something on the yahoo servers. 

I would have hoped that yahoo would have identified the compromised accounts and advised their users.     Out of interest, once youd logged in to your mail, did you look at any emails that may have been a tad strange.

http://www.channel4.com/news/yahoos-email-system-hacked-by-criminal-spammers


-----------


Ive since seen a few reports that Mac users are being affected, and also that changing your password doesnt always help.   Looks like yahoo mail may have a big problem atm :(

eg
http://uk.answers.yahoo.com/question/index?qid=20130316172423AAh2tfD


It would seem that yahoo says its plugged the leak, but according to the following it would appear not and users accounts are still being compromised :(

http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/?fromcat=all

This (to me) would seem to point to the fact that somewhere in your yahoo mailbox there was a corrupt mail just waiting to be opened.
« Last Edit: April 26, 2013, 01:40:06 AM by kitz »
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Yahoo account hacked
« Reply #4 on: April 26, 2013, 08:18:13 AM »

Hi Kitz,

I'm also thinking it might be some kind of fishing or man in the middle.   In fact I logged in by typing 'yahoo.co.uk' into the address bar.  I have checked the browser history and there is no sign of any spelling mistakes.

That yahoo account is so rarely used that it hasn't even seen any spam, ever.   I created it as a means to access a 'group' somebody set up as a notice board for former colleagues, but the only thing I use the mail for is to prove receipt when I make any changes to other accounts.  Yesterday I tweaked a google apps account then posted a test message to yahoo, logged in and saw it was there, and that was that.

My Kaspersky scan on the Mac ran for many hours, but finished overnight with no nasties found.   I don't really care about the Yahoo account, but a keylogger on the Mac would be devastating.

Can't help thinking my case does so seem to be so tightly defined and recorded, amid so many other similar hackings, as to point to the possibility that yahoo's servers may be nternally compromised, or some kind of DNS redirection took place.   There is no obvious way of contacting them to tell them about it, but I guess they would probably already know, even if they didn't publicly admit it.

As an amusing aside... That Channel 4 article looked interesting, and he was inviting people affected to get in touch.   I don't do twitter ( :) ) so I sent an email to channel 4's published 'news' email adress, which was promptly returned with an error saying their mailbox was 'over its quota'. :D

edit; removed and explicit email address that I probably oughtn't have quoted  :-[
« Last Edit: April 26, 2013, 11:52:55 AM by sevenlayermuddle »
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Yahoo account hacked
« Reply #5 on: April 26, 2013, 08:44:40 AM »

Incidentally, that Channel 4 story does seem to be spot on.

My hacker's IP address was reported as 'Georgia', not entirely unrelated in my mind (notwithstanding political differences and warfare, no offence intended  :o) to what they said, 'Russian Federation'.   And they logged in via Yahoo mobile, same as in the news story, and various other reports I've seen.

The single spam that was sent to all of my contacts was a badly mis spelled 'hello' as subject, and contained a fake story about some work from home scheme with a false hyperlink ( which of course I have not clicked), similar to that described.
Logged

renluop

  • Kitizen
  • ****
  • Posts: 3326
Re: Yahoo account hacked
« Reply #6 on: April 26, 2013, 09:02:37 AM »

Not just Geotgia I'd guess. A friend, user of BT Internet "sent" me and others a similar message.
A free analyser traced apparent source to Thailand.

BTW/OT Forgetttery allowed me to forget what I used! :o
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Yahoo account hacked
« Reply #7 on: April 26, 2013, 10:15:13 AM »

Hmmm, another sinister sign...

When Composimg an email using my main mail interface, Thunderbird's IMAP, even though the mail was sent it has suddenly started asking for passwords that it should not need (it has it's own password manager).   My hunch is that is likely to just be the new kaspersky putting a spanner in the works, but it could also be something horrible.

I have pulled the lan cable (and disable wi fi), and revoked the google apps passwords that were assigned to Thunderbird while I think what to do, but I fear a complete reinstall of OS/X is the only thing that'll let me sleep at night  :(

edit: fix my garbled grammar
« Last Edit: April 26, 2013, 11:21:47 AM by sevenlayermuddle »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Yahoo account hacked
« Reply #8 on: April 26, 2013, 12:52:30 PM »

Hunch says it won't be OSX.

It's Yahoo that isn't fessing up to the cause of the problem. This is leaving everyone, including you, with headaches as to how it happened, with everyone blaming the security of their own PCs.  Best guess is that Yahoo's servers have been hacked (again).

cheers, a
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Yahoo account hacked
« Reply #9 on: April 26, 2013, 01:58:34 PM »

Hunch says it won't be OSX.

It's Yahoo that isn't fessing up to the cause of the problem. This is leaving everyone, including you, with headaches as to how it happened, with everyone blaming the security of their own PCs.  Best guess is that Yahoo's servers have been hacked (again).

cheers, a

Totally agree with your hunch, but I don't want to take any chances at all, however remote they may be.   That Mac is my iOS development machine which, if my Apps ever made any money (fat chance  :D ) would be my pension.   

I've pretty much decided on the re-install.   If nothing else it'll satisfy a long-standing curiousity as to how much grief a new machine would entail.   I'm doing a backup now of all the user data I think I'll need, let's see how much I overlook    :'(

The most precious commodity - my source code - is actually held on a separate SVN server, and mail is online at google, so in theory it should be reconstructable even if I do screw up. 
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Yahoo account hacked
« Reply #10 on: April 26, 2013, 03:13:46 PM »

You're right. Wise move!  There's no point taking the risk and just hoping for the best.  Sounds like you have it all in order!  I only use a Yahoo account for a Yahoo group/mailing list, and it's absolutely flooded with spam and various phishing scams!  Something of a bad omen!

cheers, a
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Yahoo account hacked
« Reply #11 on: April 26, 2013, 10:19:51 PM »

Hunch says it won't be OSX.

It's Yahoo that isn't fessing up to the cause of the problem. This is leaving everyone, including you, with headaches as to how it happened, with everyone blaming the security of their own PCs.  Best guess is that Yahoo's servers have been hacked (again).

cheers, a

I would wholeheartedly agree.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

HPsauce

  • Helpful
  • Kitizen
  • *
  • Posts: 2606
Re: Yahoo account hacked
« Reply #12 on: April 26, 2013, 10:26:08 PM »

I don't know what's going on but several of my customers have had problems with Yahoo in recent days.
The worst was a new (well recent, live for some weeks now) BT internet customer whose email account was just not set up by Yahoo.
It took over an hour on the phone by me (they're in their 80's) to sort out a new email account and link it to their BT account; the one allocated and notified to them by BT never was set up. No explanation, no apology, no compensation.  >:D
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Yahoo account hacked
« Reply #13 on: April 26, 2013, 10:42:56 PM »

Pondering these events during a long soak in the bath, another factor crystalised.

Many of the news stories talked of how this hacker deleted the contacts list after the attack.  That did not happen in my case; when I logged in to investigate about 7 hours after the hack, the first thing I did was to check my contacts to see if it had changed.   It hadn't, just four different addresses for myself, as expected.

But another few hours later, the prophecy was fulfilled, my contacts list was empty.

One possible explanation for this would be that Yahoo are actively monitoring for evidence of this hacker and, after they detect his/her exploits, they themselves may be actively deleting users' contact lists to thwart any repeated spam releases.   That would be significant, as it would imply Yahoo are more aware of the whole issue, and more troubled by it, than has been apparent in most of their press releases.   :hmm:
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Yahoo account hacked
« Reply #14 on: April 26, 2013, 11:21:58 PM »

>>> they themselves may be actively deleting users' contact lists to thwart any repeated spam releases

I dont think that they would do that...  especially since this is part of the original exploit anyhow.  :no:

I really do think Yahoo has a much more serious problem than they care to admit.   Last nite when I was googling, I came across the actual source code that the hacker had written, it was late and I didnt pursue any further, aside from a quick scan.    As mentioned I didnt look properly, but I wouldnt be surprised if somehow the session data was being compromised.   This could also explain why the contacts disappeared later... ie when the session expired...  it is about the only way I can think of as to how the hacker is so freely and easily getting so many passwords.

When you look at the report that came with the source, the hacker said something about how an earlier XSS exploit from a previous year had been patched.. but not properly... which allowed him to tweak his code and still gain access.   I suspect that Yahoo may have either been lazy again with a patch, or their servers are seriously compromised. (possibly both!).

Looking around the net, there does seem to be a wave of new users reporting this same problem now in April :(
« Last Edit: April 26, 2013, 11:25:53 PM by kitz »
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
Pages: [1] 2
 

anything