Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[geep]

Hi,
Just received strange emails in my main email purporting to come from my yahoo email.
And sure enough I can see that some Argy b*****d has logged in 3 times in the last minutes and sent emails to various newsgroups and forums for which I use the yahoo account.

Have changed my password and complained to Yahoo. And what a performance that is.
My main email has a - in it, which Yahoo cheerfully accept elsewhere but not when you want to report a problem - "Illegal character" or some such rot.
And why the hell can't they ask me for a UK dd/mm/yyyy date, not US mm/dd/yyyy.
It took several attempts before I realised that error.

Rant over.
Cheers, as always,
Peter

[sevenlayermuddle]

Sympathies, Peter.

Coincidentally, today I noticed what appears to be (but might not be) a genuine email from yahoo, advertising an iPhone app for yahoo mail, with a link to find out more.

If it was genuinely from Yahoo, it would appear to suggest they think their users should sometimes trust email links.          That would then suggest to me an enourmous gulf between real world risks, and their own basic perception of online security.  That very attitude might explain why they are such easy pickings for hackers.

[geep]

Now I just received a strange email from a friend's aol.com email which I am guessing has been hacked too.
This friend is not in my hacked yahoo account address book, so I don't think it's related to my being hacked into.

I think yahoo and aol merged a while back, so I'm guessing that they both have the same email software.

The email just contains the title "hello!"  and a strange looking url which is a .php script - just like the emails that came from my yahoo account - but different url - although it is again a Argy address.
Have the Argies started a cyber war over the Falklands?

The email was copied to several other people.

Cheers,
Peter

[chrissie]

Not been on for a few days so only just seen this.  My yahoo was hacked last week and I only knew because one of the mail addresses (only had 8 in there) was spammed with a link.  Yahoo informed me by mail(!) and the log page showed hack was from Russia.  I changed the password and so far, all ok atm...but have removed all names from address book just in case.  The thing I was teed off about was THEY had changed from the old classic mail to the new one and I hate it! I know yahoo are eventually going to change it all over but I would have liked to have overseen that myself!

Must admit I'm really getting teed off with the filth out there ruining the "pleasure" of people who find the internet a wonderful thing to be able to use....this world would be great without (some) humans! 

Edited later......uggerme!  Another of my yahoo accounts has just been hacked!!!  Again containing link, luckily it was blocked from a couple of contacts seeing they were businesses...but it got thru to one of my Hotmail accounts <spit>.  How do they do this??   Yahoo picked up on this again because of "unrecognised device" used this account...so at least they knew about it but why aren't they trying to stop it all happening (or can't they?)

[kitz]

I typed a longish reply to this the other day, but because I was on the ipad and tried to add a link - it lost the whole post...  grrr.  ..   i think it went something along the lines of....

I read somewhere that very soon after 7LM reported on here, that Yahoo admitted that they had been compromised again.  As usual they didnt say too much other than change and use strong passwords.

From what I recall they admitted 'an attack on their servers' via a blackberry or iphone (one of the two, cant recall which now). 
This immediately struck me as being a bit odd, because a mobile device is certainly not what you would use to brute force passwords!  IMHO it would be more likely used to change some server settings or re-configuring some info on their servers.  To me this implies that they have some sort of backdoor into yahoo.

What Yahoo dont seem to recognise (or wont acknowledge) is that the password doesnt really seem to be the issue for many of the accounts being hacked... nor does changing password seem to resolve it...  iirc we discussed this in the other thread how this could occur.  The hackers certainly are using some sort of XSS attack based on session cookies exploiting a flaw in the Yahoo library code base.

These attacks have been going on for months, each time yahoo making tiny patches, which the hackers then seem to get around. 
Its a typical horse/stable/bolted approach where yahoo are only closing each stable door after each horse has bolted...  rather than thinking ahead and bolting each and every door before the horse gets loose.

This is getting a bit silly now and yahoo dont seem to be learning.   If it was me... I would hire the guy who discovered the exploit in the first place... and pay him to sit there and try find all the open doors... or is that too simple?

[sevenlayermuddle]

From what I recall they admitted 'an attack on their servers' via a blackberry or iphone (one of the two, cant recall which now). 

In my case there is sort of truth in that.   In the log, I saw a login at 'yahoo mobile' quickly followed by a normal login, from the same Georgia IP address.

But I didn't  think that necessarily suggested a mobile device played any part, I assumed it may just suggest that the precice vulnerability requires them for some reason to hit the mobile server before the full web server?

[chrissie]

All too technical for me  but both times Yahoo have mailed the addresses with security email saying this account was accessed by another device (or words in that vein) so they obviously know it's not from my computer but then I guess the IP gives that away anyway.

Lots of people are having problems with it - even Freecycle where spam is being sent from people's mail account.... as I say all too technical for lil ole me but one thing I do know, the ruddy internet is a whole new ball game since I "joined" some 11 yrs ago when it seemed much more secure!  Mind you, I could even be wrong on that one...someone will put me right no doubt 

[kitz]

>>> I assumed it may just suggest that the precice vulnerability requires them for some reason to hit the mobile server before the full web server?

You are probably correct. I read it a few weeks ago and cant recall the details now.

>>>  both times Yahoo have mailed the addresses with security email saying this account was accessed by another device

Curious... where did they send that mail to... ie did they send it to your 'hacked' email address?

[chrissie]

>>> I assumed it may just suggest that the precice vulnerability requires them for some reason to hit the mobile server before the full web server?

You are probably correct. I read it a few weeks ago and cant recall the details now.

>>>  both times Yahoo have mailed the addresses with security email saying this account was accessed by another device

Curious... where did they send that mail to... ie did they send it to your 'hacked' email address?

Yes both were to the hacked email addresses which I must admit I found strange at the time especially if the hackers were still able to get in when the mails were sent.  The following are part of the emails....

Hi C,  We detected a login attempt with valid password to your Yahoo! account (******) from an unrecognized device on Wed, Apr 24, 2013 12:27 PM YEKST.  Location: Russia (IP=84.254.200.92)  Note: The location is based on information from your Internet service or wireless carrier provider.

Was this you? If so, you can disregard the rest of this email.  If this wasn't you, please follow the links below to protect your Yahoo! account information from potential future account compromise:
------------------------------
Hi C,    We detected a login attempt with valid password to your Yahoo! account (*******) from an unrecognised device on Tue, May 14, 2013 15:17 ICT.   Location: Thailand (IP=118.174.115.219)

(the rest as above)

Oh!  Just checked and they sent the above to secondary email...so p'raps no big deal?

[broadstairs]

A couple of friends of mine recently had their accounts hacked as well and they were using a browser to handle all their email via webmail, not using an email client like Outlook or Thunderbird. In their cases it was suspected that an exploit in a browser or infected webpage may have allowed capture of their account details. I advised them to use an email client in future as it is generally more secure than webmail because of these browser exploits.

I would always advise that email be accessed by a client program rather than a browser as it is generally much safer. Of course if the problem was Yahoo servers being hacked then this will not prevent the problem.

Stuart

[sevenlayermuddle]

Hi C,  We detected a login attempt with valid password to your Yahoo! account (******)

Personally, I'd say that was BS.

It's highly unlikely anybody used your password, they simply used an exploit that allowed them to steal your session.

Sorry if that sounds confusing, the distinction is (what follows is my Opinion)...

1) Don't assume, as Yahoo! would infer, it's your own fault for choosing a weak password.
and
2) The hackers very likely never did know your password, they simply 'tricked' the servers to impersonate you after you've already logged in.  So changing it is optional - though you certainly ought to do so, as it will do no harm and you can never be sure.
and
3) Don't assume, as Yahoo! might infer, that a different, stronger, password will stop the same thing happening tomorrow.   
and
4) This is ALL Yahoo!'s fault, not yours.

[kitz]

Totally agree 7LM ^


Btw.. found this which contains some interesting info about the XSS attack type on Yahoo....



 and also this

The vulnerability apparently came about because Yahoo failed to keep its blog software up to date - a widely recognised security hole on the Yahoo sub-domain, developer.yahoo.com, which had been around for almost nine months.

.../snip/...

The security hole allowed the hackers to plant a script on the developer site that could read the Yahoo login cookie from any browser, anywhere, which would then be sent ''home'' to the hacker, Mr Matthews says.

With access to those details, full control meant the victim's Yahoo - and YahooXtra - email accounts were at their mercy. All a customer had to do to be vulnerable was log in to Yahoo or YahooXtra in the past year and tick the ''remember me'' password box. It made no difference if the account hadn't been used in months.


.../snip/....

''Contrary to reports, changing your password really isn't going to help in this case [although it may have killed the cookie depending on Yahoo's setup] and updating virus protection wouldn't help either.

So just imagine the mess if someone was able to use the above exploit and have extended Abyssec's mention of a non click  method.

There are way too many people reporting not having clicked anything...  the constant wave of attacks each and every month - despite members changing passwords...  means that Yahoo appear to have a very serious issue on their hands.

Ironically this could have been avoided if they had done any of the following

1. Yahoo had kept their software up to date
2. They tackled the exploits correctly instead of patching up with sticky tape.
3. They offered a 'bounty scheme' whereby the hacker could have got say $1000 for reporting it... rather than selling it on the black hat market.

[sheddyian]

Yesterday I returned two repaired computers to a friend, she told me she'd recently received spam email from two different friends/relatives, and did this mean that their computers had a virus? 

I asked if they were Yahoo mail accounts,and it turned out they were.

One of the accounts she knew the password for, because she'd set it up originally, so we logged on, and were prompted by Yahoo that unusual activity had been detected, and we had to change the password.  This we did.

When we looked at the account activity, it had been logged into via mobile phone and then immediately afterwards/at the same time via web interface.  The mobile log in and the web login were from two different foreign countries.  A bit later there was a 3rd login from a 3rd country.

I regret that I didn't take notes, but I believe the countries involved were Russia,  Turkey and Venezuela, but I might be remembering wrongly.

Anyway, this is just a note to say the hacking is still going on - these logins were 2 or 3 days ago.

Ian