
    Who Hijacked Yahoo Mail?

    This morning, I emailed everyone I know to try to sell them Viagra. Ex-bosses, ex-friends, ex-random-people-that-I-met-once-in-a-cafe, and ex-girlfriends (who really don't want to hear from me, let alone buy Viagra from me).

    Sorry.

    I didn't mean to. In fact, I don't remember doing it. But the incriminating evidence is sitting in my Yahoo "Sent Mail" folder. Six emails sent collectively to everyone in my contacts list between 10:09 and 10:10 am. All hawking Viagra.

    How could this have happened? After several hours of research and several more hours of head scratching, not including a quick lunch break, three bathroom trips (#1, #1, #2), and half-an-hour to figure out how to change my email password, I've narrowed it down to five possibilities:

    1. My computer has a virus. This might seem like the most likely possibility, since the newly discovered Kneber bot apparently loves to steal Yahoo email passwords. But the Kneber bot targets PCs, and I have a Mac. Moreover, the only known Mac OS X virus is a pathetic iChat trojan horse that wouldn't recognize a Yahoo email password if you tweeted, "Hey virus, my yahoo email password is onenutgenghis73."

    2. I got hacked. Unlikely, since I don't give my password out and certainly don't publish it on the Internet where some Viagra-spammer could find it. Plus, it has numbers and other confusing things in it.

    3. Yahoo got hacked. Possible, especially since my Mac-owning ex-girlfriend also tried to sell me Viagra last week via Yahoo mail. But you'd think that Yahoo getting hacked would be all over the news, and I've found nothing so far.

    4. I checked my email from an infected PC. In all seriousness, this seems the most probable cause, given the Kneber bot's password-stealing proclivities, even though I rarely check email from other computers.

    5. I was drunk. Possible but unlikely, even for me, at 10 in the morning. Hawking Viagra would also be atypical behavior for me while drunk. Had my emails included pictures of my head photoshopped onto the bodies of various celebrities, porn stars, and furry animals, it would be a different matter.

    So the mystery continues. If your email or facebook account has been hacked recently, please speak up in the comments so that we can get to the bottom of this.

    And if you just want Viagra, please send me a private comment. I'll add you to my contact list.

    ------------------------------------------------------------------------------------------------

    Update 9/20/10: I wrote this article in February 2010. Since then, it has been read by over 35,000 people, making it the most popular article in the history of this blog. Clearly, Yahoo suffered and perhaps continues to suffer from major security breaches which the company has yet to acknowledge. For speculation about the source of the breach and tips for protecting yourself, keep scrolling. (And if you're into left-leaning American politics, please check out our home page: http://dagblog.com.)

    ------------------------------------------------------------------------------------------------

    Update 5/29/10: Commenter Spagnonymous found an article from SC Magazine that points to the likely source of the security breach:

    9/21/09 A widespread brute-force attack against Yahoo email users aims to obtain login credentials and then use the hijacked accounts for spamming, a researcher at Breach Security disclosed last week.

    ------------------------------------------------------------------------------------------------

    Update 5/29/10: I'm going to share the recommendations from Jeannette below. Some of these might be overkill. I have had no issue with any Yahoo services besides email. But at the very least, I recommend deleting your online contacts.

    If you still want to keep your Yahoo account open for some reason, here are some precautions:

    --Strip the account of your personal info. Real name, address, anything. Birthday. Really poke around in Yahoo. You may be surprised at the information you have given them.

    --See what security questions you've given Yahoo. Change them to inaccurate answers and write them down somewhere so you don't forget.

    --Strip the account of all folders, inbox, sent emails, drafts, everything. You don't want them having the verification code for your Gmail account, or worse.

    --Double delete your contacts. Even if deleted, they are still there. Poke around in the contacts pane.

    --Did you ever pay Yahoo for anything? Mail Plus? Personals? Pay Flickr Pro through Yahoo? Then you have a Yahoo Wallet. This is bad. Find it and strip it of credit card info.

    --Um, you don't have Yahoo Paypal Checkout or Yahoo Express Checkout through My Yahoo, do you? Well, now they do, too.

    --What email address did you give Yahoo as your password recovery address? Is that a secure provider? Does that account have a unique, very strong password?

    ------------------------------------------------------------------------------------------------

    Update 3/12/10: So I've been going back and forth with Yahoo Customer Care to try to find out how my account was hacked. I faxed them written permission, answered security questions, etc. Customer Care then accessed my account and did nothing but reset my password. That's a bit strange in itself because I'm sure that Yahoo doesn't need written permission to reset a password.

    In any case, I was looking for information, not a password reset, so I explained, again, that I wanted to find out how my account had been hacked and requested any information that they had.

    Now here's the punchline--they won't tell me. To get information about my own account, I have to go through the legal department, and it may require a subpoena. This is starting to smell.

    I'm going to get some legal advice and will follow up when I get more information. The edited email chain is below.

    --------------------------------

    Hello, Michael

    We'd like to apologize for any inconvenience that has been caused while
    you help us verify the information that is listed on your account.

    We've created a temporary password which will help you regain access
    right away!

    Your new password is: ***************

    Again, we do apologize for the inconvenience this situation has caused.
    Please let us know if there's anything else we can do.

    Your patience is greatly appreciated.

    Thank you again for contacting Yahoo! Account Services.

    Regards,
    Jake

    Account Security E2ENG

    Yahoo! Customer Care

    New and Improved Yahoo! Mail - better than ever!

    --------------------------------

    Hello, Jake. Thank you for looking into my problem. However, resetting  
    my password was not the issue. I did that myself as soon as I realized  
    that my account had been compromised.

    I contacted Yahoo to determine how my account had been hijacked in  
    order to make sure that my information is safe. Were you able to  
    determine how the hackers gained access to my account? As I mentioned  
    in my email, I use a Mac, and I don't believe that there are any Mac  
    viruses that can capture passwords from keystrokes.

    Thanks,
    Mike

    --------------------------------

    Hello Mike,

    Thank you for contacting Yahoo! Customer Care.

    We apologize for the previous misunderstanding.

    It is our understanding that you would like information from Yahoo!
    regarding access to your account.

    State and Federal laws strictly limit the information that online
    service providers, like Yahoo!, may disclose about subscribers. If you
    are seeking to obtain account information on a specific subscriber, we
    will need a subpoena or a court order.

    If you have obtained a subpoena or a court order for the release of
    information, please mail it to:

    Yahoo! Custodian of Records
    701 First Avenue
    Sunnyvale, CA 94089

    Thank you again for contacting Yahoo! Customer Care.

    Regards,

    Jane

    Yahoo! Customer Care

    New and Improved Yahoo! Mail - better than ever!

    --------------------------------

    Hello Jane, I'm very confused now. I asked for information about only  
    my own account. My mail account was used by a third party to send  
    soliciting emails without my knowledge or consent. I would like to  
    know how a third party gained access to my account so that I can  
    protect myself from the loss of privacy. I am a paying yahoo customer,  
    and I think it's reasonable to request any information you have about  
    how my account was hijacked without my having to obtain a subpoena.

    Thank you for your assistance,

    Mike

    --------------------------------

    Hello Mike,

    Thank you for writing to Yahoo! Account Services.

    We'd like to apologize for any inconvenience that our process for
    attaining the information you've requested may cause.

    If you would like to attain access logs and activity records for your
    own account, we will need you to contact our Yahoo! Custodian of Records
    department. Unfortunately, our Yahoo! Account Security team does not
    have access to these records.

    To disclose log information and access data, we may require a subpoena
    or other legal documentation. Send all such requests in writing to:

    Yahoo! Custodian of Records
    701 First Avenue
    Sunnyvale, CA 94089-1019

    For information regarding subpoenas or court orders, please call:

    (408) 349-3687

    If you prefer, you may fax questions to the Yahoo! legal department at:

    (408) 349-7941

    or submit them to us by mail to:

    Yahoo! Inc.
    Attn: Legal Department
    701 First Avenue
    Sunnyvale, CA 94089

    Again, we do apologize for the inconvenience this situation has caused.
    Please let us know if there's anything else we can do.

    Your patience is greatly appreciated.

    Thank you again for contacting Yahoo! Account Services.

    Regards,

    Jake

    Account Security E2Y

    Yahoo! Customer Care

    New and Improved Yahoo! Mail - better than ever!

    ------------------------------------------------------------------------------------------------

    Update 5/29/10: I filed a complaint with the Better Business Bureau in San Jose, CA. That didn't get me anywhere either. But here it is for your reading pleasure.

    Complaint Summary

    My paid email account was hijacked by a third party. Yahoo will provide no information to me about how the hijacking occurred.

    Resolution Sought

    I would like Yahoo to provide me any information that it has on how a third party obtained access to my email account, whether my private data has been compromised, and how I can protect myself from a similar attack in the future.

    Company's Initial Response - Posted 04/29/2010

    We understand that you would like to know how your account was accessed. To disclose log information and access data, we may require a subpoena or other legal documentation. Send all such requests in writing to:

    Yahoo! Custodian of Records
    701 First Avenue
    Sunnyvale, CA 94089-1019

    If you are concerned about safeguarding the privacy and security of your Yahoo! account, please refer to the following guidelines:

    * Always sign out when you are finished using your account. This is especially important if you use a public or shared computer. To sign out of your account, click the "Sign Out" link, located at the top of the page. (If you have clicked on the "Remember my ID on this computer" box, signing out will disable that option.) You may also want to completely exit the browser you have been using.

    * Choose your password wisely. Choose a Yahoo! password which you will remember, but which cannot be easily guessed, even by those who know you. It is very important to keep your password private at all times. Use a complex password that is a mixture of upper and lowercase letters, numbers, and symbols.

    * Change your password when necessary. If, at any time, you become concerned about the security of your password, you can always change it online. Just sign in to your Yahoo! account, and click on the "Account Info" or "My Account" link, located at the top of most pages you visit at Yahoo!. Re-enter your password to continue, and click on the "Change Password" link on your Account Information page. You will then be asked to enter your current password, a new password, and then to confirm your new password. Once you've filled in these fields, click the "Save" button to put the change into effect.

    * Choose your Security Question and Secret Answer wisely. If you gave us a Security Question and Secret Answer during registration, be sure that you have chosen a Secret Answer that you will definitely remember, but which will also be difficult for others to guess from your Security Question. (Remember, it's possible for anyone who knows your Yahoo! ID, birthday, and ZIP/Postal code to see what your Security Question is.)

    * You can update your Security Questions and Secret Answers by accessing your "Account Information" page.
    1. Sign into your Yahoo! account.
    2. Click on your name at the top of the page and select "Account Info" from the pull-down list. You will be required to verify your current password.
    3. Under "Sign-In and Security," click "Update password - reset info."
    4. You can choose one of the security questions we have made available or you can choose your own.
    5. Be sure to click "Save" after you have provided your new information.

    Please note that:
    - The security questions must be 5 to 100 characters in length, and may only contain letters and numbers.
    - The answers to your questions must be 4 to 32 characters in length, and may only contain letters and numbers.
    - The security question cannot contain the answer.
    - The security questions cannot be the same.
    - The answers to your two security questions cannot be the same.

    * Clear your browser's cache. Doing this will remove the possibility that another user on the same computer could use the browser's "Back" button or "History" function to view any of the contents of your account.

    Please note: Your Yahoo! ID and password are your own confidential information. No Yahoo! employee will ever ask you for your password in an unsolicited phone call or email message. If you are ever asked for your password in an unsolicited manner, or by someone you do not believe to be a representative of Yahoo!, please do not share your password with them, and ask them the reason for asking.

    For additional information on ways to protect your information online, please visit the Yahoo! Security Center at: http://security.yahoo.com

    Initial Response Summary

    Account access was restored to customer. Yahoo! cannot determine if any data was accessed in the account. Provided customer with security tips.

    Consumer's Rebuttal - Posted 05/06/2010

    This response is unsatisfactory and offers nothing that I have not already been told by Yahoo Customer Care. The generic security tips are available on Yahoo's website. My password and secret answers already follow their recommendations. Therefore, the information provides me no assistance in avoiding a similar event in the future. Furthermore, since Yahoo has provided no information about the manner in which the account was accessed, I cannot ascertain whether the hackers were able to access my private data other than my contacts list. Yahoo reiterated that I must file a subpoena in order to learn any information about this breach of my account, an unreasonable demand, since the cost of obtaining a subpoena is prohibitive, and I have not asked for any proprietary information about any account other than my own. Though I am a paying customer of some 10 years, Yahoo refuses to give me reasonable information to help me protect myself.

    Company's Final Response - Posted 05/07/2010

    Our previous response stands as is. Based on our investigation, there is no other information we are able to offer as to how the account was compromised. Access logs will require a subpoena.

    Comments

    This exact thing just happened to me on my yahoo account this past weekend.  I am horrified.  People are sending me emails asking me what I am sending them and why I keep sending them emails.  I tried to explain to them that I didn't send them anything.  I had looked in my spam folder and found these emails for Canadian Pharmacy and Viagra.  I had to delete all the contacts I had. I am really upset.  I don't understand how this can happen!!  I had a very secure password.  I couldn't even get into my account when I tried I had to mark it as compromised and change the password again.  This is crazy! People don't even believe me when I say I didn't email them.

    Jill


    I find this hilarious. Everyone I know who has a Yahoo account has had it hacked in the last six months, and I've never had my GMail account compromised in my life. 

    My wife, like you, was exclusively accessing her yahoo through a mac, and one of the other people I know of who had the problem is a fellow senior IT engineer at my network firm.

    Yahoo has a problem, all right.


     

    Happened to me for the first time that I know of - and it's Feb 2012 now!
     
    No idea how they hacked in, but I understand there are a myriad of avenues.
     
    My contacts in my Yahoo contacts list get spammed - consisting of just a spam link. The sent spam is sitting in my Yahoo sent folder. There's even one in my drafts folder. Yahoo "Recent Login Activity" shows login by the hacker bots about just once a week via "Yahoo Mobile" rather than using a "browser" - from networks of overseas countries (probably via proxy) such as Colombia, Germany and Brazil.
     
    I've found out on the Web that Gmail accounts have been hacked in the same way.


    Received this PM.
    source is 46.204.91.169 in Poland
    See whois below


    Received: from [46.204.91.169] by web36107.mail.mud.yahoo.com via HTTP; Tue, 07 Feb 2012 14:22:56 PST

    X-Mailer: YahooMailWebService/0.8.116.33153
    7
    Message-ID: <[email protected]>
    Date: Tue, 7 Feb 2012 14:22:56 -0800 (PST)



    It is very unsettling to see this same attack has happened over and over and over again and still Yahoo has not accepted any responsibility. It is as if they are saying "complain all you want, if you don't like us leave. We are so big and popular that we will just laugh all your complaints off all the way to the bank." Hackers or no, as long as we keep putting up with crappy service (and you all know Yahoo really has a problem with customer service), they will continue to avoid any expense of rectifying any of these issues.


    I'm so happy I found this article. I have had Yahoo for over 10 years and last night had something similar happen. I had only checked my email from my phone and my work email...whereas the email "spam" was sent out overnight/early this morning. I started contacting friends to let them know and found out a few other Yahoo users had this happen to them. So whatever the issue with Yahoo security is, it hasn't gotten addressed. It is still a problem over 2 years later. I deleted my account. That was an incredibly embarrassing situation. Oh, it wasn't advertising Viagra. It was something else (winning/making $ or something)...and the email login originated in Germany.

    My parents are Mac users, and they too have this issue where their Yahoo mail account has been sending out spam on their behalf. We tried changing passwords; that worked for a while but it came back. I've checked their Mac for viruses, found none. Not sure how this issue is occurring.


    I too fell for this trap and everyone in my yahoo email address book was sent the same message after I had gone to bed.  It happened on May 22, and I only found out about it the next day when coworkers alerted me to it.

    I traced the original email to one I had gotten from a  friend the night before.  The email  was titled "HEY" and I opened it around 10 pm May 22, 2012.  It contained nothing else but a link to an article at ww.inews15tn.net/jobs (WARNING: I believe inews.net is the problem, DON'T GO THERE or click any link to it or you could get hacked too. I just checked the 8 emails sent by the hack and they all contain slightly different links like inews115ta or inews15wn, but all being a variation of ww.inews.net).

    So, stupidly without suspecting anything malicious, I clicked the link from within that yahoo email and it contained an article about making money at home which I read.  I then shut down my computer around 11pm that night and went to bed. The next day ,May 23, at 9am is when I was told by coworkers of my strange emails to them. 

    I immediately checked my Yahoo sent folder and saw my account had sent 8 email messages all titled "HELLO" ,all at 11:24pm May 22, and spread out amongst the people in my address book. Thank goodness the hacker wasn't smart enough to delete these messages from my sent folder.  Today, May 28, I checked my Yahoo recent sign-in activity, however, the info only went as far back as May 24.  I should have checked sooner, but I too just discovered this informative blog.

    As far as my response to this email hack.  On May 23, I copied & pasted all the names from those 8 bogus emails and sent them all warnings to delete any email from me titled  "HELLO" and especially not to click the link at the bottom of the email if they had already opened it.  Since I don't have an antivirus program, I downloaded and ran AVG antivirus.  It detected about 5 Trojan Horse viruses.  Since I had already changed my Yahoo password a few days ago, I decided to change it again after AVG removed those viruses.

    I have since investigated the suspect URL by right-clicking it and selecting Inspect Element, and then clicking HTML.  Near the bottom, this line intrigues me:

    form id=metaform , action=http//f1606.mail.yahoo.com/80ws/mail.....appid=YahooMailClassic&wsid...

    My question to you computer experts out there is who is f1606? And is this type of hack more susceptible to people, including myself, who use Yahoo Mail classic?


    Hello, Mike! We are happy to inform you that here at Yahoo, we have received a new shipment of Viagra. So now there is no limitation on how many pills you can order for yourself or to share with all your email contacts including ex-girlfriends.

    Yahoo has always been proud of its customer service. Please let us know if you are interested in other products, pills extending your arms, whatever.

    Also, since you are a paying customer we would like to inform you of extra security measures we take now for your safety.    From now on, if you want to check your outstanding balance you will have to provide a court subpoena. Or simply wait for notices from a collection agency. We hope you will find this as a minor inconvenience.  

    Jane
    Yahoo! Customer Care

    New and Improved Yahoo! Mail - better than ever! ever, ever, ever...

     


    I've skimmed through all the responses here and am surprised to see that no one has mentioned the Yahoo account info where you can check locations logged in from. From all the accounts I've seen which have been hacked, you'll find an entry from Romania, Vietnam, Mexico, or another obviously unusual location. To get to this, log into my.yahoo.com, click on your login name near the upper left and choose "account info", then click "View your recent sign-in activity". It's astonishing that Yahoo isn't putting extra security in place when a login occurs from someplace never before logged in, especially when it's simultaneous or in close proximity to a login from the usual location.
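    The check this commenter describes, turned into a rule a provider or an account owner could run over a "recent sign-in activity" list. This is an added example, not code from the post or from Yahoo; the sign-in records, the owner's baseline and the time window are constructed.

```python
"""Flag sign-ins from a never-seen country, from a never-used client type,
and pairs of sign-ins too close in time to be the same traveller."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    when: datetime   # sign-in time (treated as UTC)
    country: str     # country code as shown in the activity list
    client: str      # e.g. "Browser" or "Yahoo Mobile"


# Constructed baseline: the owner only ever uses a browser from the US.
BASELINE_COUNTRIES = {"US"}
BASELINE_CLIENTS = {"Browser"}

# Constructed activity list modelled on the pattern commenters report:
# roughly weekly logins via "Yahoo Mobile" from countries the owner never visits,
# plus one login from abroad minutes after the owner's own session.
SAMPLE_ACTIVITY = [
    SignIn(datetime(2012, 2, 7, 14, 0), "US", "Browser"),
    SignIn(datetime(2012, 2, 7, 14, 22), "PL", "Browser"),
    SignIn(datetime(2012, 2, 14, 3, 5), "CO", "Yahoo Mobile"),
    SignIn(datetime(2012, 2, 21, 2, 48), "DE", "Yahoo Mobile"),
    SignIn(datetime(2012, 2, 21, 9, 30), "US", "Browser"),
]


def new_location_logins(activity, baseline_countries):
    """Sign-ins from a country absent from the owner's baseline."""
    return [s for s in activity if s.country not in baseline_countries]


def new_client_logins(activity, baseline_clients):
    """Sign-ins through a client type the owner has never used (the comments
    describe hijackers using 'Yahoo Mobile' on browser-only accounts)."""
    return [s for s in activity if s.client not in baseline_clients]


def impossible_travel(activity, window=timedelta(hours=2)):
    """Consecutive sign-ins from different countries closer together than the
    window. A fixed window stands in for a real distance/speed estimate; that
    simplification is an assumption of this example."""
    ordered = sorted(activity, key=lambda s: s.when)
    return [(a, b) for a, b in zip(ordered, ordered[1:])
            if a.country != b.country and b.when - a.when <= window]


def triage(activity, baseline_countries=BASELINE_COUNTRIES,
           baseline_clients=BASELINE_CLIENTS):
    """Summarise what an account owner should act on (password reset, session
    revocation, contact-list cleanup) rather than just print."""
    return {
        "new_country": sorted({s.country for s in
                               new_location_logins(activity, baseline_countries)}),
        "new_client": sorted({s.client for s in
                              new_client_logins(activity, baseline_clients)}),
        "impossible_travel": len(impossible_travel(activity)),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_ACTIVITY).items():
        print(f"{k}: {v}")
    for a, b in impossible_travel(SAMPLE_ACTIVITY):
        print(f"{a.country} at {a.when} then {b.country} at {b.when}")
```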


    This issue is driving me nuts. I too have a Mac and mainly get spam emails from my own email address, though sometimes the email does go out to others. I've had this address for 8 years and it's linked to business and personal stuff, so I don't want to delete it. I've run every virus software I can, changed passwords a dozen times, checked the login locations (nothing fishy there), and can only think they have a key logger or alternatively they're just sending email using my email address because it's not actually going FROM my account. In other words, these emails aren't in my outbox; it's just that they've hijacked my email name. Regardless, they suck, I hate them - whoever they are. :(


    Hi, Mike,

    This is extremely helpful. I've been having this issue. Here's what I know:

    1 (800) 318-0631 is the Yahoo! help # I called. Ironically I think I spoke to "Jake." Approximately 1-2 mo ago. 

    He said there's known malware going after yahoo mail accounts. If you don't log out at night, they access your security questions. 

     

    I have only one PC. So I replaced it with another Mac. 
     
    Still had the problem. 

    Ran ClamXav and did find one on my oldest ('06) MacBook. Quarantined it. 

    Temporarily helped. 

    Read up and found you should delete Java (which is not same as JavaScript). 

    Apparently, this software isn't necessary and is the easiest way for letting in  malware on a Mac. AND, while java7 is supposed to fix that you have to have a 64-bit browser. Chrome is only 32. 

    I deleted Java off the new Mac. Need to check the old one and another one. 

    However, I only have this problem after I email from the old Mac --the one where I found malware. So there may be more malware there. 

    I am going to delete Norton anything off all my Macs. Others are right. It only hurts. 

    I'm going to delete all Java (not JavaScript) apps on every computer I own.

    BUT I WILL NEVER DELETE THE YAHOO ACCOUNT. 

    Why? Yahoo is recycling old addresses. So anyone who sends anything to your account  (bc they don't have your new email) will be sending it to the NEW owner of your recycled email address. 

    If it comes to it, I will forward to another email while I arrange to change every place I've ordered from, etc., to go to my new NON yahoo address. 

    Some of my hacked recipients were not saved as contacts, so that won't help. 

    I am considering rewriting the oldest ('06) Mac's hard drive. I will if the other steps don't fix it.

    I hope this helps someone. It's been a nightmare. 



    Thank you, Jane. It's amazing that this is still happening 3.5 years after it hit me. Very good point about the recycled email addresses.

