Yahoo Mail Hacked Again – Serious Questions Raised About Its Ability to Protect Users

Still reeling from a major security breach last month, a fresh report claims that hundreds of Yahoo email accounts have been hacked for the fourth time in as many months, raising serious doubts about the email provider’s ability to protect its customers’ accounts from cybercriminals and malicious spam.

The report comes from the UK’s Channel 4 News, which says that dozens of Yahoo users have complained that their email accounts are still being compromised in exactly the same way as they were during last month’s breach. The hackers, who are believed to be based in Russia, employ a technique that exploits a cross-site scripting (XSS) vulnerability in Yahoo’s email service, hijacking dozens of user accounts and using them to distribute spam across the web.
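The article only says that the attackers abused a cross-site scripting flaw in the webmail service; it does not say where the flaw sat. The classic place for such a bug in a webmail client is the rendering of sender-controlled HTML, so the following is an added example (not Yahoo code, and not from the article) of the defensive pattern: an allowlist sanitizer that rebuilds a message body from a small set of permitted tags and attributes, drops script blocks and event handlers, and re-escapes all text. The tag allowlist, the sample message and the `sanitize_message_html` name are this example's own assumptions.

```python
import html
from html.parser import HTMLParser

# Tags and attributes this example's webmail renderer permits in a message body.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class MessageSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allowlisted tags and attributes.

    Text nodes are re-escaped on output, so nothing the sender wrote can reach
    the page as markup; event-handler attributes never appear in the allowlist.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself but keep any text it wrapped
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                # Only http(s)/mailto links survive; javascript: and data: URLs are dropped.
                if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                    continue
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(html.escape(data, quote=True))


def sanitize_message_html(fragment: str) -> str:
    """Return a version of the fragment that contains only allowlisted markup."""
    parser = MessageSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample message (not a real captured email): a legitimate link
# mixed with the kinds of markup a sender must never be allowed to execute.
SAMPLE_BODY = (
    '<p>Hi, see <a href="https://example.com/report">report</a></p>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<script>alert(1)</script><b onclick="alert(1)">bold</b> 1 &lt; 2'
)

if __name__ == "__main__":
    print(sanitize_message_html(SAMPLE_BODY))
```

The point of rebuilding from an allowlist rather than stripping known-bad patterns is that the output can only ever contain what the renderer deliberately chose to emit; a missed attack variant degrades to plain text instead of executing.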

The attacks may even have begun as early as January – back then, The Register reported on a similar breach involving the same XSS vulnerability that Yahoo later claimed to have fixed:

“The cross-site scripting vulnerability that we have identified on Friday was fixed the same day,” a Yahoo spokesperson said at the time. “We can confirm that we’ve now fixed the vulnerability on all versions of the site.”

As it turned out, Yahoo’s efforts failed to deter the hackers for long, with the security firm BitDefender warning in February of what it described as a ‘separate attack’ that took advantage of a buggy version of WordPress on the Yahoo Developers Blog, as well as cross-site scripting flaws and malicious JavaScript. Somewhat embarrassed by the recurring problem, Yahoo was less than forthcoming, merely saying that it was experiencing an XSS problem again. The company failed to confirm or deny if February’s problem was related to the January hacks.

This was followed by the incident in March, during which dozens of Yahoo customers complained of their accounts being hijacked, with spam being sent to their contacts and their passwords changed, locking them out of their accounts.

Speaking to The Register in March, a source from inside Yahoo elaborated on the company’s problems:

“Lots of Yahoo! Mail accounts were broken into last week by computers all over the world. It seems a botnet was used to do it. The hackers might have accessed some of the accounts through Apple iPhone’s Yahoo! Mail app, as account security logs show that as one of the hack entry points.”

Yahoo’s next move was to team up with BT, the UK’s largest telecommunications operator, in an attempt to resolve the problems, yet even now the company is still receiving complaints from its users, who claim their accounts are being hacked again and again.

One user told Channel 4 News:

“My mother’s Yahoo! Mail account has been compromised today 25th April 2013. I am very concerned about this – fortunately I have enough knowledge to know not to click on the link but others in her address book may not. This is not acceptable from companies who are making millions of pounds but are leaving their customers in a very vulnerable position.”

Channel 4 News reports that the hackers are still following the same pattern as in previous breaches: logging into the mobile version of Yahoo’s email client, immediately logging into the same account through a regular browser, and then using the hijacked account to send out spam emails advertising a get-rich-quick scheme.
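The sequence described above (a mobile login, a browser login to the same account moments later, then a burst of outbound mail) is exactly the kind of pattern a mail provider's security team can look for in its own authentication and sending logs. The following is an added example, not code from the article or from Yahoo, of a small detector run over a constructed log in an assumed key=value format. The field names, the time windows, the recipient threshold, the account names and the IP addresses (RFC 5737 documentation ranges) are all this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str        # "login" or "send"
    client: str      # "mobile" or "web"
    ip: str
    recipients: int = 0


# Constructed sample log (not real provider data). Account "alice" shows the
# pattern from the article; account "bob" is ordinary activity.
RAW_LOG = """\
2013-04-25T09:00:01 acct=alice kind=login client=mobile ip=198.51.100.7
2013-04-25T09:00:44 acct=alice kind=login client=web ip=203.0.113.9
2013-04-25T09:01:10 acct=alice kind=send client=web ip=203.0.113.9 recipients=48
2013-04-25T09:01:31 acct=alice kind=send client=web ip=203.0.113.9 recipients=52
2013-04-25T09:05:00 acct=bob kind=login client=web ip=192.0.2.20
2013-04-25T09:06:12 acct=bob kind=send client=web ip=192.0.2.20 recipients=2
"""


def parse_log(text: str) -> list:
    """Parse the assumed 'timestamp key=value ...' line format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append(Event(ts, fields["acct"], fields["kind"], fields["client"],
                            fields["ip"], int(fields.get("recipients", 0))))
    return events


def find_suspect_accounts(events, login_window=timedelta(minutes=5),
                          send_window=timedelta(minutes=10), recipient_threshold=40):
    """Flag accounts where a mobile login is followed within login_window by a
    web login from a different IP, and that web session then addresses at least
    recipient_threshold recipients within send_window."""
    by_account = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    flagged = {}
    for acct, evs in by_account.items():
        for i, mobile in enumerate(evs):
            if mobile.kind != "login" or mobile.client != "mobile":
                continue
            for web in evs[i + 1:]:
                if web.ts - mobile.ts > login_window:
                    break  # too late to count as "immediately" after the mobile login
                if web.kind == "login" and web.client == "web" and web.ip != mobile.ip:
                    sent = sum(s.recipients for s in evs
                               if s.kind == "send" and s.ip == web.ip
                               and web.ts <= s.ts <= web.ts + send_window)
                    if sent >= recipient_threshold:
                        flagged[acct] = {"mobile_ip": mobile.ip, "web_ip": web.ip,
                                         "recipients": sent}
                    break
    return flagged


if __name__ == "__main__":
    for acct, detail in find_suspect_accounts(parse_log(RAW_LOG)).items():
        print(acct, detail)
```

A rule like this is a triage signal rather than proof of compromise: the natural response is to invalidate the account's sessions and force a re-authentication, which also addresses the complaint later in the article that a password change alone did not end the intruder's access.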

In response to these latest complaints, Yahoo blurted out the same statement as it did last March, assuring people that it takes “data protection very seriously”, and that it will prompt users to change their passwords if it detects anything suspicious.

However, some users have complained that this solution just isn’t working. At least one person told Channel 4 News that their account was still being accessed even after they had changed their password.

“I changed my password, set up the second stage verification log in and have set up a sign-in seal but still my browser is logged in by someone in the Netherlands as we speak!!”

When questioned by Channel 4 News about whether its security settings were also being bypassed by the hackers, Yahoo refused to comment on the matter.

[Update]

SiliconANGLE has spent the last two weeks trying to speak to a Yahoo representative about this matter, sadly to no avail. For anyone seeking help to reduce the risk of these attacks, read my next post, How To Protect Your Yahoo Mail Against Hackers. Alternatively, learn how to switch email providers quickly and easily (keeping all your contacts, old messages and addresses intact) in my new post here.

Mike Wheatley

Mike Wheatley is a senior staff writer at SiliconANGLE. He loves to write about Big Data and the Internet of Things, and explore how these technologies are evolving and helping businesses to become more agile.

Before joining SiliconANGLE, Mike was an editor at Argophilia Travel News, an occasional contributor to The Epoch Times, and has also dabbled in SEO and social media marketing. He usually bases himself in Bangkok, Thailand, though he can often be found roaming through the jungles or chilling on a beach.

Got a news story or tip? Email Mike@SiliconANGLE.com.

18 Comments

  1. @Mike_Wheatley  @RogMolina  yes, but should i change who to?

  2. now what do i do?

  3. @RogMolina time for a change perhaps?

  4. @rlmolina @RogMolina Well, the obvious choice would be Gmail or Outlook.com, but if you’re not a fan of Google or Microsoft there are alternatives. Off the top of my head I’d suggest Zoho, Yandex Mail or even download the Thunderbird email client and create an account with them. I’ve used them all before at one time or another, they seem pretty solid. Of course no one is 100% secure from these kinds of hacks!

  5. @Mike_Wheatley  @rlmolina  @RogMolina 
    thank you very much. i’m not a fan of chrome; i downloaded a virus when i downloaded the program, i really appreciate the information.

  6. @rlmolina @RogMolina Same here, I dislike chrome and google in general, but that’s another story :-)
    Anyway, happy to help, hope you can find a more secure alternative.

  7. @rlmolina  @Mike_Wheatley  @RogMolina 
    Chrome is a web browser like internet explorer or firefox, it is distinct from google’s gmail service, signing up for a googlemail account is a very good move and doesn’t require you to make use of chrome. Yahoo are a throwback which unfortunately a lot of us had completely forgotten about, leaving less technically capable users in an unfortunate situation of being pretty much the only ones exposed to exploits targeted at their mail system. Rest assured that if anything of this sort happened to gmail there’d be absolute uproar and massive publicity.

  8. Make sure you explain to me that you’re going to preserve this up! Its so very good and so critical. I cant wait around to read much more from you. I just feel like you know so a lot and know how to make men and women listen to what you have to say. This website is just as well amazing to be skipped. Great things, really. You should, You should keep it up!

  9. Hi there, I was really encouraged to uncover this internet site. The purpose becoming that this is these kinds of an useful submit.Genuinely great blog keep it up.

  10. Don’t know if this is part of the ‘hacking’ going on, but for the past week, I haven’t been able to access the Yahoo Mail Server on my computer at work – no matter what browser I use. Strangely enough I have no problem getting Yahoo Mail on my cell phone, however. After all the security breaches I am pretty convinced to move my mail to another account permanently – although I’m worried that in doing so I’ll compromise the new account if I move my existing e-mails. Any thoughts on this?

  11. @ithinkican2 I shouldn’t think moving your existing emails would be a problem, as your old Yahoo account will be unable to access the new account, rather, it would be the other way around

  12. 5/3/13 Spam was sent yesterday to many people in my Yahoo address book.  For the last 10 days or so I have been getting persistent pop-up ads that can be temporarily hidden but can’t be dismissed. Among other things, the pop-ups promote a knock-off of Adobe Flash Player. I’m also getting warnings from my AVG virus detector on many pages I open with the Yahoo IE browser. Finally, pages that I open have many words with underlined links. The yahoo ceo and staff will have plenty of time to make babies after all their users leave.

  13. I’ve been suffering from this since January. I too have created a sign in seal and changed my password and am STILL getting spam continuously sent! This is my professional e-mail. Unprofessional!

  14. My yahoo!  mail has been freezing and not allowing me to open, send, and properly send all emails. . . could my account have been hacked?!   Either way, does anyone have an email address for Yahoo! Customer Care/Support so that I can use a different email to get their help?

  15. @RoxanneWilmath I hate to break it to you, but using Yahoo or the like as your professional email is not professional either.

  16. @VictoriaBluestone Sorry Victoria, can’t help you there. Tried looking but it seems like Yahoo really don’t wanna be talking to anyone. I suggest you consider changing to something like Hushmail.com instead of Yahoo!

  17. hi does anyone know, whom do I need to report to, my account has been hacked and I cannot access it anymore. Please someone let me know who can I email to get access to my email. My temporary email address is .
    I would appreciate if someone could email me an answer.
    Cheers Guys!

  18. Here’s your answer.  Why wouldn’t Yahoo just assist me with trying to track down a Technical Support Officer who was so great in assisting me because I could not log back in.  I just could not understand why they were asking for money to make my computer more safe.  Oh that’s right, I was trying to track down this person after he kindly gave me his name and number.  So calling him back to verify I was hacked after he assisted with realising my terrible predicament.  I thought, these Yahoo people are switched on.  I did actually get a hold of a Yahoo staff member, just treated like trash.  The one positive thing I did gain from the call is I was finally told the truth.  This guy did not work for Yahoo, but that’s ok, because I only had to wait a week of having no idea because I am not savvy with I.T.  When people don’t know if you are being genuine when they ask for assistance to work out what is really going on that is affecting their life so much, that’s like leaving someone hanging in limbo. That incident became a domino effect for me with trying to figure things out instead of someone informing me of the truth.  So yes, I am verifying I did gain access back into my Yahoo account on the correct page.  I know what happened now. I did not enter the email incorrectly, as your Technical Support Officer so politely informed me.  Be more professional and you may actually find out there is a duplicate of your log in page floating around, including a number in which someone answers, amazing.  You have the rest of the details. I have worked out enough for you guys.  Do your job!  As your clients state, start thinking about them. Thank you for your quick assistance in ensuring me it was just a scam and not something else, like hacking!
