Almost three weeks after we first reported on Yahoo’s inability to protect its customers from being hacked, it seems that the email provider is no closer to coming up with an effective solution – or even admitting that it has a problem in the first place.
You can read my original post on the subject here, but the short story is that Russian hackers have been exploiting a cross-site scripting (XSS) vulnerability in Yahoo Mail to hijack thousands of accounts over the last few months. An XSS flaw lets an attacker's script run inside the victim's own logged-in Yahoo Mail session, so the attacker never needs to know the password. Once compromised, the accounts are used to send spam advertising a "get rich quick" scheme to every contact in the hijacked account's address book.
The attacks were first reported in January, and though Yahoo claimed to have fixed the vulnerability shortly afterwards, similar hacks were reported in March and then again in April, raising serious doubts about Yahoo's ability to protect its customers. Even worse, after first acknowledging the problem, Yahoo now appears to be ignoring it altogether; I have made several attempts to contact the company through various sources for a comment, so far to no avail.
With Yahoo seemingly unwilling, or more likely, unable to help its customers, many users have been asking me for advice on what they can do to better protect their accounts. The situation isn’t helped by the apparent lack of any advanced security settings option within Yahoo Mail itself, but through a little digging around I have been able to come up with some suggestions.
Three Steps To Secure Yahoo Mail (Sort Of)
Choose a SECURE password:
This cannot be emphasized enough. Do not choose a password that anyone could guess. Ideally, let a password manager generate and store it for you; RoboForm and KeePassX are good choices, and the random passwords they produce are far more difficult for hackers to crack than anything you will think up yourself. If you must choose your own password, avoid anything obvious: not a recognizable word, and not even a pronounceable non-word, since cracking tools try those too. Instead, use a long random string of letters, numbers and other characters, never reuse it on another site (a breach somewhere else is the most common way a password gets learned), and change it REGULARLY (like, once a month).
Don’t Answer Security Questions Truthfully:
When vice-presidential candidate Sarah Palin's email account was famously hacked back in 2008, the intruder gained access simply by performing a Google search to find the answer to the question "where did you meet your spouse?". With most of us having Facebook and other social media accounts these days, and in many cases having our personal details plastered all over our company websites, it is all too easy for hackers to find the answers to basic questions about you, and those are exactly the kinds of questions Yahoo Mail asks. So instead of entering your real school or your mother's real maiden name, choose a totally random answer and record it in your password manager, because you will not remember it and you will be asked for it when you recover the account.
Use Two-Step Verification:
Most people probably don't realize it, but Yahoo now offers two-step verification, which it calls "second sign-in verification". Unfortunately, its bizarre decision not to include security settings within Yahoo Mail itself means that few people know where to find it or how to set it up. It's not at all easy to find, but after some considerable effort I did eventually manage to track down the relevant page, and discovered that you can set up Second Sign-In Verification here (you'll need to verify your password again). Once enabled, any time you enter your Yahoo password from an unrecognized device you'll also be asked for a code sent to your phone via SMS, or alternatively to answer a security question. That fallback is the weak point: anyone who can look up your security answer can skip the SMS code entirely, which is why step two above matters even after you turn this on.
By following these three steps you'll be doing just about everything you can from your side to protect your account. Be clear about what they do and don't cover, though. A strong password and second sign-in verification stop someone logging in as you; they do nothing against an XSS attack of the kind Yahoo's Russian hackers appear to be using, because that script runs inside a session you have already authenticated and can read your address book and send mail as you without ever seeing your password. Only Yahoo can fix that, by fixing the vulnerability. If that doesn't happen, I'd suggest giving serious consideration to ditching Yahoo for good, and signing up for Gmail, Outlook.com, or better still, an encrypted email provider such as Hushmail.com.