Yahoo Security

Yahoo Password Hacked!

Yahoo Password Hacked!

If you subscribe to APeX’s Yahoo mailing lists, you may have occasionally noticed spam links posted by other members of the group.  This page gives you some important information about this problem, and how to prevent yourself from becoming a victim.

First, never click on these or any other suspicious looking link in an email or mailing list posting, even if the message claims to be from somebody you know.  Clicking on these links often spreads malware to your computer which can cause you to become a victim and start sending spam in your name.

Second, these emails are not actually sent by the people they claim to be, so this is not something that you should ever hold against the sender of these messages.  The sender has been victimized by a hacker.

So where do these emails come from?

Hackers can gain access to your Yahoo account several ways.  The most common is if your account has an easily guessable password OR easily guessable password reset challenge questions.  Another possibility is through malware either running on the victim’s computer or temporarily injected into their browser using a technique called cross-site scripting.

The protection against the first case is easy and something you should do with every online account you have.  Choose a difficult to guess password for your account.  You could choose a long random sequence of letters and numbers or possibly a sentence made up of several words.  You should never use a single word found in a dictionary, anything based on your username, real name, children, pets, etc.

In addition to your password, you must also be sure to select difficult to guess answers for your password reset questions.  In some cases, this might mean you need to enter an answer that isn’t actually true, but is safer.  As an example, if a challenge question is, “What’s your favorite place to vacation?” many people from the Albany area might enter “Florida” or “Hawaii” or “Maine”.  An attacker can easily guess many of these answers across a wide number of accounts and eventually find a correct answer and gain access to the account.  To be safe, you should choose an answer that’s extremely specific to you or completely made up.  Something like “under the palm tree in vegas” or “xanadu” would be safer.

The other class of attack (cross-site scripting or XSS) has nothing to do with your password and is more difficult to defend against.  These attacks usually depend on security vulnerabilities in Yahoo itself or other websites you might visit.  The best defense against this type of attack is to Log Out of your Yahoo account whenever you’re not actively using Yahoo services like email or groups.

This attack can also frequently happen if you login to your Yahoo account from a public computer such as at a library or coffee shop. These computers might be compromised with key loggers that report any passwords entered on them to an attacker somewhere else.  If at all possible, avoid  using public computers for anything with a password, and only login to Yahoo from computers you own or have full control over.

You can also gain a significant amount of protection by using browser extensions like AdBlock or NoScript, but these are unfortunately somewhat complicated to configure and not a good solution for many people.

How can I tell if my account has been hacked?
If you see a spam message on the mailing list from yourself, that’s probably a bad sign…  Attackers usually send messages out to all addresses in the victim’s address book as soon as they crack an account.  You can look on Yahoo’s site to see if someone other than yourself has accessed your account.  Go to and mouse-over your username in the upper left corner.  Choose Account Info.

[Note you can click on images below for a larger version.]

Account Info

Account Info Link

From the list of options, the first thing you should choose is “View your recent sign-in activity.” (#1 on the picture below)

Account Info Options

Account Info Options

This screen will show you recent logins to your account:

Account Activity

Account Activity – Outside the US & “Partner” applications are trouble

Under Location, check to see if any locations are listed outside of the US. These are red-flags of a compromised account. Note that locations out of New York state can be normal if you use a cell phone to access your account. Sprint for example often shows up as being in Illinois.

Under Access Type, any entries for “Yahoo! Partner’s Application” are definite signs of trouble. If you see any of these, you should go Back to Account Info and choose the “Manage Apps and Website Connections” option (#4 on the picture above). You need to click the Remove link for the Yahoo! partner’s Application as well as any others that you might not recognize.

Authorized Apps - Remove anything you don't recognize

Authorized Apps – Remove anything you don’t recognize

In most cases when an attacker compromises an account, they will try to keep access to it by setting password reset questions to their own values. If you change your password, they can just reset it back. From the Account Info screen, choose “Update password-reset info” (#3) and reset your questions to something difficult to guess. Also make sure that any emails or phone numbers on that page belong to you. A common trick is for an attacker to setup a Gmail or Hotmail account that’s different from your own account by only a letter or two and change your reset email to that hoping you won’t notice the difference, so look carefully!

Once password reset questions are fixed up, you should change your password to something difficult to guess.

Low hanging fruit

Unfortunately none of these protections are 100% certain to keep your account safe.   but computer security is about adding layers of protection in the hope that not all of them will fall at once.

Hackers are generally interested not in your specific Yahoo account, but only in obtaining access to some number of accounts so that they can use them to send spam and malware.  By using strong passwords and reset questions, you ensure that your account isn’t the low-hanging fruit that they find first.  Odds are they’ll give up and move on to somebody else.

Leave a Reply