Yahoo email account passwords stolen

I recently (one week ago) activated a new email account with Yahoo, to replace a Gmail account. Despite this is a secondary account for me and even if I have 2 factor auth. enabled, I do see that yahoo is kind of easy target to be hacked...
Anyway, I was not impacted by this hack.

 

From the Techcrunch article linked above:

That means that Yahoo!'s server weren't hacked.

 

Since yesterday night I am locked out. I guess my account it's not hacked, because I have enabled TFA....anyway....it sucks.
I am giving up and back to Gmail with a fresh account. In several years of Gmail this never happened.

 

Not that I disagree with your decision to drop yahoo. How can you be certain that your other accounts have not been hacked? Hackers don't have to lock you out of your account for a breach to occur and two-factor authentication is not bullet-proof. Seems to me, you'd be better off managing your e-mail offline yourself. You really have no control over what happens server side that could result in a breach and client side control is very limited. You can manage your accounts/passwords, but you still need contacts to implement encryption or to avoid messaging personal/sensitive information in-the-clear. Honestly, what company hasn't had some sort of security breach within the last 30 years. Those that claim they haven't, are probably too incompetent to notice or too untrustworthy to be honest with users. This isn't aided by the fact that companies weren't keeping logs longer than a year or two before they realized how widespread breaches have been at least for American Businesses.

If you have to use a third-party provider, then I'd suggest you compartmentalize the types of data you receive across separate accounts/services. We do this to secure our systems, why wouldn't we do the same when managing our electronic communications? Also helps if you don't register with personable information, manage accounts/passwords/messages at non-specific, but regular intervals, employee disposable e-mails to more easily sever account connections, etc. I think the biggest hurtle so far is getting people to embrace proper encryption. Sure you can convince friends sometimes, but what about third-parties. They don't want to jump through hoops to communicate.

On a side note, does it bother anyone else that employers retain your information even if they don't send you a call back? I think the default policy should be to return the forms after 14 business days if process doesn't result in a job. Similar for rejections on user membership into organizations, etc. Long-term data storage may be convenient, but it doesn't help anyone. They are trusted with storing this data long-term and users are essential exposed to identity thief if they fail.

 

Well, it was a guess as I said. I mean, you are right, there is a possibility that the account has been hacked.
On the other hand, the Flickr account associated with that yahoo account is still there and fully working. This is strange, because Flickr relies on the same credentials of yahoo account..
In my view, there is a glitch or something wrong with yahoo mail. What concerns me is that I did not get any feedback from them, yet.
Luckily, the account was quite recent, not many emails stored. I would be disappointed if I lost Flickr pics, though.

Another example: before getting back to Gmail, I set up a new outlook.com account to replace the yahoo one. Well, I set up TFA for increased security. I set it up with google authenticator on my phone. What was really weird (and concerning..) is that when I set up the iphone app to receive outlook emails on the phone...I was not asked for the TFA code. It needed just the account password.
This never happens with Gmail: whenever you access from a new device, it asks for the TFA code. No way.
Thus, I dropped also outlook.

 

outlook: Probably you forgot to fully activate it before testing it. I cannot replicate here. You always asked for the google auth PIN if you access via web or the password (to be generated in outlook.com) via POP or IMAP.

Probably you had the device trusted in outlook already. Remove all permission in outlook and try again

 

As far as I know, when you set up one of your devices to access your outlook.com emails (using POP3 or IMAP) you receive an app password that is different from the main one, so there is no need for TFA in order to configure that device... And that behaviour was the same for GMail. Am I missing something?

 

Yes, you need to generate a password in outlook.com for POP/IMAP and you can have different passwords for each POP/IMAP applications. Google Authenticator is only needed when accessing the e-mail/user account via the web.

The only difference between outlook and gmail is that the latter is more granular in control of application passwords. You can revoke the password per device. E.g. lost your iphone? You revoke the password only for the iphone. In outlook, not (unless they changed recently).

 

Well, I am pretty sure I did not have to put any different password than the account's default one.
To detail the process:

1. Created outlook.com account with PC
2. Enabled TFA: scanned the QR code and activated google authenticator for the outlook account
3. installed on the iphone Cloudmagic: an email client for all major services and any IMAP or POP3 account.
4. Input outlook username and password in Cloudmagic app (I copied the password from Lastpass mobile, the default outlook account password): at this point I was expecting to be asked for the code...but nope. I went through and I could read/write emails on the phone.

In conclusion, I did not generate any specific application password.

 

I think you have missed one or two steps: after having registered in google auth AND turned ON the two steps verification you also need to generate the application password (in outlook.com). From now on the standard password will not work anymore with POP/IMAP access.

If you do not turn ON the two step verification you will not see the option for creating specific applications passwords. Try again and it will work

 

Thanks for your explanation.

 

Yes, I think you are right. I didn't find this to be a problem though

 

news of today: a miracle.
I am back in. Without doing nothing, this morning I was able to log in again. I immediately changed my password, just for safety.