Yahoo email account passwords stolen

Discussion in 'other security issues & news' started by ronjor, Jan 30, 2014.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    http://abcnews.go.com/Technology/wireStory/yahoo-email-account-passwords-stolen-22305108
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    http://techcrunch.com/2014/01/30/ya...-on-yahoo-mail-resets-all-affected-passwords/
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I recently (one week ago) activated a new email account with Yahoo, to replace a Gmail account. Even though this is a secondary account for me and I have 2-factor auth enabled, I do see that Yahoo is kind of an easy target to be hacked...
    Anyway, I was not impacted by this hack.
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    From the Techcrunch article linked above:
    That means that Yahoo!'s servers weren't hacked.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    http://www.net-security.org/secworld.php?id=16290
     
  7. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Since yesterday night I have been locked out. I guess my account isn't hacked, because I have enabled TFA... anyway... it sucks.
    I am giving up and going back to Gmail with a fresh account. In several years of Gmail this never happened.
     
  8. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    Not that I disagree with your decision to drop Yahoo. How can you be certain that your other accounts have not been hacked? Hackers don't have to lock you out of your account for a breach to occur, and two-factor authentication is not bullet-proof. Seems to me you'd be better off managing your e-mail offline yourself. You really have no control over what happens server-side that could result in a breach, and client-side control is very limited. You can manage your accounts/passwords, but you still need contacts to implement encryption or to avoid messaging personal/sensitive information in the clear. Honestly, what company hasn't had some sort of security breach within the last 30 years? Those that claim they haven't are probably too incompetent to notice or too untrustworthy to be honest with users. This isn't aided by the fact that companies weren't keeping logs longer than a year or two before they realized how widespread breaches have been, at least for American businesses.

    If you have to use a third-party provider, then I'd suggest you compartmentalize the types of data you receive across separate accounts/services. We do this to secure our systems, so why wouldn't we do the same when managing our electronic communications? It also helps if you don't register with personal information, manage accounts/passwords/messages at non-specific but regular intervals, employ disposable e-mails to more easily sever account connections, etc. I think the biggest hurdle so far is getting people to embrace proper encryption. Sure, you can convince friends sometimes, but what about third parties? They don't want to jump through hoops to communicate.

    On a side note, does it bother anyone else that employers retain your information even if they don't send you a call back? I think the default policy should be to return the forms after 14 business days if the process doesn't result in a job. Similar for rejections on user membership into organizations, etc. Long-term data storage may be convenient, but it doesn't help anyone. They are trusted with storing this data long-term, and users are essentially exposed to identity theft if they fail.
     
  9. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Well, it was a guess, as I said. I mean, you are right, there is a possibility that the account has been hacked.
    On the other hand, the Flickr account associated with that Yahoo account is still there and fully working. This is strange, because Flickr relies on the same credentials as the Yahoo account.
    In my view, there is a glitch or something wrong with Yahoo Mail. What concerns me is that I did not get any feedback from them yet.
    Luckily, the account was quite recent, not many emails stored. I would be disappointed if I lost Flickr pics, though.

    Another example: before getting back to Gmail, I set up a new outlook.com account to replace the Yahoo one. Well, I set up TFA for increased security. I set it up with Google Authenticator on my phone. What was really weird (and concerning...) is that when I set up the iPhone app to receive Outlook emails on the phone, I was not asked for the TFA code. It needed just the account password.
    This never happens with Gmail: whenever you access from a new device, it asks for the TFA code. No way.
    Thus, I dropped Outlook too.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Outlook: probably you forgot to fully activate it before testing it. I cannot replicate it here. You are always asked for the Google Authenticator PIN if you access via the web, or for the password (to be generated in outlook.com) via POP or IMAP.

    Probably you had the device trusted in Outlook already. Remove all permissions in Outlook and try again ;)
     
  11. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    As far as I know, when you set up one of your devices to access your outlook.com emails (using POP3 or IMAP) you receive an app password that is different from the main one, so there is no need for TFA in order to configure that device... And that behaviour was the same for Gmail. Am I missing something?
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Yes, you need to generate a password in outlook.com for POP/IMAP, and you can have different passwords for each POP/IMAP application. Google Authenticator is only needed when accessing the e-mail/user account via the web.

    The only difference between Outlook and Gmail is that the latter is more granular in its control of application passwords. You can revoke the password per device. E.g. lost your iPhone? You revoke the password only for the iPhone. In Outlook, you cannot (unless they changed it recently).
     
  13. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Well, I am pretty sure I did not have to enter any password different from the account's default one.
    To detail the process:

    1. Created the outlook.com account on the PC
    2. Enabled TFA: scanned the QR code and activated Google Authenticator for the Outlook account
    3. Installed CloudMagic on the iPhone: an email client for all major services and any IMAP or POP3 account.
    4. Entered the Outlook username and password in the CloudMagic app (I copied the password from LastPass mobile, the default Outlook account password): at this point I was expecting to be asked for the code... but nope. I went through and I could read/write emails on the phone.

    In conclusion, I did not generate any application-specific password.
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    I think you have missed one or two steps: after having registered in Google Authenticator AND turned ON two-step verification, you also need to generate the application password (in outlook.com). From now on the standard password will not work anymore with POP/IMAP access. :)

    If you do not turn ON two-step verification you will not see the option for creating application-specific passwords. Try again and it will work ;)
     
  15. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Thanks for your explanation.
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Yes, I think you are right. I didn't find this to be a problem though :)
     
  17. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    News of today: a miracle.
    I am back in. Without doing anything, this morning I was able to log in again. I immediately changed my password, just for safety.
     