Yahoo Mail accounts continue to be hacked despite 'fixes'

Despite Yahoo's efforts to fix 'vulnerabilities', mail users have continued to see their accounts hacked. The company says two isolated security holes have been rectified, but the problems persist.

For months accounts have been compromised, typically receiving seemingly legitimate emails which contain dangerous links. Once clicked, accounts are hijacked and used to send similarly harmful messages, usually to as many email addresses as are in the contact list, The Next Web reports.

The problems that users have been experiencing were initially reported in early January, with Yahoo soon admitting security flaws and attempting to rectify them.

Back in January, Shahin Ramezany, an independent hacker, posted a YouTube video demonstrating the way in which a Yahoo account can be compromised by "leveraging a DOM-based cross-site scripting (XSS) vulnerability exploitable in all major browsers". The same day Yahoo sent two statements to media outlets, initially confirming the flaw then following up by reporting the issue was fixed. However, users have outlined identical issues in the past few days.

On further investigation, the full scale of the issues becomes apparent: these are well-orchestrated attacks on vulnerable users. The Next Web offers one user's experience with the issue:

We were hacked at the end of January. They spammed everyone in the "contact" folder and deleted all the contacts. We just had another Yahoo account hacked yesterday. Not only did it spam the entire "contact" folder, but we are unable to send out e-mails or access our "secret question" to change the password.

There was a toll free number to call and when we did we spoke with people who spoke very poor English, and they asked us for a one time fee of $100 for assistance with the issue. When we refused they hung up on us. We called the number twice, the first time we spoke with a woman and the second time we called and we spoke with a man. Both times we called when we refused the payment of $100 we were hung up on.

(To clarify, the seemingly unhelpful Yahoo support advisor who answered the phone was in fact part of the scamming operation.)

Behind Microsoft and Google, Yahoo is the third largest email provider in the world. Even if only a small percentage of accounts is affected, this can mean millions of users having their personal information shared, stolen and exposed.

Given the clear lack of a fix for the issue, despite Yahoo's assurances all is well, the company may see a large decline in users in the coming weeks.

Source: The Next Web
Image: TheBoxHouston

24 Comments

While it's all nothing but conjecture at this point, there is another potential explanation for these Yahoo account breaches, which has nothing to do with vulnerabilities with Yahoo's email web hack....

The Yahoo acct breaches could be the result of another big site's breach!

So how could another site breach result in stolen Yahoo accts? Simple. Many ppl use the same credentials on all web sites, and email addresses are often used for login names. There have been many user credential breaches lately. For instance, the big Evernote breach that leaked details about 50 million users. These leaks tend to give the attacker many ppl's usernames (which is often an email address, such as your yahoo.com email address), and the hashed password for that user. There are many tools to crack hashed passwords. While salted hash tables fare better against brute force, and long passwords help, attackers can probably still extract many credentials from these breaches. Since most ppl use the same password everywhere (very bad practice!), some other company's data leak could result in attackers gaining access to the Yahoo accts (as well as many other web accts) of those victims.

Just wanted to point this out since this sort of account hijacking may be the result of many things... not just a flaw in the yahoo web mail app.

Cheers,
Corey
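The comment above describes why a leaked credential list from one site endangers accounts elsewhere, and mentions that salted hashes resist cracking better. The following Python script is an added example, not code from the article, Yahoo or The Next Web; it shows two defensive measures a mail provider can apply on its own side: rejecting a new password that already appears in a known breach corpus (looked up by SHA-1 prefix, the k-anonymity style used by public breach-check services), and storing passwords with a per-user salt and a slow KDF (scrypt) so that identical passwords on two sites no longer yield identical stored hashes. The breach corpus, the password choices and the helper names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed breach corpus (not real leaked data): the kind of unsalted
# SHA-1 list that a compromised third-party site might expose.
BREACHED_PASSWORDS = ["password123", "letmein", "qwerty2013", "iloveyou"]


def sha1_hex(password):
    """Unsalted SHA-1 as a weak site might store it; also our lookup key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(hashes):
    """Index hashes by their first five hex characters, so a lookup only
    needs to reveal the prefix, never the full hash of the candidate."""
    index = {}
    for h in hashes:
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACHED_INDEX = build_prefix_index(sha1_hex(p) for p in BREACHED_PASSWORDS)


def is_breached(password, index=BREACHED_INDEX):
    """True if the candidate password appears in the breach corpus.
    Rejecting such passwords at signup or password change blunts
    credential stuffing that relies on other sites' leaks."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF (scrypt). Two users with the
    same password, or one user on two sites, no longer share a hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hashes_match_across_sites(password, salted):
    """Whether two independent sites storing this password end up with an
    identical stored value (which lets a leak at one be matched to the other)."""
    if salted:
        return hash_password(password)[1] == hash_password(password)[1]
    return sha1_hex(password) == sha1_hex(password)


if __name__ == "__main__":
    for pw in ["password123", "correct horse battery staple"]:
        print(f"{pw!r}: breached={is_breached(pw)}")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
    print("unsalted hashes collide across sites:",
          hashes_match_across_sites("letmein", salted=False))
    print("salted hashes collide across sites:",
          hashes_match_across_sites("letmein", salted=True))
```

Neither measure helps a user who types the same password into every site; they reduce what an attacker gains from a leak (salting) and stop the provider from accepting a password that is already public (the breach check). The scrypt parameters here (n=2^14, r=8, p=1) fit within Python's default memory limit for the call; a production deployment would tune them to its hardware.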

It's not just Yahoo with this problem, it's also anyone using Telecom NZ as an ISP and using their email, as they partnered with Yahoo to provide their email services.... So if you get email from some xtra.co.nz address it's probably a hacked account as well.

Both mine and my mom's Yahoo! accounts were hacked at some point, without clicking on links. It never happened to either Hotmail or Gmail. When you contact Yahoo they'll tell you it's all your fault, since their server is so safe, it must be the customer giving out their password.

My account was recently hacked... luckily I use this account for spam so not much loss, but still it's scary.

Here's what it showed from my login activity page:

Mar 5, 2013 11:26 AM Yahoo! Mobile Logged In Venezuela

Glenn Mangham (aka Gammarays), the guy who hacked Facebook a few years ago, has compromised Yahoo's servers in the past at least a few times that I know of. He actually had administrator-level access where he could take over anyone's account or deactivate IDs - he even hacked the Yahoo! Messenger Blog at least once in an effort to get Yahoo! to fix their stuff, which of course they didn't. He used to hang out in the Hackers' Lounge chat rooms with his friends who also exploited Yahoo! in various ways. I'm guessing these days people trying to exploit Yahoo! are using Yahoo! Japan's servers since unlike the US servers they aren't patched when vulnerabilities are fixed - in fact they're a few years behind compared to the rest of the world. Seriously, they are. There are entire communities out there focused on exploiting Yahoo!. So no, articles like these don't surprise me. There are some of us who have KNOWN about how crappy Yahoo! and security has been for years now. It's been going on actively for over a decade!

Moral of the story? Yahoo's easily one of the more insecure sites/services out there right now due to their lazy handling on security issues as they arise. Do NOT even use any of their services if you can. Say whatever you want about Microsoft or Google, but if I had to choose between them and Yahoo!, I'd easily choose one of the other two.

As a consultant of Yahoo, I can tell you that Marissa Mayer has a policy of not caring if data gets hacked. They think that they are big enough to recover and don't care if they lose some users.

Ridiculous.

I've had my account hijacked without me clicking on any links - and my account has a unique, complex password. There's certainly more issues with it than they're saying...

Same here. Many people have been sending me emails telling me that I'm sending them spam, which I wasn't aware of. Yahoo really need to stop this...

Yep,
Been happening for longer than the beginning of the year also. A niece of mine has had to change her password a couple times, just this year though. I know her family isn't the most cautious on the net though.

I've used Yahoo mail since 1997 and I haven't ever been told I'm sending anything to anyone, but that's me! Their mail has DEFINITELY gone WAY down hill for quite some time now. Could almost tempt me to use that way inferior crap Gmail!!

Actually, there's no way in the world I'd EVER use Gmail as one of my main e-mails though. That thing's been a POS since day one!

~Johnny said,
I've had my account hijacked without me clicking on any links - and my account has a unique, complex password. There's certainly more issues with it than they're saying...
My GF's account was compromised yesterday, and her password is unique/complex too, and she claims she didn't click any links.

This article is mistaken.. You don't need to click any link to get your account compromised.. I have a Yahoo account that doesn't get used.. Hasn't in years, and emails were sent from it.. I would suggest that either their password database was compromised or their whole system is like Swiss cheese. Even Rogers emails are compromised..

R3DL1N3 said,
This article is mistaken.. You don't need to click any link to get your account compromised.. I have a Yahoo account that doesn't get used.. Hasn't in years, and emails were sent from it.. I would suggest that either their password database was compromised or their whole system is like Swiss cheese. Even Rogers emails are compromised..

The same thing happened to me so I decided just to close the account.

In the examples given, these users had to click a link before the problems began. In other cases however, you may not have needed to click a malicious link.

No.. it's not spoofing.. emails were sent as me to people who were in the Yahoo contact list only.. (and sent folder).. Also Yahoo has a login console which shows who and from where someone logged into my account.. Since I'm not in Romania.. and my password is over 10 chars and very complex.. I can assure you they have a MAJOR security breach on their hands.. yet not one word from Yahoo to their clients about this..
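Two commenters above (the login activity line showing a "Yahoo! Mobile" login from Venezuela, and the login console showing a login from Romania) spotted the compromise by reading the provider's login history. The script below is an added example, not a Yahoo tool or code from the article; it parses login-activity lines in the format quoted above and flags two things a user or help desk would want to see: logins from a country outside the account holder's usual set, and two logins from different countries close enough in time that travel between them is implausible. The sample activity is constructed for the example (only the Venezuela line is taken from the comment), and the `home_countries` set and the six-hour travel threshold are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

LoginEvent = namedtuple("LoginEvent", "ts client country")

# Matches lines in the form quoted in the comments, e.g.
# "Mar 5, 2013 11:26 AM Yahoo! Mobile Logged In Venezuela"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<client>.+?) Logged In (?P<country>.+?)\s*$"
)

# Constructed sample of a login-activity page. The Venezuela line is the one
# quoted in the comment; the other three are invented for this example.
SAMPLE_ACTIVITY = """\
Mar 4, 2013 8:15 PM Yahoo! Mail Logged In United States
Mar 5, 2013 9:02 AM Yahoo! Mail Logged In United States
Mar 5, 2013 11:26 AM Yahoo! Mobile Logged In Venezuela
Mar 6, 2013 3:40 AM Yahoo! Mail Logged In Romania
"""


def parse_activity(text):
    """Turn the raw page text into LoginEvents, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a login record
        ts = datetime.strptime(m.group("ts"), "%b %d, %Y %I:%M %p")
        events.append(LoginEvent(ts, m.group("client"), m.group("country")))
    return sorted(events, key=lambda e: e.ts)


def flag_logins(text, home_countries, max_travel_hours=6):
    """Return a list of alerts. Each alert is a tuple whose first element is
    the kind ("unfamiliar_country" or "impossible_travel"), followed by the
    event(s) that triggered it."""
    events = parse_activity(text)
    alerts = []
    # Rule 1: any login from a country the account holder does not use.
    for ev in events:
        if ev.country not in home_countries:
            alerts.append(("unfamiliar_country", ev))
    # Rule 2: consecutive logins from different countries within a window
    # too short to have travelled between them (assumed threshold).
    for prev, cur in zip(events, events[1:]):
        gap = cur.ts - prev.ts
        if prev.country != cur.country and gap <= timedelta(hours=max_travel_hours):
            alerts.append(("impossible_travel", prev, cur))
    return alerts


if __name__ == "__main__":
    for alert in flag_logins(SAMPLE_ACTIVITY, home_countries={"United States"}):
        kind, *evs = alert
        detail = "; ".join(f"{e.ts:%Y-%m-%d %H:%M} {e.client} from {e.country}" for e in evs)
        print(f"[{kind}] {detail}")
```

On the constructed sample this reports the Venezuela and Romania logins as unfamiliar countries, and the United States to Venezuela pair (about two and a half hours apart) as implausible travel. The same two rules are what a provider-side risk engine would apply at login time rather than after the fact, and a user who finds such entries should treat the password as compromised regardless of whether they remember clicking anything.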

Most people who use Yahoo Messenger don't realize they have an email box. I've got maybe 4-5 Yahoo handles because I hate getting kicked off because I'm on a certain computer or tablet. Been doing it for years. Best thing is to get something like RoboForm and use a password generator. Then only RoboForm knows my password, so it's hard to crack, at least for my main account. Meanwhile I notified my dad his had been hacked and sent it out to several people down his email list... After reading it here I remembered it was here; yes, other sites had it earlier but I only pay attention to this one and BN.. and Neowin is usually slightly less confrontational in its news although the comments are silly based on old news. Yeah well, old news is only old news if you've heard it before.

"For months accounts have been compromised, typically receiving seemingly legitimate emails which contain dangerous links.".

I always thought this was phishing, not hacking.