1. Jon Bovard Gold

    Director of eCommerce at A well known Telco

    26 February 2007 13:38pm

    Jon Bovard

    Last week, my partner had her Yahoo email account hacked. We spent the entire weekend on the phone with eBay and Ebuyer trying to sort things out.

    That is, someone got the password and/or security question right and consequently went in and changed the password and security questions. She is now locked out of Yahoo email and cannot get in to assess the damage.

    On the surface this would seem trivial - "it's just an email account ... not a bank account"...
    However, the offender now has access to all my passwords and usernames for every site that she has ever registered with, or purchased from, including some which retain payment details for credit cards or similar.

    After faxing a passport copy to eBay and about 3 hours of phone calls and emails, eBay have finally advised that someone has been bidding using her account and payment details on several products. They won't say which products or even disclose an IP address to us.
    All of this is extremely painful and annoying. We are unsure of how much fraud may have been attempted beyond eBay and Ebuyer. What other sites do they have access to now?

    My point is that this is happening and Yahoo have not bothered to send us a sensible reply within 72 hours. We keep getting the same hopeless people at Yahoo sending nonsensical standard replies, and meanwhile her online identity has been hijacked. As yet it's impossible to determine how or why or even who.

    I have no idea if this was a brute force attack or someone who had access to our private documents that you might find if you went through our rubbish bins.

    The overriding point is that free email providers have a reasonable obligation (irrespective of what it says in their legal mumbo jumbo) to assist and respond in a manner that is fair to their users.

    I have been reading more and more and this is not uncommon amongst other Yahoo email users.
    http://jeremy.zawodny.com/blog/archives/002912.html
    http://yahoo.weblogsinc.com/2006/04/29/stolen-yahoo-accounts-what-to-do/

    You have been warned.

    I would invite someone at Yahoo to get in contact with me outside this forum to assist with this issue. If this happens I will be updating this issue.

    Jon

  2. Jon Bovard Gold

    Director of eCommerce at A well known Telco

    26 February 2007 20:10pm

    Jon Bovard

    Update:

    I have since been contacted by Yahoo UK within a matter of hours of this posting.
    Account has been restored. Hats off to Yahoo for a professional response. I'm sorry I had to post it here to get the action needed.

    I'm still waiting on the IP of the offender; however, I know for certain where they are based after reading through her inbox.
    We have one email from someone in the USA selling a PSP which the fraudster won. The email goes like this: "Hi, I have just been in contact with UPS. It's going to cost $250 to send it to Nigeria". Surprise, surprise!

    So this still highlights the following areas of concern to us all:
    1. What onus, if any, is on the free ESP/ISP to provide us with exceptional customer support for circumstances like this? I would certainly pay a nominal fee to speak to someone in an emergency.
    2. What else needs to be done to improve security? God knows how someone in Nigeria got the user/pass combination correct???
    3. What are the implications of cross-site security? I.e. if someone gets into your email, what are the knock-on effects on other sites à la eBay, PayPal etc.?
    4. What are the implications of systems like MSN/Hotmail Passport, with one username/password combination for EVERYTHING!!??
    5. This probably isn't a UK-specific incident, so what police force do I report this to? Or do I? Or, more importantly, can I??

    Lots to consider. Again, thanks to Yahoo for seeing this through to conclusion. It could have been much worse.

    jon

    On 13:38:45 26 February 2007 JonBov wrote:

    Last week, my partner had her Yahoo email account hacked. [...]

  3. Lawrence L

    Freelance Web Consultant at architxt.net

    27 February 2007 16:16pm

    Lawrence L

    One thing that can be done is to convince certain sites that their 'invite your contacts' functionality is VERY bad practice.

    It works like this: I sign up at a site (usually a MySpace wannabe site) and at the end of the process I am invited to submit my Yahoo/Hotmail/AOL login details so that they can 'harvest' contact details and send off an automated invitation to all.

    I'm not saying that such sites collect this information for fraudulent use. In fact, they're open about such functionality. The danger, however, is that it effectively tells users that it's OK to share login details of other sites.

    Who's to stop someone putting up a mock MySpace-type site just for that purpose?

    On 20:10:24 26 February 2007 JonBov wrote:

    Update: I have since been contacted by Yahoo UK within a matter of hours of this posting. [...]

  4. Paul Walsh

    CEO at Segala

    27 February 2007 19:05pm

    Paul Walsh

    "I'm sorry I had to post it here to get the action needed."

    Don't be sorry; you shouldn't have to post to a forum or blog to get a company to listen to you. It does demonstrate the power of such media of communication, though.

    My company had serious issues with our hosting provider in Dublin. On many occasions we got in touch, with no joy. Given the nature of our business, it's quite important to have a good connection and good hosting, so I offered to fly to Dublin (from the UK) to speak to their senior management team. However, they declined to respond, let alone meet me.

    However, I received a personal email from the Marketing Director within 12 hours of writing a blog post about the matter. He even offered to give me a tour of their new servers.

    So it turned into a positive situation, with me having more respect for their ability to respond (to a blog!). So, never be sorry - you're the client, they're the supplier.

    Paul
    ---------
    http://segala.com/blog

  5. Kristin Hersant

    Director of Corporate Marketing at StrongMail Systems

    04 March 2007 03:35am

    Kristin Hersant

    Greetings,

    This exact scenario happened to me twice last year. The first time, I was able to generate a new random password and have it sent to the secondary email address that I had associated with the account. When I logged in using that email, it kicked the hacker out of my account and I was able to immediately cancel an Amazon.com order that he had already placed using my profile. I closed my Amazon.com account, removed all of my credit card profile data from PayPal, and changed the password on my Yahoo account. I thought that would be the end of it. It wasn't.

    A month later, I received another email notice at my secondary address that my Yahoo password had been changed, only to find that Yahoo had removed the automatic password generation feature as an option. This time, the perpetrator immediately started changing the answers to all of my security questions, effectively locking me out of my account. I spent a week corresponding with Yahoo to try to recover my account, and received the same string of nonsensical form emails from unsympathetic customer service reps who refused to look into the situation because I could only answer 7 of the 8 security questions that they made me provide them "correctly" (via insecure email, no less). I am still completely at a loss for why the record for my favourite pet's name didn't match the answer that I always give... it almost makes me think that this was an inside job.

    Needless to say, I wasn't able to recover the Yahoo account that I've had for 8 years and lost most of my personal contacts. I changed all of my passwords and the email addresses associated with every site I correspond with. To this day, I still monitor all of my accounts for fraudulent activity and no longer store any credit card information in e-commerce sites that could be linked to a web-based email account. I am furious with Yahoo for not enabling me to recover my account and have subsequently opened a Gmail account.

    I sympathize with everything you're going through and wanted to let you know that you're not alone. I'm not sure why we were targeted or how they selected our names/accounts, but I would caution everyone who has a Yahoo account to be wary of this dangerous security flaw in their system.

    Kristin Hersant
    Redwood City, CA, USA
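Both Kristin's and Jon's posts describe the same takeover pattern: once in, the intruder changes the password and every security question, so the only recovery path that still works is the one bound to the previous secondary address. The Python model below is an added example written for this thread; it is not Yahoo's implementation and not code posted by anyone here. It shows one defensive design for that failure mode: every change to recovery settings is recorded with a revert token that is mailed to the secondary address in force before the change, and the pre-change state can be restored for a grace window. The function names, the `Account` structure and the 72-hour window are all assumptions chosen for illustration.

```python
"""Illustrative account-recovery model (added example, not a real provider's code).

Design being demonstrated: changes to password, secondary email or security
questions are applied immediately, but the previous settings stay revertable
for GRACE_SECONDS via a token sent to the secondary address that was in force
BEFORE the change. An intruder who rewrites every security question therefore
cannot cut the rightful owner off from the undo path.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

GRACE_SECONDS = 72 * 3600  # assumed undo window, chosen for illustration
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(acct: "Account", password: str) -> bool:
    salt, digest = acct.password_hash[:SALT_LEN], acct.password_hash[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    password_hash: bytes
    secondary_email: str
    security_answers: dict
    # revert token -> (settings before the change, time the token expires)
    pending_reverts: dict = field(default_factory=dict)


def new_account(username, password, secondary_email, security_answers) -> Account:
    return Account(username, hash_password(password), secondary_email, dict(security_answers))


def _snapshot(acct: Account) -> dict:
    return {
        "password_hash": acct.password_hash,
        "secondary_email": acct.secondary_email,
        "security_answers": dict(acct.security_answers),
    }


def change_recovery_settings(acct, *, new_password=None, new_secondary=None,
                             new_answers=None, now=None):
    """Apply the change but keep the previous settings revertable.

    Returns (revert_token, notification). The notification is addressed to the
    secondary email that was valid BEFORE this change, so whoever controlled
    the account until now is told and given the means to undo it.
    """
    now = time.time() if now is None else now
    before = _snapshot(acct)
    token = secrets.token_urlsafe(32)
    acct.pending_reverts[token] = (before, now + GRACE_SECONDS)
    if new_password is not None:
        acct.password_hash = hash_password(new_password)
    if new_secondary is not None:
        acct.secondary_email = new_secondary
    if new_answers is not None:
        acct.security_answers = dict(new_answers)
    notification = {
        "to": before["secondary_email"],
        "subject": f"Recovery settings changed on account {acct.username}",
        "revert_token": token,
        "undo_before": now + GRACE_SECONDS,
    }
    return token, notification


def revert(acct, token, now=None) -> bool:
    """Restore the settings tied to `token` if it is still inside the window."""
    now = time.time() if now is None else now
    for stored, (before, expires_at) in acct.pending_reverts.items():
        if hmac.compare_digest(stored, token):
            if now > expires_at:
                return False
            acct.password_hash = before["password_hash"]
            acct.secondary_email = before["secondary_email"]
            acct.security_answers = dict(before["security_answers"])
            # Every later change was built on the hijacked state; drop them all.
            acct.pending_reverts.clear()
            return True
    return False


if __name__ == "__main__":
    # Constructed walk-through of the takeover described in the thread.
    acct = new_account("owner", "correct horse", "owner-backup@example.invalid", {"pet": "rex"})
    tok, note = change_recovery_settings(acct, new_password="intruder-pw", now=1000)
    change_recovery_settings(acct, new_secondary="intruder@example.invalid",
                             new_answers={"pet": "zzz"}, now=1010)
    print("owner notified at:", note["to"])
    print("reverted:", revert(acct, tok, now=2000), "->", acct.secondary_email)
```

The important property is where the notification goes: the first change the intruder makes, whatever it is, produces a token that reaches the owner's old secondary mailbox, and reverting with that token discards every later change. Real providers would also rate-limit recovery changes and log them for the abuse team; the model leaves that out to keep the mechanism visible.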

  6. David Jonas

    U.S. Army

    12 May 2007 14:47pm

    David Jonas

    I wish Yahoo! would be that helpful with me. I am having the EXACT same problem right now. I've contacted Yahoo! several times over the last couple of weeks, but they have been absolutely no help. There is one slight difference, however...

    The person who has taken over this account has actually been emailing me, asking "How's life" and also wanting me to pay them to recover this email address. This has gotten very personal and I am at my wits' end. What can I do, since Yahoo doesn't see fit to help me in this instance?

    I can tell you this. After this demonstration of Yahoo's customer service, I can say that I will no longer be a Yahoo user. I don't expect huge throngs of people to follow me out the door, but I do hope that some of you take this to heart and realize the impotence of Yahoo's help.

    Thanks for listening to my rant.

    On 20:10:24 26 February 2007 JonBov wrote:

    Update: I have since been contacted by Yahoo UK within a matter of hours of this posting. [...]

  7. joseph chacko

    techademy

    07 October 2007 16:55pm

    joseph chacko

    On 03:35:51 4 March 2007 khersant wrote:

    This exact scenario happened to me twice last year. [...]
