
Author Topic: Caution: Check your Yahoo email security  (Read 4111 times)

Offline Zoidberg

  • DX Legend
  • ******
  • Posts: 2364
  • Gopher Stomp, Texas
  • i c u
Caution: Check your Yahoo email security
« on: June 17, 2013, 1433 UTC »
If you're on a radio hobbyist email list you may have received email from "Mark M" this weekend - just a URL with a nonsensical message.  It appears his Yahoo mail account was hacked this weekend, which appears to have been part of a large number of Yahoo email accounts hacked over the June 14-16 weekend, including a friend of mine.

Note: This appears to be an actual hack of a large number of Yahoo email accounts, not just spoofing.  My friend's account was shut down after suspicious activity was noted, but only after dozens of emails with suspicious links (probably to trojan installers) were sent to her contact list.

It's probably a good time to check your Yahoo account and change the password.  Also, if you pay for Yahoo's premium service, check your POP and advanced mail settings for forwarding addresses.  Sometimes hacked email accounts will forward mail to the hacker, so you'll want to disable that.  If I'm correctly remembering my own Yahoo account (which I rarely use) the freebie email doesn't include POP or advanced mail settings so you won't need to worry about that.

And this incident is a good example of why I don't use Yahoo mail.  It comes free with my ISP but Yahoo's security is so poor I never use that email service.  This is at least the third instance of a Yahoo email security breach in the past several years.  Even my old Hotmail account from the 1990s has better security, but mostly I use an old Netscape account (now AOL) and Gmail.

This appears to be a major ongoing problem with Yahoo mail throughout 2013: http://www.huffingtonpost.com/2013/05/31/yahoo-email-hacking_n_3366259.html
« Last Edit: June 17, 2013, 1546 UTC by Lex »
That li'l ol' DXer from Texas
Unpleasant Frequencies Crew
Al: Palstar R30C & various antennae
Snoopy: Sony ICF-2010
Roger: Magnavox D2935
(Off-air recordings.)

Offline moof

  • Full Member
  • ***
  • Posts: 223
Re: Caution: Check your Yahoo email security
« Reply #1 on: June 17, 2013, 1836 UTC »
Yep happened to me and someone I know as well in the last 24 hours.  Changing the password seems to have stopped it.  I don't remember clicking on anything suspect, and my password was a long mixed case nonsense string of letters and numbers so who knows how it was done.
The only indication was that wife and I immediately got a text from my yahoo acct and there were a dozen mail failures in the inbox all within a minute.  The email went to every email I had ever sent something to--not just contacts--it harvested EVERYTHING!  Nothing in the Sent folder either.
I read that a good thing to do is send an email and add to contacts a nonexistent email - any gibberish like dvvdiwrifje4r9rifc@yahoo.com and at least you will get a failure notice if it is accessed again.
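
The canary-contact tip in the post above can be checked automatically. This is an added example, not part of the original posts: it parses bounce messages with Python's standard `email` package and reports any bounce whose failed recipient is the canary address. The function names and the sample inbox are constructed for illustration.

```python
import email
from email import policy

# The gibberish contact from the post; any address known not to exist works.
CANARY = "dvvdiwrifje4r9rifc@yahoo.com"

def bounced_recipients(raw: bytes) -> set:
    """Addresses that a bounce (RFC 3464 delivery status report) says failed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return set()          # ordinary mail, even if it mentions the canary
    found = set()
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser exposes each header block of this part as a sub-message.
        for block in part.get_payload():
            value = block.get("Final-Recipient")      # "rfc822; user@host"
            if value:
                found.add(str(value).split(";")[-1].strip().strip("<>").lower())
    return found

def canary_alerts(raw_messages, canary=CANARY):
    """(date, subject) of each bounce naming the canary: something mailed the
    whole contact list, which the account owner never does on purpose."""
    alerts = []
    for raw in raw_messages:
        if canary.lower() in bounced_recipients(raw):
            msg = email.message_from_bytes(raw, policy=policy.default)
            alerts.append((str(msg["Date"]), str(msg["Subject"])))
    return alerts

def sample_bounce(rcpt: str, date: str) -> bytes:
    """Constructed sample bounce, not a captured message."""
    return "\n".join([
        "From: MAILER-DAEMON@mta.example.net", "To: me@example.org",
        "Subject: Delivery Status Notification (Failure)", f"Date: {date}",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "",
        "Delivery to the following recipient failed permanently.", "",
        "--b1", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; mta.example.net", "",
        f"Final-Recipient: rfc822; {rcpt}", "Action: failed", "Status: 5.1.1",
        "", "--b1--", "",
    ]).encode()

# Constructed inbox: a canary bounce, an unrelated bounce, and a normal mail
# that merely mentions the canary address in its body.
SAMPLE_INBOX = [
    sample_bounce(CANARY, "Mon, 17 Jun 2013 18:30:00 +0000"),
    sample_bounce("old.friend@example.com", "Sun, 02 Jun 2013 09:00:00 +0000"),
    b"From: a@example.org\nSubject: hi\n\nI added dvvdiwrifje4r9rifc@yahoo.com\n",
]

if __name__ == "__main__":
    for date, subject in canary_alerts(SAMPLE_INBOX):
        print(f"ALERT {date}: {subject}")
```

Only structured delivery status reports are matched, so a bounce from a server that sends free-text failure notices would need a separate text check.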

Offline ff

  • Sr. Member
  • ****
  • Posts: 443
  • Upstate NY
Re: Caution: Check your Yahoo email security
« Reply #2 on: June 17, 2013, 2018 UTC »
Lex and moof - Thanks for the heads up and the tips.  I echo your concerns about Yahoo's lack of security.  Lately they seem to be focusing their energies on web crawling and intruding on users' privacy.  They have kept me stepping quickly to maintain the small amount of anonymity I still retain.  After 9 years I am seriously considering pulling the plug on the homebrewpirateradio group.  It's too bad.  I wish they would take the high road, but they seem to be wallowing in the same crap-filled mud hole that most of the Internet is happily sinking into.  Financial concerns always win out and the government sits back and rubs its hands with glee...
Hailing from the upstate boondocks region of the progressive paradise which once was New York State

Offline moof

  • Full Member
  • ***
  • Posts: 223
Re: Caution: Check your Yahoo email security
« Reply #3 on: June 17, 2013, 2335 UTC »
ahhhhh!   It's ***YOU*** who runs that group.  I have been known to do a little something over that way now and then.  I bet group users are a subset of users on this side.

Offline ff

  • Sr. Member
  • ****
  • Posts: 443
  • Upstate NY
Re: Caution: Check your Yahoo email security
« Reply #4 on: June 18, 2013, 0007 UTC »
> ahhhhh!   It's ***YOU*** who runs that group.  I have been known to do a little something over that way now and then.  I bet group users are a subset of users on this side.

Well moof, ***SOMEONE*** has to run it - :)  I hope that it has helped you out.  It's certainly improved my game by about a thousand percent!  Undoubtedly most of our group are here also.  I hope this thread will get interested parties downloading desired group files now, in the event it does get shut down.  I'd certainly make a group announcement, but why not avoid the rush?  73...
Hailing from the upstate boondocks region of the progressive paradise which once was New York State

Offline Zoidberg

  • DX Legend
  • ******
  • Posts: 2364
  • Gopher Stomp, Texas
  • i c u
Re: Caution: Check your Yahoo email security
« Reply #5 on: June 18, 2013, 0249 UTC »
ff, don't give up too quickly on the group.  New Yahoo CEO Marissa Mayer seems to be trying to address some of the problems that have plagued Yahoo, including rampant slacking off by employees who were permitted to telecommute, but which tends to translate to "paid day off".  By all accounts from industry insiders she has a huge cultural shift to implement to turn the company around.

I used to be active on a few Yahoo radio groups but the reasons I quit weren't related to Yahoo.  For one thing, discussion forums are a huge time sink.  For another, the SWL groups tended to be overwhelmed by hams who were incapable of thinking like a shortwave radio listener. 

A typical example: Some poor newbie to the group, a fellow in a senior citizens assisted living home, would ask for help with an indoor antenna that he could manage to operate from his wheelchair.  Invariably the hamsters would begin arguing over whether a G5RV or T2FD mounted a full wavelength high outside would be best, and eventually would tell the poor guy he might as well not even bother with the SWL hobby if he couldn't put up a good outdoor antenna.

Meanwhile, efforts at realistic solutions for indoor antennas would be hooted down by said hamsters.  I finally gave up and left the SWL groups.

Incidentally, that reminds me - I need to revive my project on the Villard indoor homebrewed loop.  I read about it umpteen years ago in Joe Carr's book and finally tried it a year or so ago.  Darned thing works amazingly well.  I shot a demo video but my crappy 12 year old digicam only did something like 240x180 resolution video.  Now that I have a decent video recorder I should run the demo again.  It's amazing how well that Villard loop works with a small portable for indoor use.  It effectively nulls out most local RFI and provides a sharp null for receiving HF, even at 10-20 MHz, which was the peak for the test loop I slapped together out of foam core and aluminum foil.  A 3'x3' loop should get it down into the pirate funny bands.  But don't tell the hamsters on the Yahoo SWL group, unless you want an argument about G5RV vs. T2FD outdoors.   ::)
That li'l ol' DXer from Texas
Unpleasant Frequencies Crew
Al: Palstar R30C & various antennae
Snoopy: Sony ICF-2010
Roger: Magnavox D2935
(Off-air recordings.)

Offline Zoidberg

  • DX Legend
  • ******
  • Posts: 2364
  • Gopher Stomp, Texas
  • i c u
Re: Caution: Check your Yahoo email security
« Reply #6 on: June 18, 2013, 0258 UTC »
> ...my password was a long mixed case nonsense string of letters and numbers so who knows how it was done.

Interestingly, some security experts say those familiar suggestions for random alpha-numerics are wrong.  Supposedly automated hacks can break them easily, often within seconds.  My friend relied on the usual suggestions for a mixture of symbols, numerals and letters, and her six-to-eight character password was considered "strong" - but her Yahoo account has been hacked twice.

Some experts are recommending plain language words arranged in long nonsensical phrases.  At least one expert even recommends breaking up the words with blank spaces, which runs contrary to the usual suggestions to run words togetherlikethis, or use hyphens or other punctuation marks.

http://www.stormpath.com/blog/5-myths-password-security
That li'l ol' DXer from Texas
Unpleasant Frequencies Crew
Al: Palstar R30C & various antennae
Snoopy: Sony ICF-2010
Roger: Magnavox D2935
(Off-air recordings.)

Offline Pigmeat

  • Marconi Class DXer
  • ********
  • Posts: 6684
Re: Caution: Check your Yahoo email security
« Reply #7 on: June 18, 2013, 0446 UTC »
Yup something is up with Yahoo mail. Before I came over here my station account showed that I had a message from "Commander" about the topic "Commander Bunny" coming from the old Rodent Revolution site.

As I'm the last guy in the world he would be emailing about anything, something is fishy in Yahooland.

Offline kmorgan

  • Jr. Member
  • **
  • Posts: 46
Re: Caution: Check your Yahoo email security
« Reply #8 on: June 18, 2013, 0808 UTC »
tell me about it.. it happened to me (who's never been hacked, ever- and had my yahoo! account for over 15 yrs) and then the same hack affected family members as well. I don't use an email client, I keep emails on their servers. After said hack, my yahoo! email settings were then changed as well  >:( to their newer and crappier format which one canNOT change back to the old & more readable formatting way. This infuriated me much more than the stupid spamming.

One terrible effect of it was a family member's yahoo mail is also received on her smart phone, which somehow the hack changed her AT&T settings! One other reason why I do not own or use a smart phone, nor even have a cell phone account.

Don't use those email clients (Windows Live et al) as those messages are stored on your computer instead of staying on the yahoo server, but to most if not all of you guys on this board that advice is probably just preaching to the choir. I'd also like to state that I don't open unknown files or click links in email so I wonder how this hack happened?
 
About to read the huffpo link I hadn't seen- but this yahoo hacking seems a bit more than just a simple annoying spamming deal. It's gone into my basic settings on my account also, and my family's phone settings. I caught it quickly and changed my passwords of course and I hope this does not happen again.

I'd like to find a good web based email provider (free) that does not have the option of signing in with other accounts- seems all of the providers I find have the "Sign in with your Google/Facebook/etc" I do not trust those types.
« Last Edit: June 18, 2013, 0811 UTC by kmorgan »

Fansome

  • Guest
Re: Caution: Check your Yahoo email security
« Reply #9 on: June 18, 2013, 1058 UTC »
UDXF has gotten a lot of these emails, and it has spawned some discussion, some of which seems useful. It's not just radio-related groups that are being hit; I belong to several other groups that are also having problems.

Re: [UDXF] Re: another spam email alert

Dennis Smith

2:12 AM

To: UDXF@yahoogroups.com

The problem with these Yahoo hacks is the password is only 5% of the
hack if used at all. These hacks are done at the server rather than
the user's PC, but still involve impersonating you and stealing your
cookies to do it. Even if you change your password your account is
still going to be subject to the same old log-in issue.
 
There are several things you can do to help prevent being the victim
and changing passwords frequently to strong multi-character is only a
small step. Logging out after each session helps. Not clicking links
to unknown locations is one. Using a good browser such as Chrome and
not IE is a massive help (Chrome sandboxes each tab). Best of all have
a Gmail account as your main Email and never use your Yahoo account
except to log in to Yahoogroups. The biggest thing you can do to save
yourself from a problem like this is enabling 2 step or 2 factor
authentication. Doing these will not completely protect you, but will
make your odds of risk very very small indeed.
 
And clear your cookies at least once a week.
 
Dennis Smith
M1DLG
 
On 18 June 2013 02:21, Clyde <n1bhh@yahoo.com> wrote:
> It may behoove everyone with a Yahoo mail, or any other account to change your password to something a bit more complicated than you currently have. Here are a couple you could try out, and be sure to print it up so you don't lose it. With all the talk on the news of the NSA snooping on us, why not pay attention to that? There are other hackers out there too, so why not pay attention to what is in the news? It affects everyone whether you want to believe it or not.
>
> http://www.freepasswordgenerator.com/
>
> http://www.pctools.com/guides/password/
>
>
> Clyde N1BHH
> Weymouth, Ma.
>
> --- In UDXF@yahoogroups.com, "Ary Boender" <ary@...> wrote:
>>
>> I noticed it and blocked his email address
>>
>>
>>
>> Ary
>>
>>
>>
>> From: UDXF@yahoogroups.com [mailto:UDXF@yahoogroups.com] On Behalf Of wphil71
>> Sent: Monday 17 June 2013 16:48
>> To: UDXF@yahoogroups.com
>> Subject: [UDXF] another spam email alert
>>
>>
>>
>>
>>
>> hi,
>> just to let others know that i just got an email reportedly from our group
>> address, this time with a google docs attachment from romania.
>>
>> regards, Phil
>> VK3003SWL.

Offline Sealord

  • Global Moderator
  • DX Legend
  • *****
  • Posts: 2344
  • North East Florida
Re: Caution: Check your Yahoo email security
« Reply #10 on: June 18, 2013, 1142 UTC »
Thanks for the heads up Lex - I still keep my yahoo account around, but it's empty ever since I switched to gmail awhile back.
Indoors: WR-G33DDC & TT RX-340_DX Eng. 4-Square Array / Outdoors: Belka-DX_Whip / Poolside: SMC HF-150_MMD-40 (D.O.G.) / Off Air/Studio Recordings

Offline Zoidberg

  • DX Legend
  • ******
  • Posts: 2364
  • Gopher Stomp, Texas
  • i c u
Re: Caution: Check your Yahoo email security
« Reply #11 on: June 18, 2013, 1152 UTC »
Here's an article on password security, including using longer, nonsensical phrases rather than the more familiar six-to-eight character mix of alpha-numerics - the latter of which appear to be incredibly easy to hack.

https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

And here's a doodad that helps you estimate the security of a password: http://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

There are several similar articles this year on the same topic, all giving pretty much the same advice, and all pointing to the same xkcd comic strip.  Which either proves (1) the experts all agree! (2) there are no real people left on the internets, just a bunch of bots and sock puppets all posting the same stuff.   ;D
That li'l ol' DXer from Texas
Unpleasant Frequencies Crew
Al: Palstar R30C & various antennae
Snoopy: Sony ICF-2010
Roger: Magnavox D2935
(Off-air recordings.)

Offline redhat

  • DX Legend
  • ******
  • Posts: 1586
  • USA
  • Music is my drug.
Re: Caution: Check your Yahoo email security
« Reply #12 on: June 18, 2013, 1843 UTC »
I've had a few of these messages show up in my inbox over the last few months, most from yahoo addresses.  My usual policy is to reply to it with something like "looks like spam to me!"  I do this because in many instances, people aren't aware their account has been hacked, and this gives them a heads up about what's going on.

+-RH
Somewhere under the stars...
Airspy HF+, MLA-30/Mini-whip/Chi-Town Loop
Please send QSL's and reception reports to xfmshortwave [at] proton [d0t] me

Offline Pigmeat

  • Marconi Class DXer
  • ********
  • Posts: 6684
Re: Caution: Check your Yahoo email security
« Reply #13 on: June 19, 2013, 1022 UTC »
I've got my current Firefox browser set up to clear cookies after every session which helps......... but I just ran a spyware check of my computer before I logged on. I normally do it on Sunday and I've found I average about one piece of the crap a month.

This past Sunday, I found the monthly turd. This morning when running a new check I found eight more. Something is up on the interwebz.

My guess is it was triggered by the announcement that Yahoo was going to free up old unused email addy's for new users? I would think that hackers that keep Yahoo addresses as backups weren't happy about hearing that.

Use the turd blaster of your choice and check your computers.

Offline ff

  • Sr. Member
  • ****
  • Posts: 443
  • Upstate NY
    • View Profile
Re: Caution: Check your Yahoo email security
« Reply #14 on: June 19, 2013, 1325 UTC »
> ff, don't give up too quickly on the group.  New Yahoo CEO Marissa Mayer seems to be trying to address some of the problems that have plagued Yahoo, including rampant slacking off by employees who were permitted to telecommute, but which tends to translate to "paid day off".  By all accounts from industry insiders she has a huge cultural shift to implement to turn the company around.

Lex - thanks for the encouragement.  I have been having the security problems for a couple of weeks now and the tips from all in this thread are MUCH appreciated.  I have some things to try now.  However, my biggest bugaboo with Yahoo that is forcing the group issue I speak of is they are now getting much more proactive at tracking, snooping, and linking.  This greatly threatens anonymity.  I realize they are only playing catch up with Google, Facebook, et al, in their quest to give advertisers better focused ads.  However it shoots the hell out of keeping all my privacy ducks in a row.  I'm focused on building transmitters - not on advanced web security techniques - and have no interest in changing.  I've always considered computers and the Internet to be great tools for whatever one's passion is.  However, when using, maintaining, and upgrading the tool begins to take an inordinate amount of time and energy, maybe it's time to rethink, and retool...

> the SWL groups tended to be overwhelmed by hams who were incapable of thinking like a shortwave radio listener.

I hear you brother.  Although many if not most in our group are licensed hams, they are pirates FIRST.  I've taken some flak over the years about being too selective with applicants.  But with playing "Katie bar the door" things stay pretty realistic over there.  An example that NEVER works when applying is : "I am an Extra Class Ham".  They lead with the wrong foot... always a dead giveaway...

Thanks everyone for your info and suggestions...
Hailing from the upstate boondocks region of the progressive paradise which once was New York State
